From d8647bb3c11ab286870c858df01fb81e71379cb7 Mon Sep 17 00:00:00 2001 From: Raymond Feng Date: Thu, 16 Jan 2014 08:50:50 -0800 Subject: [PATCH 1/3] Make ACL model subclassing friendly --- lib/models/acl.js | 20 +++++++++++--------- lib/models/role.js | 27 ++++++++++++++++++--------- 2 files changed, 29 insertions(+), 18 deletions(-) diff --git a/lib/models/acl.js b/lib/models/acl.js index 772b0171..46f4e19d 100644 --- a/lib/models/acl.js +++ b/lib/models/acl.js @@ -294,9 +294,9 @@ ACL.checkPermission = function checkPermission(principalType, principalId, var req = new AccessRequest(model, property, accessType); - var acls = ACL.getStaticACLs(model, property); + var acls = this.getStaticACLs(model, property); - var resolved = ACL.resolvePermission(acls, req); + var resolved = this.resolvePermission(acls, req); if(resolved && resolved.permission === ACL.DENY) { debug('Permission denied by statically resolved permission'); @@ -307,7 +307,8 @@ ACL.checkPermission = function checkPermission(principalType, principalId, return; } - ACL.find({where: {principalType: principalType, principalId: principalId, + var self = this; + this.find({where: {principalType: principalType, principalId: principalId, model: model, property: propertyQuery, accessType: accessTypeQuery}}, function (err, dynACLs) { if (err) { @@ -315,7 +316,7 @@ ACL.checkPermission = function checkPermission(principalType, principalId, return; } acls = acls.concat(dynACLs); - resolved = ACL.resolvePermission(acls, req); + resolved = self.resolvePermission(acls, req); if(resolved && resolved.permission === ACL.DEFAULT) { var modelClass = loopback.getModel(model); resolved.permission = (modelClass && modelClass.settings.defaultPermission) || ACL.ALLOW; @@ -326,7 +327,7 @@ ACL.checkPermission = function checkPermission(principalType, principalId, ACL.prototype.debug = function() { if(debug.enabled) { - debug('---ACL---') + debug('---ACL---'); debug('model %s', this.model); debug('property %s', this.property); debug('principalType %s', this.principalType); @@ -361,9 +362,10 @@ ACL.checkAccess = function (context, callback) { var req = new AccessRequest(model.modelName, property, accessType); var effectiveACLs = []; - var staticACLs = ACL.getStaticACLs(model.modelName, property); + var staticACLs = this.getStaticACLs(model.modelName, property); - ACL.find({where: {model: model.modelName, property: propertyQuery, + var self = this; + this.find({where: {model: model.modelName, property: propertyQuery, accessType: accessTypeQuery}}, function (err, acls) { if (err) { callback && callback(err); @@ -403,7 +405,7 @@ ACL.checkAccess = function (context, callback) { callback && callback(err, null); return; } - var resolved = ACL.resolvePermission(effectiveACLs, req); + var resolved = self.resolvePermission(effectiveACLs, req); debug('checkAccess() returns: %j', resolved); callback && callback(null, resolved); }); @@ -437,7 +439,7 @@ ACL.checkAccessForToken = function (token, model, modelId, method, callback) { context.debug(); - ACL.checkAccess(context, function (err, access) { + this.checkAccess(context, function (err, access) { if (err) { callback && callback(err); return; diff --git a/lib/models/role.js b/lib/models/role.js index a76c585a..c9cee824 100644 --- a/lib/models/role.js +++ b/lib/models/role.js @@ -53,7 +53,8 @@ RoleMapping.ROLE = 'ROLE'; */ RoleMapping.prototype.application = function (callback) { if (this.principalType === RoleMapping.APPLICATION) { - loopback.Application.findById(this.principalId, callback); + var applicationModel = this.constructor.Application || loopback.Application; + applicationModel.findById(this.principalId, callback); } else { process.nextTick(function () { callback && callback(null, null); @@ -69,6 +70,7 @@ RoleMapping.prototype.application = function (callback) { */ RoleMapping.prototype.user = function (callback) { if (this.principalType === RoleMapping.USER) { + var userModel = this.constructor.User || loopback.User; loopback.User.findById(this.principalId, callback); } else { process.nextTick(function () { @@ -85,7 +87,8 @@ RoleMapping.prototype.user = function (callback) { */ RoleMapping.prototype.childRole = function (callback) { if (this.principalType === RoleMapping.ROLE) { - loopback.User.findById(this.principalId, callback); + var roleModel = this.constructor.Role || Role; + roleModel.findById(this.principalId, callback); } else { process.nextTick(function () { callback && callback(null, null); @@ -107,10 +110,13 @@ var Role = loopback.createModel('Role', RoleSchema, { } }); +Role.RoleMapping = RoleMapping; + // Set up the connection to users/applications/roles once the model Role.once('dataSourceAttached', function () { + var roleMappingModel = this.RoleMapping || RoleMapping; Role.prototype.users = function (callback) { - RoleMapping.find({where: {roleId: this.id, + roleMappingModel.find({where: {roleId: this.id, principalType: RoleMapping.USER}}, function (err, mappings) { if (err) { callback && callback(err); @@ -123,7 +129,7 @@ Role.once('dataSourceAttached', function () { }; Role.prototype.applications = function (callback) { - RoleMapping.find({where: {roleId: this.id, + roleMappingModel.find({where: {roleId: this.id, principalType: RoleMapping.APPLICATION}}, function (err, mappings) { if (err) { callback && callback(err); @@ -136,7 +142,7 @@ Role.once('dataSourceAttached', function () { }; Role.prototype.roles = function (callback) { - RoleMapping.find({where: {roleId: this.id, + roleMappingModel.find({where: {roleId: this.id, principalType: RoleMapping.ROLE}}, function (err, mappings) { if (err) { callback && callback(err); @@ -330,7 +336,8 @@ Role.isInRole = function (role, context, callback) { return; } - Role.findOne({where: {name: role}}, function (err, result) { + var roleMappingModel = this.RoleMapping || RoleMapping; + this.findOne({where: {name: role}}, function (err, result) { if (err) { callback && callback(err); return; @@ -346,7 +353,7 @@ Role.isInRole = function (role, context, callback) { var principalType = p.type || undefined; var principalId = p.id || undefined; if (principalType && principalId) { - RoleMapping.findOne({where: {roleId: result.id, + roleMappingModel.findOne({where: {roleId: result.id, principalType: principalType, principalId: principalId}}, function (err, result) { debug('Role mapping found: %j', result); @@ -388,11 +395,12 @@ Role.getRoles = function (context, callback) { } }; + var self = this; // Check against the smart roles var inRoleTasks = []; Object.keys(Role.resolvers).forEach(function (role) { inRoleTasks.push(function (done) { - Role.isInRole(role, context, function (err, inRole) { + self.isInRole(role, context, function (err, inRole) { if (!err && inRole) { addRole(role); done(); @@ -403,6 +411,7 @@ Role.getRoles = function (context, callback) { }); }); + var roleMappingModel = this.RoleMapping || RoleMapping; context.principals.forEach(function (p) { // Check against the role mappings var principalType = p.type || undefined; @@ -416,7 +425,7 @@ Role.getRoles = function (context, callback) { if (principalType && principalId) { // Please find() treat undefined matches all values inRoleTasks.push(function (done) { - RoleMapping.find({where: {principalType: principalType, + roleMappingModel.find({where: {principalType: principalType, principalId: principalId}}, function (err, mappings) { debug('Role mappings found: %s %j', err, mappings); if (err) { From 7212ebe805f57970af59deddbc0447d28db30bd6 Mon Sep 17 00:00:00 2001 From: Raymond Feng Date: Thu, 16 Jan 2014 09:12:52 -0800 Subject: [PATCH 2/3] Remove the dangling require --- lib/models/index.js | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/models/index.js b/lib/models/index.js index 295acccd..ec204a42 100644 --- a/lib/models/index.js +++ b/lib/models/index.js @@ -6,7 +6,6 @@ exports.AccessToken = require('./access-token'); exports.Application = require('./application'); exports.ACL = require('./acl'); exports.Role = require('./role'); -exports.Installation = require('./installation'); From a6ff22c9c165e517ac9b3ae58605764e60bc0c9a Mon Sep 17 00:00:00 2001 From: Raymond Feng Date: Thu, 16 Jan 2014 15:05:10 -0800 Subject: [PATCH 3/3] Make sure defaultPermission is checked --- lib/models/acl.js | 3 +++ test/acl.test.js | 15 ++++++++++++++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/models/acl.js b/lib/models/acl.js index 46f4e19d..4e4a161c 100644 --- a/lib/models/acl.js +++ b/lib/models/acl.js @@ -406,6 +406,9 @@ ACL.checkAccess = function (context, callback) { return; } var resolved = self.resolvePermission(effectiveACLs, req); + if(resolved && resolved.permission === ACL.DEFAULT) { + resolved.permission = (model && model.settings.defaultPermission) || ACL.ALLOW; + } debug('checkAccess() returns: %j', resolved); callback && callback(null, resolved); }); diff --git a/test/acl.test.js b/test/acl.test.js index a7dd15ee..76449d5f 100644 --- a/test/acl.test.js +++ b/test/acl.test.js @@ -213,7 +213,8 @@ describe('security ACLs', function () { }, { acls: [ {principalType: ACL.USER, principalId: userId, accessType: ACL.ALL, permission: ACL.ALLOW} - ] + ], + defaultPermission: 'DENY' }); ACL.create({principalType: ACL.USER, principalId: userId, model: 'Customer', property: ACL.ALL, @@ -243,6 +244,18 @@ describe('security ACLs', function () { }, function(err, access) { assert(!err && access.permission === ACL.ALLOW); }); + + ACL.checkAccess({ + principals: [ + {type: ACL.ROLE, id: Role.EVERYONE} + ], + model: 'Customer', + property: 'name', + accessType: ACL.READ + }, function(err, access) { + assert(!err && access.permission === ACL.DENY); + }); + }); }); });