Add role based ACL checks to LiveQuery (#2893)

* Add acl role check to _matchesACL, start adding tests. * Add tests for ACL role checks in LiveQueryServer. * Switch to arrow functions, add immutabalized code from @acinader, swap for loop style.
2016-10-21 21:53:31 -06:00
parent 0faaec3224
commit af55cd1efb
2 changed files with 168 additions and 0 deletions
--- a/src/LiveQuery/ParseLiveQueryServer.js
+++ b/src/LiveQuery/ParseLiveQueryServer.js
@@ -327,6 +327,64 @@ class ParseLiveQueryServer {
      if (isSubscriptionSessionTokenMatched) {
        return Parse.Promise.as(true);
      }
+
+      // Check if the user has any roles that match the ACL
+      return new Parse.Promise((resolve, reject) => {
+
+        // Resolve false right away if the acl doesn't have any roles
+        const acl_has_roles = Object.keys(acl.permissionsById).some(key => key.startsWith("role:"));
+        if (!acl_has_roles) {
+            return resolve(false);
+        }
+
+        this.sessionTokenCache.getUserId(subscriptionSessionToken)
+        .then((userId) => {
+
+            // Pass along a null if there is no user id
+            if (!userId) {
+                return Parse.Promise.as(null);
+            }
+
+            // Prepare a user object to query for roles
+            // To eliminate a query for the user, create one locally with the id
+            var user = new Parse.User();
+            user.id = userId;
+            return user;
+
+        })
+        .then((user) => {
+
+            // Pass along an empty array (of roles) if no user
+            if (!user) {
+                return Parse.Promise.as([]);
+            }
+
+            // Then get the user's roles
+            var rolesQuery = new Parse.Query(Parse.Role);
+            rolesQuery.equalTo("users", user);
+            return rolesQuery.find();
+        }).
+        then((roles) => {
+
+            // Finally, see if any of the user's roles allow them read access
+            for (let role of roles) {
+                if (acl.getRoleReadAccess(role)) {
+                    return resolve(true);
+                }
+            }
+            resolve(false);
+        })
+        .catch((error) => {
+            reject(error);
+        });
+
+      });
+    }).then((isRoleMatched) => {
+
+      if(isRoleMatched) {
+        return Parse.Promise.as(true);
+      }
+
      // Check client sessionToken matches ACL
      let clientSessionToken = client.sessionToken;
      return this.sessionTokenCache.getUserId(clientSessionToken).then((userId) => {