Support scopes defined via model settings

2017-03-29 14:23:26 +02:00 · 2017-03-29 14:23:26 +02:00 · a035db9624
parent fab857dd5f
commit a035db9624
2 changed files with 57 additions and 2 deletions
--- a/lib/access-context.js
+++ b/lib/access-context.js
@ -207,12 +207,28 @@ AccessContext.prototype.getScopes = function() {
  // are assigned a single "DEFAULT" scope
  const methodLevel = this.sharedMethod.accessScopes || DEFAULT_SCOPES;

-  // TODO add model-level and app-level scopes
+  // TODO app-level scopes
+  const modelSettings = this.sharedMethod.sharedClass.ctor.settings || {};
+  const modelScopes = modelSettings.accessScopes || {};
+
+  const allMethodNames = [this.sharedMethod.name]
+    .concat(this.sharedMethod.aliases)
+    .map(n => (this.sharedMethod.isStatic ? '' : 'prototype.') + n);

  debug('--Context scopes of %s()--', this.sharedMethod.stringName);
  debug('  method-level: %j', methodLevel);
+  debug('  model-level:');
+  let modelLevel = [];
+  allMethodNames.forEach(alias => {
+    const scopes = modelScopes[alias];
+    if (!scopes) return;
+    modelLevel = modelLevel.concat(scopes);
+    debug('  - %s: %j', alias, scopes);
+  });
+  if (!modelLevel.length)
+    debug('    (empty)');

-  return methodLevel;
+  return methodLevel.concat(modelLevel);
 };

 /**
--- a/test/authorization-scopes.test.js
+++ b/test/authorization-scopes.test.js
@ -69,6 +69,45 @@ describe('Authorization scopes', () => {
    });
  });

+  describe('scope config defined at model-level', () => {
+    beforeEach(logAllServerErrors);
+
+    it('hounours scope defined for method name', () => {
+      User.settings.accessScopes = {
+        findById: ['read'],
+      };
+
+      return givenScopedToken(['read']).then(() => {
+        return request.get('/users/' + testUser.id)
+          .set('Authorization', scopedToken.id)
+          .expect(200);
+      });
+    });
+
+    it('honours scope defined for method alias', () => {
+      User.settings.accessScopes = {
+        'prototype.updateAttributes': ['write'],
+      };
+
+      return givenScopedToken(['write']).then(() => {
+        return request.patch('/users/' + testUser.id)
+          .send({username: 'test-user'})
+          .set('Authorization', scopedToken.id)
+          .expect(200);
+      });
+    });
+
+    it('adds model-level scopes to method-level scopes', () => {
+      User.settings.accessScopes = {
+        findById: ['read'],
+      };
+
+      return request.get('/users/' + testUser.id)
+        .set('Authorization', regularToken.id)
+        .expect(200);
+    });
+  });
+
  function givenAppAndRequest() {
    app = loopback({localRegistry: true, loadBuiltinModels: true});
    app.set('remoting', {rest: {handleErrors: false}});