Merge pull request #1014 from strongloop/feature/fix-issue-1011
Make sure EXECUTE access type matches READ or WRITE
This commit is contained in:
commit
07dffe7473
|
@ -109,16 +109,20 @@ module.exports = function(ACL) {
|
|||
var val2 = req[props[i]] || ACL.ALL;
|
||||
var isMatchingMethodName = props[i] === 'property' && req.methodNames.indexOf(val1) !== -1;
|
||||
|
||||
if (val1 === val2 || isMatchingMethodName) {
|
||||
// accessType: EXECUTE should match READ or WRITE
|
||||
var isMatchingAccessType = props[i] === 'accessType' &&
|
||||
val1 === ACL.EXECUTE;
|
||||
|
||||
if (val1 === val2 || isMatchingMethodName || isMatchingAccessType) {
|
||||
// Exact match
|
||||
score += 3;
|
||||
} else if (val1 === ACL.ALL) {
|
||||
// Wildcard match
|
||||
score += 2;
|
||||
} else if (val2 === ACL.ALL) {
|
||||
// Doesn't match at all
|
||||
score += 1;
|
||||
} else {
|
||||
// Doesn't match at all
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
@ -304,7 +308,7 @@ module.exports = function(ACL) {
|
|||
property = property || ACL.ALL;
|
||||
var propertyQuery = (property === ACL.ALL) ? undefined : {inq: [property, ACL.ALL]};
|
||||
accessType = accessType || ACL.ALL;
|
||||
var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL]};
|
||||
var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL, ACL.EXECUTE]};
|
||||
|
||||
var req = new AccessRequest(model, property, accessType);
|
||||
|
||||
|
|
|
@ -139,6 +139,9 @@ describe('security ACLs', function() {
|
|||
ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'testModel', property: ACL.ALL,
|
||||
accessType: ACL.READ, permission: ACL.ALLOW}, function(err, acl) {
|
||||
|
||||
ACL.create({principalType: ACL.USER, principalId: 'u002', model: 'testModel', property: ACL.ALL,
|
||||
accessType: ACL.EXECUTE, permission: ACL.ALLOW}, function(err, acl) {
|
||||
|
||||
ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.READ, function(err, perm) {
|
||||
assert(perm.permission === ACL.ALLOW);
|
||||
});
|
||||
|
@ -155,6 +158,15 @@ describe('security ACLs', function() {
|
|||
assert(perm.permission === ACL.DENY);
|
||||
});
|
||||
|
||||
ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.WRITE, function(err, perm) {
|
||||
assert(perm.permission === ACL.ALLOW);
|
||||
});
|
||||
|
||||
ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.READ, function(err, perm) {
|
||||
assert(perm.permission === ACL.ALLOW);
|
||||
});
|
||||
|
||||
});
|
||||
});
|
||||
|
||||
});
|
||||
|
@ -203,7 +215,9 @@ describe('security ACLs', function() {
|
|||
}
|
||||
}, {
|
||||
acls: [
|
||||
{principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW}
|
||||
{principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW},
|
||||
{principalType: ACL.USER, principalId: 'u002', accessType: ACL.EXECUTE, permission: ACL.ALLOW},
|
||||
{principalType: ACL.USER, principalId: 'u003', accessType: ACL.EXECUTE, permission: ACL.DENY}
|
||||
]
|
||||
});
|
||||
|
||||
|
@ -225,6 +239,14 @@ describe('security ACLs', function() {
|
|||
assert(perm.permission === ACL.ALLOW);
|
||||
});
|
||||
|
||||
ACL.checkPermission(ACL.USER, 'u002', 'Customer', 'name', ACL.READ, function(err, perm) {
|
||||
assert(perm.permission === ACL.ALLOW);
|
||||
});
|
||||
|
||||
ACL.checkPermission(ACL.USER, 'u003', 'Customer', 'name', ACL.WRITE, function(err, perm) {
|
||||
assert(perm.permission === ACL.DENY);
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
it('should filter static ACLs by model/property', function() {
|
||||
|
|
Loading…
Reference in New Issue