Merge branch 'release/2.10.2' into production

CHANGES.md

@@ -1,3 +1,9 @@
+2015-01-16, Version 2.10.2
+==========================
+
+ * Make sure EXECUTE access type matches READ or WRITE (Raymond Feng)
+
+
 2015-01-15, Version 2.10.1
 ==========================
 
@@ -7,11 +13,11 @@
 
  * Added context middleware (Rand McKinney)
 
- * Use User.remoteMethod instead of loopbacks method This is needed for loopback-connector-remote authorization. Addresses https://github.com/strongloop/loopback/issues/622. (Berkeley Martinez)
+ * Revert the peer dep change to avoid npm complaints (Raymond Feng)
 
+ * Update strong-remoting dep (Raymond Feng)
 
-2015-01-07, Version 2.9.0
+ * Allow accessType per remote method (Raymond Feng)
-=========================
 
  * Update juggler dep (Raymond Feng)
 
@@ -19,12 +25,23 @@
 
  * Allow User.hashPassword/validatePassword to be overridden (Raymond Feng)
 
+ * Use User.remoteMethod instead of loopbacks method This is needed for loopback-connector-remote authorization. Addresses https://github.com/strongloop/loopback/issues/622. (Berkeley Martinez)
+
+ * API and REST tests added to ensure complete and valid credentials are supplied for verified error message to be returned  - tests added as suggested and fail under previous version of User model  - strongloop/loopback#931 (Ron Edgecomb)
+
+ * Require valid login credentials before verified email check.  - strongloop/loopback#931. (Ron Edgecomb)
+
 
 2015-01-07, Version 2.8.8
 =========================
 
 
 
+2015-01-07, Version 2.9.0
+=========================
+
+
+
 2015-01-07, Version 2.10.0
 ==========================
 
@@ -100,19 +117,16 @@
 
  * Fix bcrypt issues for browserify (Raymond Feng)
 
- * Allow native bcrypt for performance (Raymond Feng)
-
-
-2014-12-08, Version 2.8.3
-=========================
-
-
 
 2014-12-08, Version 2.8.4
 =========================
 
  * Allow native bcrypt for performance (Raymond Feng)
 
+
+2014-12-08, Version 2.8.3
+=========================
+
  * Remove unused underscore dependency (Ryan Graham)
 
 

common/models/acl.js

@@ -109,16 +109,20 @@ module.exports = function(ACL) {
       var val2 = req[props[i]] || ACL.ALL;
       var isMatchingMethodName = props[i] === 'property' && req.methodNames.indexOf(val1) !== -1;
 
-      if (val1 === val2 || isMatchingMethodName) {
+      // accessType: EXECUTE should match READ or WRITE
+      var isMatchingAccessType = props[i] === 'accessType' &&
+        val1 === ACL.EXECUTE;
+
+      if (val1 === val2 || isMatchingMethodName || isMatchingAccessType) {
         // Exact match
         score += 3;
       } else if (val1 === ACL.ALL) {
         // Wildcard match
         score += 2;
       } else if (val2 === ACL.ALL) {
-        // Doesn't match at all
         score += 1;
       } else {
+        // Doesn't match at all
         return -1;
       }
     }
@@ -304,7 +308,7 @@ module.exports = function(ACL) {
     property = property || ACL.ALL;
     var propertyQuery = (property === ACL.ALL) ? undefined : {inq: [property, ACL.ALL]};
     accessType = accessType || ACL.ALL;
-    var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL]};
+    var accessTypeQuery = (accessType === ACL.ALL) ? undefined : {inq: [accessType, ACL.ALL, ACL.EXECUTE]};
 
     var req = new AccessRequest(model, property, accessType);
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "loopback",
-  "version": "2.10.1",
+  "version": "2.10.2",
   "description": "LoopBack: Open Source Framework for Node.js",
   "homepage": "http://loopback.io",
   "keywords": [
@@ -102,6 +102,6 @@
     "url": "https://github.com/strongloop/loopback/blob/master/LICENSE"
   },
   "optionalDependencies": {
-    "sl-blip": "http://blip.strongloop.com/loopback@2.10.1"
+    "sl-blip": "http://blip.strongloop.com/loopback@2.10.2"
   }
 }

test/acl.test.js

@@ -139,6 +139,9 @@ describe('security ACLs', function() {
       ACL.create({principalType: ACL.USER, principalId: 'u001', model: 'testModel', property: ACL.ALL,
         accessType: ACL.READ, permission: ACL.ALLOW}, function(err, acl) {
 
+        ACL.create({principalType: ACL.USER, principalId: 'u002', model: 'testModel', property: ACL.ALL,
+          accessType: ACL.EXECUTE, permission: ACL.ALLOW}, function(err, acl) {
+
           ACL.checkPermission(ACL.USER, 'u001', 'testModel', 'name', ACL.READ, function(err, perm) {
             assert(perm.permission === ACL.ALLOW);
           });
@@ -155,6 +158,15 @@ describe('security ACLs', function() {
             assert(perm.permission === ACL.DENY);
           });
 
+          ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.WRITE, function(err, perm) {
+            assert(perm.permission === ACL.ALLOW);
+          });
+
+          ACL.checkPermission(ACL.USER, 'u002', 'testModel', 'name', ACL.READ, function(err, perm) {
+            assert(perm.permission === ACL.ALLOW);
+          });
+
+        });
       });
 
     });
@@ -203,7 +215,9 @@ describe('security ACLs', function() {
       }
     }, {
       acls: [
-        {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW}
+        {principalType: ACL.USER, principalId: 'u001', accessType: ACL.ALL, permission: ACL.ALLOW},
+        {principalType: ACL.USER, principalId: 'u002', accessType: ACL.EXECUTE, permission: ACL.ALLOW},
+        {principalType: ACL.USER, principalId: 'u003', accessType: ACL.EXECUTE, permission: ACL.DENY}
       ]
     });
 
@@ -225,6 +239,14 @@ describe('security ACLs', function() {
       assert(perm.permission === ACL.ALLOW);
     });
 
+    ACL.checkPermission(ACL.USER, 'u002', 'Customer', 'name', ACL.READ, function(err, perm) {
+      assert(perm.permission === ACL.ALLOW);
+    });
+
+    ACL.checkPermission(ACL.USER, 'u003', 'Customer', 'name', ACL.WRITE, function(err, perm) {
+      assert(perm.permission === ACL.DENY);
+    });
+
   });
 
   it('should filter static ACLs by model/property', function() {