joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixes for Class Level and Pointer Permissions (#1989)

Browse Source 
* Fixes for Pointer Permissions

- Fix bug that would leave public CLP when setting a new set of permissions
- Sets empty permissions if missing to match parse.com API
- Updates tests to reflect changes

* Adds regression test for #1991

* Fit -> It
This commit is contained in:
Florent Vilmart
2016-06-06 12:31:50 -04:00
committed by Drew
parent ac705a8da6
commit e7e2369132
6 changed files with 96 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/Controllers/SchemaController.js
View File

@@ -632,30 +632,36 @@ class SchemaController {
}
return Promise.resolve(this);
}
// Validates an operation passes class-level-permissions set in the schema
validatePermission(className, aclGroup, operation) {
// Validates the base CLP for an operation
testBaseCLP(className, aclGroup, operation) {
if (!this.perms[className] || !this.perms[className][operation]) {
return Promise.resolve();
return true;
}
let classPerms = this.perms[className];
let perms = classPerms[operation];
// Handle the public scenario quickly
if (perms['*']) {
return Promise.resolve();
return true;
}
// Check permissions against the aclGroup provided (array of userId/roles)
let found = false;
for (let i = 0; i < aclGroup.length && !found; i++) {
if (perms[aclGroup[i]]) {
found = true;
}
if (aclGroup.some(acl => { return perms[acl] === true })) {
return true;
}
return false;
}
if (found) {
// Validates an operation passes class-level-permissions set in the schema
validatePermission(className, aclGroup, operation) {
if (this.testBaseCLP(className, aclGroup, operation)) {
return Promise.resolve();
}
if (!this.perms[className] || !this.perms[className][operation]) {
return true;
}
let classPerms = this.perms[className];
let perms = classPerms[operation];
// No matching CLP, let's check the Pointer permissions
// And handle those later
let permissionField = ['get', 'find'].indexOf(operation) > -1 ? 'readUserFields' : 'writeUserFields';
@@ -666,6 +672,7 @@ class SchemaController {
'Permission denied for this action.');
}
// Process the readUserFields later
if (Array.isArray(classPerms[permissionField]) && classPerms[permissionField].length > 0) {
return Promise.resolve();
}