47 Commits

Author SHA1 Message Date
Moshe Malka 29c5f20d90
Fix ACL check to support model wildcard 2018-10-25 14:00:35 +02:00
Moshe Malka 186ae2ae57
Fix ACL tests to wait until all assertions finish 2018-09-17 14:12:58 +02:00
virkt25 fa644d6a31 chore: update to latest linting rules 2018-09-13 10:08:25 -04:00
Justin Ross 60750b4508
Update Copyright Years
Update copyright years to include 2018
2018-01-16 13:55:02 +01:00
Miroslav Bajtoš 73cc950b1b
Update eslint and eslint-config to latest 2017-12-12 09:33:15 +01:00
Farid Neshat d2d8fabb16 Fix acl.resolvePermission for wildcard req
When acl.resolvePermission was called with a request containing a
wildcard, it would return the matching acl with lowest score instead of
higher.

Fixes #2153
2017-09-27 02:48:34 +02:00
Miroslav Bajtoš c5145bdf34
Add support for scoped access tokens
Define a new property `AccessToken.scopes` to contain the list of
scopes granted to this access token.

Define a new remote method metadata `accessScopes` to contain a list
of scope names required by this method.

Define a special built-in scope name "DEFAULT" that's used when
a method/token does not provide any scopes. This allows access
tokens to grant access to both the default scope and any additional
custom scopes at the same time.

Modify the authorization algorithm to ensure that at least one
of the scopes required by a remote method is allowed by the scopes
granted to the requesting access token.

The "DEFAULT" scope preserves backwards compatibility because existing
remote methods with no `accessScopes` can be accessed by (existing)
access tokens with no `scopes` defined.

Impact on existing applications:

 - Database schema must be updated after upgrading the loopback version

 - If the application was already using a custom `AccessToken.scopes`
   property with a type different from an array, then the relevant code
   must be updated to work with the new type "array of strings".
2017-04-07 13:04:40 +02:00
ebarault 8aa98a80ef Propagate authorized roles in remoting context
Adds an authorizedRoles object to remotingContext.args.options
which contains all the roles (static and dynamic) that are
granted to the user when performing a request through
strong-remoting to an app with authentication enabled.

The authorizedRoles object for example looks like:
{
  $everyone: true,
  $authenticated: true,
  myRole: true
}

NOTE: this pr also covers a number of jsdoc fixes as well
as refactoring in ACL.js and access-context.js
2017-03-20 12:29:33 +01:00
ebarault a63fad402e Add promise support to built-in model ACL 2017-01-31 14:09:43 +01:00
Loay 06cb481c3f Update eslint to loopback config v5
Notable side-effects:
 - loopback no longer exports "caller" and "arguments" properties
 - kv-memory connector is now properly added to the connector registry
 - the file "test/support.js" was finally removed
2016-11-22 14:08:02 +01:00
gunjpan 832e2c391c Discard sugar method for model creation
Current implementation of `app.model(modelName, settings)`
works as a sugar for model creation. In 3.0, this is
not supported anymore. This implementation reports an
error when sugar is used for model creation.
Includes:
 - Updated app.model() method
 - Fixed test cases reflecting the change
2016-09-07 10:40:23 +02:00
David Cheung ddb5327e64 Update tests for strong-error-handler
Fix rest-adapter related test case switching to strong-error-handler
Only affect the test-cases calling rest methods
2016-06-07 13:26:18 -04:00
Supasate Choochaisri 04e26fae5c Separate error-checking and next/done logic from other logic in the test suite
Signed-off-by: Supasate Choochaisri <supasate.c@gmail.com>
2016-05-05 11:12:48 +07:00
Ryan Graham 6964914bab
update copyright statements 2016-05-03 15:50:21 -07:00
Miroslav Bajtoš f9702b0ace Use eslint with loopback config
Drop jshint and jscs in favour of eslint.

Fix style violations.

