diff --git a/common/models/acl.js b/common/models/acl.js
index a453d7a7..d5059490 100644
--- a/common/models/acl.js
+++ b/common/models/acl.js
@@ -243,6 +243,7 @@ module.exports = function(ACL) {
         var permissionOrder = AccessContext.permissionOrder[permission];
         if (candidateOrder > permissionOrder) {
           permission = candidate.permission;
+          break;
         }
       }
     }
diff --git a/test/acl.test.js b/test/acl.test.js
index 3b9b0ef3..c063513b 100644
--- a/test/acl.test.js
+++ b/test/acl.test.js
@@ -186,6 +186,41 @@ describe('security ACLs', function() {
     // });
   });
 
+  it('should order ACL entries based on the matching score even with wildcard req', function() {
+    var acls = [
+      {
+        'model': 'account',
+        'accessType': '*',
+        'permission': 'DENY',
+        'principalType': 'ROLE',
+        'principalId': '$everyone',
+      },
+      {
+        'model': 'account',
+        'accessType': '*',
+        'permission': 'ALLOW',
+        'principalType': 'ROLE',
+        'principalId': '$owner',
+      }];
+    var req = {
+      model: 'account',
+      property: '*',
+      accessType: 'WRITE',
+    };
+
+    acls = acls.map(function(a) { return new ACL(a); });
+
+    var perm = ACL.resolvePermission(acls, req);
+    // remove the registry from AccessRequest instance to ease asserting.
+    // Check the above test case for more info.
+    delete perm.registry;
+    assert.deepEqual(perm, {model: 'account',
+      property: '*',
+      accessType: 'WRITE',
+      permission: 'ALLOW',
+      methodNames: []});
+  });
+
   it('should allow access to models for the given principal by wildcard', function() {
     // jscs:disable validateIndentation
     ACL.create({
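Review bot: The added `break` changes the wildcard branch from "strongest permission among all matching rules" to "first rule, in sort order, whose permission outranks the running one", and since `permission` presumably starts at the DEFAULT order the winner is simply the highest-scored non-DEFAULT rule, which the `candidateOrder > permissionOrder` comparison no longer expresses; any nearby comment describing a search for the strongest permission should be updated, e.g. `// Rules are sorted by matching score, so the first candidate that raises the permission is the most specific one; stop here rather than letting a less specific rule override it.`. It also means two rules with the same matching score but different permissions (DENY and ALLOW for the same principal) are now decided by the sort's tie-breaking rather than by restrictiveness, whereas before this change DENY would always have won; consider a secondary sort key on `AccessContext.permissionOrder` (descending) so equal-score ties resolve to the more restrictive rule, or document the intended tie behavior. The enclosing loop and the sort it relies on start outside the hunk, so this is inferred from the visible lines.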
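Review bot: The new test only feeds the less specific `$everyone` DENY rule before the `$owner` ALLOW rule, so it would still pass if `resolvePermission` merely took the last rule instead of the highest-scored one; add a second resolution with the entries reversed, `var reversed = ACL.resolvePermission(acls.slice().reverse(), req);` followed by `assert.equal(reversed.permission, 'ALLOW');`, so the assertion genuinely depends on score ordering rather than input order. A sibling case where both rules have equal score (same principal, DENY vs ALLOW) would also pin the expected tie-break, since that is exactly the behavior the new `break` in common/models/acl.js alters. The enclosing `describe` starts and ends outside the hunk.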