Make sure defaultPermission is checked

2014-01-16 15:05:10 -08:00 · 2014-01-16 15:05:10 -08:00 · a6ff22c9c1
parent 7212ebe805
commit a6ff22c9c1
2 changed files with 17 additions and 1 deletions
--- a/lib/models/acl.js
+++ b/lib/models/acl.js
@ -406,6 +406,9 @@ ACL.checkAccess = function (context, callback) {
        return;
      }
      var resolved = self.resolvePermission(effectiveACLs, req);
+      if(resolved && resolved.permission === ACL.DEFAULT) {
+        resolved.permission = (model && model.settings.defaultPermission) || ACL.ALLOW;
+      }
      debug('checkAccess() returns: %j', resolved);
      callback && callback(null, resolved);
    });
--- a/test/acl.test.js
+++ b/test/acl.test.js
@ -213,7 +213,8 @@ describe('security ACLs', function () {
      }, {
        acls: [
          {principalType: ACL.USER, principalId: userId, accessType: ACL.ALL, permission: ACL.ALLOW}
-        ]
+        ],
+        defaultPermission: 'DENY'
      });

      ACL.create({principalType: ACL.USER, principalId: userId, model: 'Customer', property: ACL.ALL,
@ -243,6 +244,18 @@ describe('security ACLs', function () {
              }, function(err, access) {
                assert(!err && access.permission === ACL.ALLOW);
              });
+
+              ACL.checkAccess({
+                principals: [
+                  {type: ACL.ROLE, id: Role.EVERYONE}
+                ],
+                model: 'Customer',
+                property: 'name',
+                accessType: ACL.READ
+              }, function(err, access) {
+                assert(!err && access.permission === ACL.DENY);
+              });
+
            });
          });
        });