diff --git a/lib/models/acl.js b/lib/models/acl.js
index 819d1985..91a37297 100644
--- a/lib/models/acl.js
+++ b/lib/models/acl.js
@@ -41,34 +41,6 @@ var ScopeSchema = {
 description: String
 };
 
-var ScopeACLSchema = {
- model: String, // The name of the model
- property: String, // The name of the property, method, scope, or relation
-
- /**
- * Name of the access type - READ/WRITE/EXEC
- */
- accessType: String,
-
- /**
- * ALARM - Generate an alarm, in a system dependent way, the access specified in the permissions component of the ACL entry.
- * ALLOW - Explicitly grants access to the resource.
- * AUDIT - Log, in a system dependent way, the access specified in the permissions component of the ACL entry.
- * DENY - Explicitly denies access to the resource.
- */
- permission: String,
- scopeId: Number
-};
-
-var ScopeACL = loopback.createModel('ScopeACL', ScopeACLSchema, {
- relations: {
- scope: {
- type: 'belongsTo',
- model: 'Scope',
- foreignKey: 'scopeId'
- }
- }
-});
 
 /**
 * Resource owner grants/delegates permissions to client applications
@@ -78,15 +50,7 @@ var ScopeACL = loopback.createModel('ScopeACL', ScopeACLSchema, {
 * Scope has many resource access entries
 * @type {createModel|*}
 */
-var Scope = loopback.createModel('Scope', ScopeSchema, {
- relations: {
- resources: {
- type: 'hasMany',
- model: 'ScopeACL',
- foreignKey: 'scopeId'
- }
- }
-});
+var Scope = loopback.createModel('Scope', ScopeSchema);
 
 /**
 * System grants permissions to principals (users/applications, can be grouped into roles).
@@ -139,6 +103,7 @@ ACL.EXECUTE = 'EXECUTE';
 ACL.USER = 'USER';
 ACL.APP = ACL.APPLICATION = 'APP';
 ACL.ROLE = 'ROLE';
+ACL.SCOPE = 'SCOPE';
 
 var permissionOrder = {
 ALLOW: 1,
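Review bot: The JSDoc left above the rewritten `var Scope = loopback.createModel('Scope', ScopeSchema);` in the second hunk (-78) still reads `* Scope has many resource access entries`, but that very hunk removes the `resources` hasMany relation the sentence described, so the comment is now stale. Suggest replacing that line with `* Scope-level access entries are ACL rows with principalType ACL.SCOPE and principalId equal to the scope id` (the third hunk adds `ACL.SCOPE`, and the -200 hunk in this file queries on it). The `@type {createModel|*}` tag documents the factory rather than the resulting model and could be dropped at the same time.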
@@ -200,7 +165,9 @@ Scope.checkPermission = function (scope, model, property, accessType, callback)
 if (err) {
 callback && callback(err);
 } else {
- scope.resources({where: {model: model, property: {inq: [property, ACL.ALL]}, accessType: {inq: [accessType, ACL.ALL]}}}, function (err, resources) {
+ ACL.find({where: {principalType: ACL.SCOPE, principalId: scope.id,
+ model: model, property: {inq: [property, ACL.ALL]},
+ accessType: {inq: [accessType, ACL.ALL]}}}, function (err, resources) {
 if (err) {
 callback && callback(err);
 return;
@@ -227,6 +194,5 @@ Scope.checkPermission = function (scope, model, property, accessType, callback)
 
 module.exports = {
 ACL: ACL,
- Scope: Scope,
- ScopeACL: ScopeACL
+ Scope: Scope
 };
diff --git a/test/acl.test.js b/test/acl.test.js
index 7a9b44fe..705f6367 100644
--- a/test/acl.test.js
+++ b/test/acl.test.js
@@ -16,13 +16,14 @@ describe('security scopes', function () {
 it("should allow access to models for the given scope by wildcard", function () {
 var ds = loopback.createDataSource({connector: loopback.Memory});
 Scope.attachTo(ds);
- ScopeACL.attachTo(ds);
+ ACL.attachTo(ds);
 // console.log(Scope.relations);
 Scope.create({name: 'user', description: 'access user information'}, function (err, scope) {
 // console.log(scope);
- scope.resources.create({model: 'user', property: ACL.ALL, accessType: ACL.ALL, permission: ACL.ALLOW},
+ ACL.create({principalType: ACL.SCOPE, principalId: scope.id, model: 'user', property: ACL.ALL,
+ accessType: ACL.ALL, permission: ACL.ALLOW},
 function (err, resource) {
 // console.log(resource);
 Scope.checkPermission('user', 'user', ACL.ALL, ACL.ALL, checkResult);
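Review bot: `principalId: scope.id` in the new ACL.find query only matches rows whose stored principalId has the same type as the scope id; the ACL schema is outside this hunk, so if principalId is declared as a String while Scope ids are numbers (the removed ScopeACL schema used `scopeId: Number`), ACL entries written through REST as strings would silently fail to match and the check would behave as if no entry existed. Consider normalizing on both sides, e.g. `principalId: String(scope.id)` here and wherever scope ACLs are created, or documenting the expected id type on the ACL model. Scope.checkPermission starts and ends outside the hunk; as with the old `scope.resources` call, a null `scope` from the lookup would throw on `scope.id` inside the callback instead of reaching `callback`, so a guard such as `if (!scope) { return callback && callback(new Error('scope not found')); }` before this query is worth adding.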
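Review bot: The callback passed to the new `ACL.create(...)` call still ignores its `err` argument before calling `Scope.checkPermission(...)`, so if the ACL row fails to save (for example a validation failure on the new principalType/principalId fields) the test reports a wrong permission result instead of the real error; the same holds for the surrounding `Scope.create` callback and for the second test at @@ -36 in this file. Suggest opening the create callback with `if (err) { throw err; }`, or passing the error to the test's completion callback if the suite uses one. The `it` callbacks continue past the end of the hunk, so I cannot see how `checkResult` reports failures.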
@@ -36,13 +37,14 @@ describe('security scopes', function () {
 it("should allow access to models for the given scope", function () {
 var ds = loopback.createDataSource({connector: loopback.Memory});
 Scope.attachTo(ds);
- ScopeACL.attachTo(ds);
+ ACL.attachTo(ds);
 // console.log(Scope.relations);
 Scope.create({name: 'user', description: 'access user information'}, function (err, scope) {
 // console.log(scope);
- scope.resources.create({model: 'user', property: 'name', accessType: ACL.READ, permission: ACL.ALLOW},
+ ACL.create({principalType: ACL.SCOPE, principalId: scope.id,
+ model: 'user', property: 'name', accessType: ACL.READ, permission: ACL.ALLOW},
 function (err, resource) {
 // console.log(resource);
 Scope.checkPermission('user', 'user', ACL.ALL, ACL.ALL, checkResult);