Fix role check in apps with multiple user models

This commit is contained in:
Miroslav Bajtoš 2018-03-20 14:15:44 +01:00
parent 6ddf268cb6
commit f4527c9c91
No known key found for this signature in database
GPG Key ID: 6F2304BA9361C7E3
2 changed files with 55 additions and 5 deletions


@ -84,10 +84,10 @@ function AccessContext(context) {
this.addPrincipal(principalType, principalId, principalName); this.addPrincipal(principalType, principalId, principalName);
} }
var token = this.accessToken || {}; const token = this.accessToken;
if (token.userId != null) { if (token.userId != null) {
this.addPrincipal(Principal.USER, token.userId); this.addPrincipal(token.principalType || Principal.USER, token.userId);
} }
if (token.appId != null) { if (token.appId != null) {
this.addPrincipal(Principal.APPLICATION, token.appId); this.addPrincipal(Principal.APPLICATION, token.appId);
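Review bot: Dropping the `|| {}` fallback on `const token = this.accessToken;` makes the following `token.userId != null` check throw a TypeError whenever `this.accessToken` is unset, where the old code simply added no principal. The part of the `AccessContext` constructor that assigns `this.accessToken` is before this hunk, so if it guarantees an anonymous-token default this is safe; otherwise keep `const token = this.accessToken || {};`. On the `addPrincipal(token.principalType || Principal.USER, token.userId)` line I would document why reading the principal type from the token is trustworthy, since this is now what decides which user model's roles apply; presumably it is persisted on the server-issued token record rather than taken from the request, e.g. `// principalType is set when the token is issued and is never read from the client request`. The enclosing `AccessContext` function starts and ends outside this hunk.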


@ -5,7 +5,6 @@
'use strict'; 'use strict';
var expect = require('./helpers/expect'); var expect = require('./helpers/expect');
var request = require('supertest');
var loopback = require('../'); var loopback = require('../');
var ctx = require('../lib/access-context'); var ctx = require('../lib/access-context');
var extend = require('util')._extend; var extend = require('util')._extend;
@ -28,7 +27,7 @@ describe('Multiple users with custom principalType', function() {
// create a local app object that does not share state with other tests // create a local app object that does not share state with other tests
app = loopback({localRegistry: true, loadBuiltinModels: true}); app = loopback({localRegistry: true, loadBuiltinModels: true});
app.set('_verifyAuthModelRelations', false); app.set('_verifyAuthModelRelations', false);
app.set('remoting', {errorHandler: {debug: true, log: false}}); app.set('remoting', {errorHandler: false});
app.dataSource('db', {connector: 'memory'}); app.dataSource('db', {connector: 'memory'});
var userModelOptions = { var userModelOptions = {
@ -270,7 +269,7 @@ describe('Multiple users with custom principalType', function() {
} }
}); });
describe('role model', function() { describe('Role model', function() {
this.timeout(10000); this.timeout(10000);
var RoleMapping, ACL, user; var RoleMapping, ACL, user;
@ -717,6 +716,57 @@ describe('Multiple users with custom principalType', function() {
} }
}); });
describe('authorization', () => {
beforeEach(givenProductModelAllowingOnlyUserRoleAccess);
it('allows users belonging to authorized role', () => {
logServerErrorsOtherThan(200, app);
debugger;
return userFromOneModel.createAccessToken()
.then(token => {
return supertest(app)
.get('/Products')
.set('Authorization', token.id)
.expect(200, []);
});
});
it('rejects other users', () => {
logServerErrorsOtherThan(401, app);
return userFromAnotherModel.createAccessToken()
.then(token => {
return supertest(app)
.get('/Products')
.set('Authorization', token.id)
.expect(401);
});
});
function givenProductModelAllowingOnlyUserRoleAccess() {
const Product = app.registry.createModel({
name: 'Product',
acls: [
{
'principalType': 'ROLE',
'principalId': '$everyone',
'permission': 'DENY',
},
{
'principalType': 'ROLE',
'principalId': userRole.name,
'permission': 'ALLOW',
},
],
});
app.model(Product, {dataSource: 'db'});
return userRole.principals.create({
principalType: OneUser.modelName,
principalId: userFromOneModel.id,
});
}
});
// helpers // helpers
function createUserModel(app, name, options) { function createUserModel(app, name, options) {
var model = app.registry.createModel(Object.assign({name: name}, options)); var model = app.registry.createModel(Object.assign({name: name}, options));
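Review bot: The `debugger;` statement inside the 'allows users belonging to authorized role' test is a leftover debugging aid and should be deleted before merge; under `node --inspect` it pauses the test run. The 'rejects other users' case only covers a token from the other user model, so an additional request to `/Products` with no `Authorization` header expecting 401 would also pin down the `$everyone` DENY rule in `givenProductModelAllowingOnlyUserRoleAccess`. The new tests call `supertest` and `logServerErrorsOtherThan` while the `request = require('supertest')` line is removed, so I assume both are brought in above the visible hunks; worth confirming.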