Merge pull request #453 from strongloop/feature/fix-issue-451

Pass in remotingContext for ACL
2014-08-08 07:40:19 -07:00 · 2014-08-08 07:40:19 -07:00 · cec7deb4a5
parent 0e8a69015a 9fb0977433
commit cec7deb4a5
5 changed files with 32 additions and 3 deletions
--- a/lib/application.js
+++ b/lib/application.js
@ -323,6 +323,7 @@ app.enableAuth = function() {
        req.accessToken,
        modelId,
        method,
+        ctx,
        function(err, allowed) {
          // Emit any cached data events that fired while checking access.
          req.resume();
--- a/lib/models/access-context.js
+++ b/lib/models/access-context.js
@ -66,6 +66,7 @@ function AccessContext(context) {
  if (token.appId) {
    this.addPrincipal(Principal.APPLICATION, token.appId);
  }
+  this.remotingContext = context.remotingContext;
 }

 // Define constant for the wildcard
--- a/lib/models/model.js
+++ b/lib/models/model.js
@ -234,16 +234,23 @@ Model._ACL = function getACL(ACL) {
 * @param {AccessToken} token The access token
 * @param {*} modelId The model ID.
 * @param {SharedMethod} sharedMethod The method in question
+ * @param {Object} ctx The remote invocation context
 * @callback {Function} callback The callback function
 * @param {String|Error} err The error object
 * @param {Boolean} allowed True if the request is allowed; false otherwise.
 */

-Model.checkAccess = function(token, modelId, sharedMethod, callback) {
+Model.checkAccess = function(token, modelId, sharedMethod, ctx, callback) {
  var ANONYMOUS = require('./access-token').ANONYMOUS;
  token = token || ANONYMOUS;
  var aclModel = Model._ACL();

+  ctx = ctx || {};
+  if(typeof ctx === 'function' && callback === undefined) {
+    callback = ctx;
+    ctx = {};
+  }
+  
  aclModel.checkAccessForContext({
    accessToken: token,
    model: this,
@ -251,7 +258,8 @@ Model.checkAccess = function(token, modelId, sharedMethod, callback) {
    method: sharedMethod.name,
    sharedMethod: sharedMethod,
    modelId: modelId,
-    accessType: this._getAccessTypeForMethod(sharedMethod)
+    accessType: this._getAccessTypeForMethod(sharedMethod),
+    remotingContext: ctx
  }, function(err, accessRequest) {
    if(err) return callback(err);
    callback(null, accessRequest.isAllowed());
--- a/test/access-control.integration.js
+++ b/test/access-control.integration.js
@ -160,6 +160,19 @@ describe('access control - integration', function () {
  });

  describe('/accounts', function () {
+    var count = 0;
+    before(function() {
+      var roleModel = loopback.getModelByType(loopback.Role);
+      roleModel.registerResolver('$dummy', function (role, context, callback) {
+        process.nextTick(function () {
+          if(context.remotingContext) {
+            count++;
+          }
+          callback && callback(null, false); // Always true
+        });
+      });
+    });
+
    lt.beforeEach.givenModel('account');

    lt.it.shouldBeDeniedWhenCalledAnonymously('GET', '/api/accounts');
@ -170,7 +183,6 @@ describe('access control - integration', function () {
    lt.it.shouldBeDeniedWhenCalledUnauthenticated('GET', urlForAccount);
    lt.it.shouldBeDeniedWhenCalledByUser(CURRENT_USER, 'GET', urlForAccount);

-
    lt.it.shouldBeDeniedWhenCalledAnonymously('POST', '/api/accounts');
    lt.it.shouldBeDeniedWhenCalledUnauthenticated('POST', '/api/accounts');
    lt.it.shouldBeDeniedWhenCalledByUser(CURRENT_USER, 'POST', '/api/accounts');
--- a/test/fixtures/access-control/models.json
+++ b/test/fixtures/access-control/models.json
@ -124,6 +124,13 @@
          "principalType": "ROLE",
          "principalId": "$owner",
          "property": "deleteById"
+        },
+        {
+          "accessType": "*",
+          "permission": "DENY",
+          "property": "find",
+          "principalType": "ROLE",
+          "principalId": "$dummy"
        }
      ]
    },