Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →
sails-permissions
Advanced tools
sails-permissions - npm Package Compare versions
Comparing version 1.4.2 to 1.4.3
@@ -8,2 +8,4 @@ /** | ||
| * Verify that User is satisfactorily related to the Object's owner. | ||
| * By this point, we know we have some permissions related to the action and object | ||
| * If they are 'owner' permissions, verify that the objects that are being accessed are owned by the current user | ||
| */ | ||
@@ -23,26 +25,36 @@ module.exports = function(req, res, next) { | ||
| // inject 'owner' as a query criterion and continue if we are not mutating | ||
| // an existing object | ||
| /* | ||
| * This block allows us to filter reads by the owner attribute, rather than failing an entire request | ||
| * if some of the results are not owned by the user. | ||
| * We don't want to take this same course of action for an update or delete action, we would prefer to fail the entire request. | ||
| * There is no notion of 'create' for an owner permission, so it is not relevant here. | ||
| */ | ||
| if (!_.contains(['update', 'delete'], action) && req.options.modelDefinition.attributes.owner) { | ||
| // Some parsing must happen on the query down the line, | ||
| // as req.query has no impact on the results from PermissionService.findTargetObjects. | ||
| // I had to look at the actionUtil parseCriteria method to see where to augment the criteria | ||
| req.params.all().where = req.params.all().where || {}; | ||
| req.params.all().where.owner = req.user.id; | ||
| req.query.owner = req.user.id; | ||
| _.isObject(req.body) && (req.body.owner = req.user.id); | ||
| return next(); | ||
| } | ||
| // Make sure you have owner permissions for all models if you are mutating an existing object | ||
| PermissionService.findTargetObjects(req) | ||
| .then(function (objects) { | ||
| this.objects = objects; | ||
| return PermissionService.isAllowedToPerformAction(this.objects, req.user, action, ModelService.getTargetModelName(req), req.body); | ||
| }) | ||
| .then(function(canPerform) { | ||
| if (PermissionService.hasForeignObjects(objects, req.user) && !canPerform) { | ||
| return res.badRequest({ | ||
| error: 'Cannot perform action [' + action + '] on foreign object' | ||
| .then(function(objects) { | ||
| // PermissionService.isAllowedToPerformAction checks if the user has 'user' based permissions (vs role or owner based permissions) | ||
| return PermissionService.isAllowedToPerformAction(objects, req.user, action, ModelService.getTargetModelName(req), req.body) | ||
| .then(function(hasUserPermissions) { | ||
| if (hasUserPermissions) { | ||
| return next(); | ||
| } | ||
| if (PermissionService.hasForeignObjects(objects, req.user)) { | ||
| return res.badRequest({ | ||
| error: 'Cannot perform action [' + action + '] on foreign object' | ||
| }); | ||
| } | ||
| next(); | ||
| }); | ||
| } | ||
| next(); | ||
| }) | ||
| .catch(next); | ||
| }; |
@@ -407,3 +407,8 @@ var Promise = require('bluebird'); | ||
| } | ||
| return new Promise.map(objects, PermissionService.isAllowedToPerformSingle(user.id, action, model, body)); | ||
| return new Promise.map(objects, PermissionService.isAllowedToPerformSingle(user.id, action, model, body)) | ||
| .then(function (allowedArray) { | ||
| return allowedArray.every(function (allowed) { | ||
| return allowed === true; | ||
| }); | ||
| }); | ||
| }, | ||
@@ -425,3 +430,3 @@ | ||
| }).then(function(model) { | ||
| return Permission.find({ | ||
| return Permission.find({ | ||
| model: model.id, | ||
@@ -428,0 +433,0 @@ action: action, |
| { | ||
| "name": "sails-permissions", | ||
| "version": "1.4.2", | ||
| "version": "1.4.3", | ||
| "description": "Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.", | ||
@@ -5,0 +5,0 @@ "main": "api/hooks/sails-permissions.js", |
@@ -470,2 +470,39 @@ var assert = require('assert'); | ||
| it('should not be able to read another user', function(done) { | ||
| request(sails.hooks.http.app) | ||
| .get('/user/' + adminUserId) | ||
| .set('Authorization', registeredAuth.Authorization) | ||
| .expect(400) | ||
| .end(function(err, res) { | ||
| var user = res.body; | ||
| assert.ifError(err); | ||
| assert(_.isString(user.error), JSON.stringify(user)); | ||
| done(err); | ||
| }); | ||
| }); | ||
| it('should not be able to read all users', function(done) { | ||
| request(sails.hooks.http.app) | ||
| .get('/user/') | ||
| .set('Authorization', registeredAuth.Authorization) | ||
| .expect(200) | ||
| .end(function(err, res) { | ||
| var users = res.body; | ||
| assert.ifError(err); | ||
| assert(users.length == 1); | ||
| done(err); | ||
| }); | ||
| }); | ||
| }); | ||
@@ -472,0 +509,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.96%
101793
- Lines of code
- increased by1.41%
2939
No dependency changes