From adcddc98ec823a3112c3e23d9727944e50046c0c Mon Sep 17 00:00:00 2001
From: Tom Kirkpatrick
Date: Thu, 4 Feb 2016 23:20:32 +0100
Subject: [PATCH] Fix handling for accessing the Group Model directly

---
 lib/utils.js | 6 ++++
 .../simple-app/common/models/store.json | 33 ++++++++++++-------
 test/rest-test.js | 20 +++++++++++
 3 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/lib/utils.js b/lib/utils.js
index a673385..4a0e929 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -332,6 +332,12 @@ module.exports = class AccessUtils {
 debug('getCurrentGroupId context.remotingContext.args: %o', context.remotingContext.args);
 let groupId = null;

+ // If we are accessing the group model directly, the group id is the model id.
+ if (this.isGroupModel(context.model)) {
+ process.nextTick(() => cb(null, context.modelId));
+ return cb.promise;
+ }
+
 // If we are accessing an existing model, get the store id from the existing model instance.
 // TODO: Cache this result so that it can be reused across each ACL lookup attempt.
 if (context.modelId) {
diff --git a/test/fixtures/simple-app/common/models/store.json b/test/fixtures/simple-app/common/models/store.json
index 4b21af0..effed40 100644
--- a/test/fixtures/simple-app/common/models/store.json
+++ b/test/fixtures/simple-app/common/models/store.json
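Review bot: The new early return hands `context.modelId` straight to the callback, so a request to the group model that carries no instance id (collection-level methods such as `find` or `create`) resolves the group id to `undefined` rather than the `null` default set on the line above, and it skips the lookup the remainder of `getCurrentGroupId` appears to perform from `context.remotingContext.args`. If direct group access is only meant to short-circuit for instance requests, narrow the guard to `if (this.isGroupModel(context.model) && context.modelId) {`; otherwise a comment stating that collection-level requests to the group model intentionally yield no group id would help, because the `$group:manager` `create` rule added in the store.json hunk depends on what this resolver returns for exactly that case. The enclosing function starts and ends outside the hunk, so how the later branches treat a missing id is not visible here.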
@@ -45,30 +45,41 @@
 {
 "accessType": "READ",
 "principalType": "ROLE",
- "principalId": "admin",
- "permission": "ALLOW",
- "property": "find"
+ "principalId": "$group:member",
+ "permission": "ALLOW"
 },
 {
 "accessType": "READ",
 "principalType": "ROLE",
- "principalId": "$group:member",
+ "principalId": "$group:manager",
+ "permission": "ALLOW"
+ },
+ {
+ "accessType": "WRITE",
+ "principalType": "ROLE",
+ "principalId": "$group:manager",
 "permission": "ALLOW",
- "property": "findById"
+ "property": "create"
 },
 {
- "accessType": "EXECUTE",
+ "accessType": "WRITE",
 "principalType": "ROLE",
- "principalId": "$authenticated",
+ "principalId": "$group:manager",
 "permission": "ALLOW",
- "property": "addUser"
+ "property": "updateAttributes"
 },
 {
- "accessType": "EXECUTE",
+ "accessType": "WRITE",
 "principalType": "ROLE",
- "principalId": "$authenticated",
+ "principalId": "$group:manager",
 "permission": "ALLOW",
- "property": "removeUser"
+ "property": "upsert"
+ },
+ {
+ "accessType": "*",
+ "principalType": "ROLE",
+ "principalId": "$group:admin",
+ "permission": "ALLOW"
 }
 ],
 "methods": {}
diff --git a/test/rest-test.js b/test/rest-test.js
index 6dca244..87a505f 100644
--- a/test/rest-test.js
+++ b/test/rest-test.js
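Review bot: The `$authenticated` EXECUTE rules for `addUser` and `removeUser` are dropped without a replacement, so within this hunk the only rule that still covers those methods is the `$group:admin` `*` grant; whether any other principal can still invoke them depends on the model's default or `$everyone` rule, which sits outside the hunk. If limiting membership changes to group admins is the intent, the rest-test.js cases would benefit from a test that pins it (a manager calling `addUser` and expecting the denial), since nothing in this diff exercises those two methods; if managers are meant to keep that ability, an explicit `$group:manager` EXECUTE rule for the two methods is missing. The `$group:manager` WRITE `create` rule also presumes a group id can be resolved for a request that has no instance yet, which the utils.js hunk does not obviously provide.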
@@ -64,6 +64,26 @@ describe('REST API', function() {
 users.forEach(user => {
 describe(`${user.username} (User with ${user.abilities.join(', ')} permissions):`, function() {
+ // related group content
+ describe('group model', function() {
+ if (_includes(user.abilities, 'read')) {
+ it('should get a teams store', function() {
+ return logInAs(user.username)
+ .then(res => json('get', `/api/stores/A?access_token=${res.body.id}`)
+ .expect(200))
+ .then(res => {
+ expect(res.body).to.be.an('object');
+ expect(res.body).to.have.property('name', 'Store A');
+ });
+ });
+ }
+ it('should not get another teams store', function() {
+ return logInAs(user.username)
+ .then(res => json('get', `/api/stores/B?access_token=${res.body.id}`)
+ .expect(401));
+ });
+ });
+
 // related group content
 describe('related group content', function() {
 if (_includes(user.abilities, 'read')) {