Merge pull request #1014 from strongloop/feature/fix-issue-1011

Make sure EXECUTE access type matches READ or WRITE
This commit is contained in:
Raymond Feng 2015-01-16 10:28:51 -08:00
commit 07dffe7473
2 changed files with 42 additions and 16 deletions

View File

@ -109,16 +109,20 @@ module.exports = function(ACL) {
var val2 = req[props[i]] || ACL.ALL;
var isMatchingMethodName = props[i] === 'property' && req.methodNames.indexOf(val1) !== -1;
if (val1 === val2 || isMatchingMethodName) {
// accessType: EXECUTE should match READ or WRITE
var isMatchingAccessType = props[i] === 'accessType' &&
val1 === ACL.EXECUTE;
if (val1 === val2 || isMatchingMethodName || isMatchingAccessType) {
// Exact match
score += 3;
} else if (val1 === ACL.ALL) {
// Wildcard match
score += 2;
} else if (val2 === ACL.ALL) {
// Doesn't match at all
score += 1;
} else {
// Doesn't match at all
return -1;
}
}
@ -304,7 +308,7 @@ module.exports = function(ACL) {
property = property || ACL.ALL;
var propertyQuery = (property === ACL.ALL) ? undefined : {inq: [property, ACL.ALL]};
accessType = accessType || ACL.ALL;
var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL]};
var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL, ACL.EXECUTE]};
var req = new AccessRequest(model, property, accessType);

View File

@ -139,6 +139,9 @@ describe('security ACLs', function() {
ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'testModel', property: ACL.ALL,
accessType: ACL.READ, permission: ACL.ALLOW}, function(err, acl) {
ACL.create({principalType: ACL.USER, principalId: 'u002', model: 'testModel', property: ACL.ALL,
accessType: ACL.EXECUTE, permission: ACL.ALLOW}, function(err, acl) {
ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.READ, function(err, perm) {
assert(perm.permission === ACL.ALLOW);
});
@ -155,6 +158,15 @@ describe('security ACLs', function() {
assert(perm.permission === ACL.DENY);
});
ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.WRITE, function(err, perm) {
assert(perm.permission === ACL.ALLOW);
});
ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.READ, function(err, perm) {
assert(perm.permission === ACL.ALLOW);
});
});
});
});
@ -203,7 +215,9 @@ describe('security ACLs', function() {
}
}, {
acls: [
{principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW}
{principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW},
{principalType: ACL.USER, principalId: 'u002', accessType: ACL.EXECUTE, permission: ACL.ALLOW},
{principalType: ACL.USER, principalId: 'u003', accessType: ACL.EXECUTE, permission: ACL.DENY}
]
});
@ -225,6 +239,14 @@ describe('security ACLs', function() {
assert(perm.permission === ACL.ALLOW);
});
ACL.checkPermission(ACL.USER, 'u002', 'Customer', 'name', ACL.READ, function(err, perm) {
assert(perm.permission === ACL.ALLOW);
});
ACL.checkPermission(ACL.USER, 'u003', 'Customer', 'name', ACL.WRITE, function(err, perm) {
assert(perm.permission === ACL.DENY);
});
});
it('should filter static ACLs by model/property', function() {