Merge pull request '#6598 acls back' (!2400) from 6598-getUserAcls into dev
Reviewed-on: #2400 Reviewed-by: Juan Ferrer <juan@verdnatura.es>
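--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,72 @@
+module.exports = Self => {
+Self.remoteMethodCtx('acls', {
+description: 'Get all of the current user acls',
+returns: {
+type: 'Object',
+root: true
+},
+http: {
+path: '/acls',
+verb: 'GET'
+}
+});
+
+const staticAcls = new Map();
+const app = require('vn-loopback/server/server');
+app.on('started', function() {
+for (const model of app.models()) {
+for (const acl of model.settings.acls) {
+if (acl.principalType == 'ROLE' && acl.permission == 'ALLOW') {
+const staticAcl = {
+model: model.name,
+property: '*',
+accessType: acl.accessType,
+permission: acl.permission,
+principalType: acl.principalType,
+principalId: acl.principalId,
+};
+if (staticAcls.has(acl.principalId))
+staticAcls.get(acl.principalId).push(staticAcl);
+else
+staticAcls.set(acl.principalId, [staticAcl]);
+}
+}
+}
+});
+
+Self.acls = async function(ctx) {
+const models = Self.app.models;
+const acls = [];
+const userId = ctx.req.accessToken.userId;
+if (userId) {
+const roleMapping = await models.RoleMapping.find({
+where: {
+principalId: userId
+},
+include: [
+{
+relation: 'role',
+scope: {
+fields: [
+'name'
+]
+}
+}
+]
+});
+const dynamicAcls = await models.ACL.find({
+where: {
+principalId: {
+inq: roleMapping.map(rm => rm.role().name)
+}
+}
+});
+dynamicAcls.forEach(acl => acls.push(acl));
+staticAcls.get('$authenticated').forEach(acl => acls.push(acl));
+} else
+staticAcls.get('$unauthenticated').forEach(acl => acls.push(acl));
+
+staticAcls.get('$everyone').forEach(acl => acls.push(acl));
+return acls;
+};
+};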
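Review bot: `const userId = ctx.req.accessToken.userId;` in `Self.acls` throws a TypeError for a caller that carries no token, so the `else` branch that serves the `$unauthenticated` set is only reachable when `accessToken` is an object with a falsy `userId`; if loopback leaves `req.accessToken` unset for anonymous requests, the `$everyone` route this PR opens answers them with a 500 instead of their ACL list. `const userId = ctx.req.accessToken?.userId;` fixes that. The three `staticAcls.get('…').forEach(...)` calls have the same shape: `Map.get` returns `undefined` when no model declares an ALLOW for that principal, so guard them as `(staticAcls.get('$everyone') ?? []).forEach(acl => acls.push(acl));` and likewise for `$authenticated` and `$unauthenticated`. Separately, the `started` handler hard-codes `property: '*'` and drops `acl.property`, so a property-scoped ALLOW (such as the `"property": "acls"` entry this PR adds to the model JSON) is reported to the client as a wildcard over the whole model; passing `property: acl.property` through keeps the advertised permissions no broader than the enforced ones.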
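--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,27 @@
+const {models} = require('vn-loopback/server/server');
+const id = {administrative: 5, employee: 1, productionBoss: 50};
+
+describe('VnUser acls()', () => {
+it('should get its owns acls', async() => {
+expect(await hasAcl('administrative', id.administrative)).toBeTruthy();
+expect(await hasAcl('productionBoss', id.productionBoss)).toBeTruthy();
+});
+
+it('should not get administrative acls', async() => {
+expect(await hasAcl('administrative', id.employee)).toBeFalsy();
+});
+
+it('should get the $authenticated acls', async() => {
+expect(await hasAcl('$authenticated', id.employee)).toBeTruthy();
+});
+
+it('should get the $everyone acls', async() => {
+expect(await hasAcl('$everyone', id.employee)).toBeTruthy();
+});
+});
+
+const hasAcl = async(role, userId) => {
+const ctx = {req: {accessToken: {userId}, headers: {origin: 'http://localhost'}}};
+const acls = await models.VnUser.acls(ctx);
+return Object.values(acls).some(acl => acl.principalId === role);
+};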
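Review bot: The spec never exercises the anonymous branch of `Self.acls`: every case passes an `accessToken` with a numeric `userId`, so the `$unauthenticated` path is untested even though the new route is open to `$everyone`. A case such as `it('should get the $unauthenticated acls', async() => { expect(await hasAcl('$unauthenticated', undefined)).toBeTruthy(); });` covers the else branch, and a variant whose `ctx.req` has no `accessToken` key at all would mirror the shape of a real request without a token. `hasAcl` also wraps the result in `Object.values(acls)` although `acls` is already an array; `acls.some(acl => acl.principalId === role)` says the same thing more directly.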
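--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -16,6 +16,7 @@ module.exports = function(Self) {
 require('../methods/vn-user/share-token')(Self);
 require('../methods/vn-user/update-user')(Self);
 require('../methods/vn-user/validate-token')(Self);
+require('../methods/vn-user/acls')(Self);
 
 Self.definition.settings.acls = Self.definition.settings.acls.filter(acl => acl.property !== 'create');
 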
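--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -140,6 +140,13 @@
 "principalType": "ROLE",
 "principalId": "$authenticated",
 "permission": "ALLOW"
+},
+{
+"property": "acls",
+"accessType": "*",
+"principalType": "ROLE",
+"principalId": "$everyone",
+"permission": "ALLOW"
 }
 ],
 "scopes": {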
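Review bot: `"accessType": "*"` on the new `acls` entry grants more than the method needs: `acls` is registered with `verb: 'GET'` and only reads, so `"accessType": "READ"` is the least-privilege setting and documents that the grant cannot cover a mutation. Opening it to `$everyone` is presumably meant so the client can fetch the anonymous ACL set before login, but the method it exposes currently reads `ctx.req.accessToken.userId` without a guard, so an anonymous request against this entry should be part of the tests. The enclosing `acls` array and model definition continue outside the hunk.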
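--- a/<PATH NOT SHOWN ON PAGE>
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -17,6 +17,7 @@ async function init() {
 err => err ? reject(err) : resolve());
 });
 // FIXME: Workaround to wait for loopback to be ready
+app.emit('started');
 await app.models.Application.status();
 }
 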
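Review bot: `app.emit('started');` is fired here by the test bootstrap, and the `started` listener added in this PR appends into `staticAcls` without clearing it, so if the event is also emitted by the normal server start-up in the same process every static ACL would be listed twice. Either guard this emit so it only runs when the server is not started through its own entry point, or make the listener idempotent with `staticAcls.clear()` at the top of the handler. The existing `// FIXME` comment now sits above the emit rather than the `status()` call it explains; extending it to `// FIXME: Workaround to wait for loopback to be ready and to fire 'started' for listeners that depend on it` keeps the intent clear. `init()` starts outside the hunk.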