While we are at this, reduce the max line length from 150 to 100.
2016-04-06 10:45:30 +02:00
Ritchie Martori 9cde2a45be Use the new remoting.authorization hook for check access 2015-05-12 15:33:05 -07:00
ulion 9f705139f8 Static ACL support array of properties now 2015-03-06 06:24:09 +08:00
Miroslav Bajtoš c2236c393b Upgrade jscs to ~1.11 via grunt-jscs ^1.5 2015-02-20 15:31:15 +01:00
Raymond Feng 563a06fa7e Make sure EXECUTE access type matches READ or WRITE
See https://github.com/strongloop/loopback/issues/1011
2015-01-14 13:38:44 -08:00
Rob Halff 36e1f6840c fix jscs errors 2014-11-21 03:35:36 +01:00
Rob Halff 918497c365 singlequote, semicolon & /*jshint -W030 */ 2014-11-21 02:46:21 +01:00
Raymond Feng 242b44ed2b Skip static ACL entries that don't match the property 2014-10-13 16:45:36 -07:00
Miroslav Bajtoš 1fe0110849 Dismantle `lib/models`.
 - Move core models `Model` and `PersistedModel` to `lib/`.
 - Move `AccessContext` class to `lib/`, since it is not a model.
 - Move all other built-in models to `common/models`.

This is a preparation for extracting model definitions to JSON files.
By splitting the change into multiple commits, git is able to keep track
of file moves (renames).
2014-10-13 12:09:27 +02:00
Miroslav Bajtoš d21669b844 Merge branch 'master' into 2.0
Conflicts:
	docs.json
	lib/application.js
	lib/loopback.js
	lib/models/data-model.js
	lib/models/model.js
	lib/models/user.js
	lib/registry.js
	package.json
	test/app.test.js
2014-06-13 10:09:25 +02:00
Miroslav Bajtoš ea5b9d16fc Rename DataModel to PersistedModel 2014-06-05 09:56:00 +02:00
Ritchie Martori fea1cee1c4 !fixup only set ctx.accessType when sharedMethod is available 2014-06-02 14:41:08 -07:00
Ritchie Martori a2f931ed3f Refactor ACL to allow for `methodNames` / aliases 2014-06-02 14:41:08 -07:00
Miroslav Bajtoš 18fd61a546 Merge branch 'master' into 2.0 2014-05-28 18:41:36 +02:00
Raymond Feng ed0b568542 Fix the test for mocha 1.19.0
See 6c705cd4d4
2014-05-26 21:52:48 -07:00
Ritchie Martori d237ae5ddb Merge latest from master 2014-05-20 14:31:09 -07:00
Ritchie Martori ae2fb9dea0 !fixup use DataModel instead of Model for all data based models 2014-05-02 20:15:01 -07:00
Raymond Feng 921e35954d Rename the method so that it won't conflict with Model.checkAccess
See https://github.com/strongloop/loopback/issues/239
2014-04-21 11:13:03 -07:00
Raymond Feng 328a72ac91 Improve the ACL matching algorithm
See https://github.com/strongloop/loopback-example-access-control/issues/8
2014-03-19 15:09:20 -07:00
Raymond Feng a6ff22c9c1 Make sure defaultPermission is checked 2014-01-16 15:05:10 -08:00
Ritchie Martori 939df463fe Fix tests depending on old behavior of default User ACLs 2013-12-17 21:10:05 -08:00
Raymond Feng 97dc0aa441 Refactor the code to use wrapper classes
Add AccessContext, Principal, and AccessRequest
Add debug information
2013-12-11 16:03:48 -08:00
Raymond Feng 82eeaeee6b Fix the algorithm for Role.isInRole and ACL.checkAccess 2013-12-10 23:33:57 -08:00
Raymond Feng 7f51c28539 Fix the ACL resolution against rules by matching score 2013-12-09 15:26:53 -08:00
Raymond Feng bee8a3b022 Add checkAccess for subject and token 2013-11-20 13:43:01 -08:00
Ritchie Martori da0545bed6 Initial auto wiring for model dataSources 2013-11-18 16:13:40 -08:00
Raymond Feng 8381b05da1 Allows LDL level ACLs 2013-11-15 09:41:26 -08:00
Raymond Feng 8e679d0927 Fix the permission resolution 2013-11-14 21:19:57 -08:00
Raymond Feng 94f12d0fce Fix the permission check 2013-11-14 21:19:57 -08:00
Raymond Feng 660ef89755 Merge ScopeACL into ACL 2013-11-14 21:19:56 -08:00
Raymond Feng c3a1a85159 Add constants and more tests 2013-11-14 21:19:56 -08:00
Raymond Feng 48a0242711 Define the models/relations for ACL 2013-11-14 21:19:56 -08:00
Raymond Feng 67b934357b Start to build the ACL models 2013-11-14 21:19:56 -08:00