Merge pull request #453 from strongloop/feature/fix-issue-451

Pass in remotingContext for ACL

lib/application.js

@@ -323,6 +323,7 @@ app.enableAuth = function() {
         req.accessToken,
         modelId,
         method,
+        ctx,
         function(err, allowed) {
           // Emit any cached data events that fired while checking access.
           req.resume();

lib/models/access-context.js

@@ -66,6 +66,7 @@ function AccessContext(context) {
   if (token.appId) {
     this.addPrincipal(Principal.APPLICATION, token.appId);
   }
+  this.remotingContext = context.remotingContext;
 }
 
 // Define constant for the wildcard

lib/models/model.js

@@ -234,16 +234,23 @@ Model._ACL = function getACL(ACL) {
  * @param {AccessToken} token The access token
  * @param {*} modelId The model ID.
  * @param {SharedMethod} sharedMethod The method in question
+ * @param {Object} ctx The remote invocation context
  * @callback {Function} callback The callback function
  * @param {String|Error} err The error object
  * @param {Boolean} allowed True if the request is allowed; false otherwise.
  */
 
-Model.checkAccess = function(token, modelId, sharedMethod, callback) {
+Model.checkAccess = function(token, modelId, sharedMethod, ctx, callback) {
   var ANONYMOUS = require('./access-token').ANONYMOUS;
   token = token || ANONYMOUS;
   var aclModel = Model._ACL();
 
+  ctx = ctx || {};
+  if(typeof ctx === 'function' && callback === undefined) {
+    callback = ctx;
+    ctx = {};
+  }
+  
   aclModel.checkAccessForContext({
     accessToken: token,
     model: this,
@@ -251,7 +258,8 @@ Model.checkAccess = function(token, modelId, sharedMethod, callback) {
     method: sharedMethod.name,
     sharedMethod: sharedMethod,
     modelId: modelId,
-    accessType: this._getAccessTypeForMethod(sharedMethod)
+    accessType: this._getAccessTypeForMethod(sharedMethod),
+    remotingContext: ctx
   }, function(err, accessRequest) {
     if(err) return callback(err);
     callback(null, accessRequest.isAllowed());

test/access-control.integration.js

@@ -160,6 +160,19 @@ describe('access control - integration', function () {
   });
 
   describe('/accounts', function () {
+    var count = 0;
+    before(function() {
+      var roleModel = loopback.getModelByType(loopback.Role);
+      roleModel.registerResolver('$dummy', function (role, context, callback) {
+        process.nextTick(function () {
+          if(context.remotingContext) {
+            count++;
+          }
+          callback && callback(null, false); // Always true
+        });
+      });
+    });
+
     lt.beforeEach.givenModel('account');
 
     lt.it.shouldBeDeniedWhenCalledAnonymously('GET', '/api/accounts');
@@ -170,7 +183,6 @@ describe('access control - integration', function () {
     lt.it.shouldBeDeniedWhenCalledUnauthenticated('GET', urlForAccount);
     lt.it.shouldBeDeniedWhenCalledByUser(CURRENT_USER, 'GET', urlForAccount);
 
-
     lt.it.shouldBeDeniedWhenCalledAnonymously('POST', '/api/accounts');
     lt.it.shouldBeDeniedWhenCalledUnauthenticated('POST', '/api/accounts');
     lt.it.shouldBeDeniedWhenCalledByUser(CURRENT_USER, 'POST', '/api/accounts');

test/fixtures/access-control/models.json

@@ -124,6 +124,13 @@
           "principalType": "ROLE",
           "principalId": "$owner",
           "property": "deleteById"
+        },
+        {
+          "accessType": "*",
+          "permission": "DENY",
+          "property": "find",
+          "principalType": "ROLE",
+          "principalId": "$dummy"
         }
       ]
     },