Merge pull request #3293 from alFReD-NSH/bugfix/acl-checkpermission

Fix acl.resolvePermission not working with wildcard request
2017-09-27 16:51:27 +02:00 · 2017-09-27 16:51:27 +02:00 · ef7175a4d5
parent 2128ecde46 d2d8fabb16
commit ef7175a4d5
2 changed files with 36 additions and 0 deletions
--- a/common/models/acl.js
+++ b/common/models/acl.js
@ -243,6 +243,7 @@ module.exports = function(ACL) {
        var permissionOrder = AccessContext.permissionOrder[permission];
        if (candidateOrder > permissionOrder) {
          permission = candidate.permission;
+          break;
        }
      }
    }
--- a/test/acl.test.js
+++ b/test/acl.test.js
@ -186,6 +186,41 @@ describe('security ACLs', function() {
    // });
  });

+  it('should order ACL entries based on the matching score even with wildcard req', function() {
+    var acls = [
+      {
+        'model': 'account',
+        'accessType': '*',
+        'permission': 'DENY',
+        'principalType': 'ROLE',
+        'principalId': '$everyone',
+      },
+      {
+        'model': 'account',
+        'accessType': '*',
+        'permission': 'ALLOW',
+        'principalType': 'ROLE',
+        'principalId': '$owner',
+      }];
+    var req = {
+      model: 'account',
+      property: '*',
+      accessType: 'WRITE',
+    };
+
+    acls = acls.map(function(a) { return new ACL(a); });
+
+    var perm = ACL.resolvePermission(acls, req);
+    // remove the registry from AccessRequest instance to ease asserting.
+    // Check the above test case for more info.
+    delete perm.registry;
+    assert.deepEqual(perm, {model: 'account',
+      property: '*',
+      accessType: 'WRITE',
+      permission: 'ALLOW',
+      methodNames: []});
+  });
+
  it('should allow access to models for the given principal by wildcard', function() {
    // jscs:disable validateIndentation
    ACL.create({