From f4527c9c919509a550e61f176c02bd54d79fa6d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20Bajto=C5=A1?= <mbajtoss@gmail.com>
Date: Tue, 20 Mar 2018 14:15:44 +0100
Subject: [PATCH] Fix role check in apps with multiple user models

---
 lib/access-context.js                      |  4 +-
 test/multiple-user-principal-types.test.js | 56 ++++++++++++++++++++--
 2 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/lib/access-context.js b/lib/access-context.js
index 310e9bf2..ed37bd4e 100644
--- a/lib/access-context.js
+++ b/lib/access-context.js
@@ -84,10 +84,10 @@ function AccessContext(context) {
     this.addPrincipal(principalType, principalId, principalName);
   }
 
-  var token = this.accessToken || {};
+  const token = this.accessToken;
 
   if (token.userId != null) {
-    this.addPrincipal(Principal.USER, token.userId);
+    this.addPrincipal(token.principalType || Principal.USER, token.userId);
   }
   if (token.appId != null) {
     this.addPrincipal(Principal.APPLICATION, token.appId);
diff --git a/test/multiple-user-principal-types.test.js b/test/multiple-user-principal-types.test.js
index 7ce9a74e..6ed09018 100644
--- a/test/multiple-user-principal-types.test.js
+++ b/test/multiple-user-principal-types.test.js
@@ -5,7 +5,6 @@
 
 'use strict';
 var expect = require('./helpers/expect');
-var request = require('supertest');
 var loopback = require('../');
 var ctx = require('../lib/access-context');
 var extend = require('util')._extend;
@@ -28,7 +27,7 @@ describe('Multiple users with custom principalType', function() {
     // create a local app object that does not share state with other tests
     app = loopback({localRegistry: true, loadBuiltinModels: true});
     app.set('_verifyAuthModelRelations', false);
-    app.set('remoting', {errorHandler: {debug: true, log: false}});
+    app.set('remoting', {errorHandler: false});
     app.dataSource('db', {connector: 'memory'});
 
     var userModelOptions = {
@@ -270,7 +269,7 @@ describe('Multiple users with custom principalType', function() {
     }
   });
 
-  describe('role model', function() {
+  describe('Role model', function() {
     this.timeout(10000);
 
     var RoleMapping, ACL, user;
@@ -717,6 +716,57 @@ describe('Multiple users with custom principalType', function() {
     }
   });
 
+  describe('authorization', () => {
+    beforeEach(givenProductModelAllowingOnlyUserRoleAccess);
+
+    it('allows users belonging to authorized role', () => {
+      logServerErrorsOtherThan(200, app);
+      debugger;
+      return userFromOneModel.createAccessToken()
+        .then(token => {
+          return supertest(app)
+            .get('/Products')
+            .set('Authorization', token.id)
+            .expect(200, []);
+        });
+    });
+
+    it('rejects other users', () => {
+      logServerErrorsOtherThan(401, app);
+      return userFromAnotherModel.createAccessToken()
+        .then(token => {
+          return supertest(app)
+            .get('/Products')
+            .set('Authorization', token.id)
+            .expect(401);
+        });
+    });
+
+    function givenProductModelAllowingOnlyUserRoleAccess() {
+      const Product = app.registry.createModel({
+        name: 'Product',
+        acls: [
+          {
+            'principalType': 'ROLE',
+            'principalId': '$everyone',
+            'permission': 'DENY',
+          },
+          {
+            'principalType': 'ROLE',
+            'principalId': userRole.name,
+            'permission': 'ALLOW',
+          },
+        ],
+      });
+      app.model(Product, {dataSource: 'db'});
+
+      return userRole.principals.create({
+        principalType: OneUser.modelName,
+        principalId: userFromOneModel.id,
+      });
+    }
+  });
+
   // helpers
   function createUserModel(app, name, options) {
     var model = app.registry.createModel(Object.assign({name: name}, options));