From 6566b8191d3b015186503749a0d283088113a25a Mon Sep 17 00:00:00 2001
From: Henrique Varella Ehrenfried <h.v.ehrenfried@gmail.com>
Date: Tue, 29 May 2018 09:59:25 -0300
Subject: [PATCH] Start to make ACL to work

---
 common/models/category.json    | 31 +++++++++++++--
 common/models/end_user.json    | 31 +++++++++++++--
 common/models/geolocation.json | 47 +++++++++++++++++------
 package.json                   | 70 +++++++++++++++++-----------------
 server/boot/access-control.js  | 42 +++++++++++---------
 server/boot/authentication.js  |  2 +-
 6 files changed, 153 insertions(+), 70 deletions(-)

diff --git a/common/models/category.json b/common/models/category.json
index b5f0f9b..e01860e 100644
--- a/common/models/category.json
+++ b/common/models/category.json
@@ -16,17 +16,42 @@
   },
   "validations": [],
   "relations": {
-    "locations":{
+    "locations": {
       "type": "hasMany",
       "model": "geolocation",
       "foreignKey": "category_id"
     },
-    "user":{
+    "user": {
       "type": "belongsTo",
       "model": "end_user",
       "foreignKey": "id"
     }
   },
-  "acls": [],
+  "acls": [
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "$everyone",
+      "permission": "DENY"
+    },
+    {
+      "accessType": "READ",
+      "principalType": "ROLE",
+      "principalId": "$everyone",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "admin",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "count",
+      "principalType": "ROLE",
+      "principalId": "$authenticated",
+      "permission": "ALLOW"
+    }
+  ],
   "methods": {}
 }
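Review bot: The last rule in the new `acls` array uses `"accessType": "count"`, but `count` is a method name, not an access type; LoopBack's accessType values are `READ`, `WRITE`, `EXECUTE` and `*`, so this rule matches nothing. To scope a rule to the count endpoint it should read `"accessType": "READ", "property": "count"`. As written the rule is also redundant, because the `$everyone` READ ALLOW rule two entries above already covers `count` for authenticated and anonymous callers alike, so it can simply be dropped unless a narrower rule is intended.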
diff --git a/common/models/end_user.json b/common/models/end_user.json
index 9a1559f..b936c03 100644
--- a/common/models/end_user.json
+++ b/common/models/end_user.json
@@ -25,17 +25,42 @@
   },
   "validations": [],
   "relations": {
-    "locations":{
+    "locations": {
       "type": "hasMany",
       "model": "geolocation",
       "foreignKey": "user_id"
     },
-    "category":{
+    "category": {
       "type": "hasMany",
       "model": "categories",
       "foreignKey": "id"
     }
   },
-  "acls": [],
+  "acls": [
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "$everyone",
+      "permission": "DENY"
+    },
+    {
+      "accessType": "READ",
+      "principalType": "ROLE",
+      "principalId": "$owner",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "EXECUTE",
+      "principalType": "ROLE",
+      "principalId": "$owner",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "admin",
+      "permission": "ALLOW"
+    }
+  ],
   "methods": {}
 }
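Review bot: The `$everyone DENY *` rule here does less than it appears to if `end_user` extends the built-in `User` model, which this hunk does not show: the base model's property-specific ACLs (`login`, `logout`, `create`, and the `$owner` rules) are merged in and, being more specific, take precedence over this wildcard, so `login` and `create` stay open to anonymous callers. That is usually what is wanted, but the resulting effective policy is not visible from this file, so it is worth confirming with an unauthenticated request against `POST /end_users` and `POST /end_users/login` rather than reading the array. Note also that `$owner` is granted READ and EXECUTE but no WRITE, so a user cannot update or delete their own record; if that is intended, the remaining gap is only that `$owner` here resolves by comparing the requested instance id with the token's userId, so list endpoints are admin-only.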
diff --git a/common/models/geolocation.json b/common/models/geolocation.json
index 4e24cc6..e063519 100644
--- a/common/models/geolocation.json
+++ b/common/models/geolocation.json
@@ -17,17 +17,17 @@
     },
     "latitude": {
       "type": "number",
-      "postgresql":{
-        "dataType":"float"
-      },
-      "required": true
+      "required": true,
+      "postgresql": {
+        "dataType": "float"
+      }
     },
     "longitude": {
       "type": "number",
-      "postgresql":{
-        "dataType":"float"
-      },
-      "required": true
+      "required": true,
+      "postgresql": {
+        "dataType": "float"
+      }
     },
     "android_id": {
       "type": "string"
@@ -45,17 +45,42 @@
   },
   "validations": [],
   "relations": {
-    "user":{
+    "user": {
       "type": "belongsTo",
       "model": "end_user",
       "foreignKey": "id"
     },
-    "category":{
+    "category": {
       "type": "belongsTo",
       "model": "category",
       "foreignKey": "id"
     }
   },
-  "acls": [],
+  "acls": [
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "$everyone",
+      "permission": "DENY"
+    },
+    {
+      "accessType": "WRITE",
+      "principalType": "ROLE",
+      "principalId": "$everyone",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "READ",
+      "principalType": "ROLE",
+      "principalId": "$everyone",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "admin",
+      "permission": "ALLOW"
+    }
+  ],
   "methods": {}
 }
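Review bot: The `$everyone WRITE ALLOW` rule grants unauthenticated clients the whole WRITE surface of `geolocation` (`create`, `upsert`, `updateAll`, `deleteById`, `prototype.updateAttributes`), and because an explicit `WRITE` rule is more specific than `*`, the `$everyone DENY *` rule above it only ends up blocking EXECUTE. If check-ins are meant to be recorded by logged-in users, the principal should be `$authenticated`; if anonymous devices really must post locations, narrow the rule to appends with `"accessType": "WRITE", "property": "create", "principalId": "$everyone"` so that anonymous callers cannot modify or delete existing rows. Either way the `$everyone READ ALLOW` rule exposes every stored coordinate and `android_id` to anyone, which is worth an explicit decision.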
diff --git a/package.json b/package.json
index 4081858..e6fcce1 100644
--- a/package.json
+++ b/package.json
@@ -1,35 +1,35 @@
-{
-  "name": "SMPPIR-CheckIn-API",
-  "version": "1.0.0",
-  "main": "server/server.js",
-  "engines": {
-    "node": ">=4"
-  },
-  "scripts": {
-    "lint": "eslint .",
-    "start": "node .",
-    "posttest": "npm run lint && nsp check"
-  },
-  "dependencies": {
-    "compression": "^1.0.3",
-    "cors": "^2.5.2",
-    "helmet": "^3.12.1",
-    "loopback": "^3.0.0",
-    "loopback-boot": "^2.6.5",
-    "loopback-component-explorer": "^6.0.1",
-    "loopback-connector-postgresql": "^3.3.1",
-    "serve-favicon": "^2.0.1",
-    "strong-error-handler": "^2.0.0"
-  },
-  "devDependencies": {
-    "eslint": "^3.17.1",
-    "eslint-config-loopback": "^8.0.0",
-    "nsp": "^3.2.1"
-  },
-  "repository": {
-    "type": "",
-    "url": ""
-  },
-  "license": "UNLICENSED",
-  "description": "SMPPIR-CheckIn-API"
-}
+{
+  "name": "SMPPIR-CheckIn-API",
+  "version": "1.0.0",
+  "main": "server/server.js",
+  "engines": {
+    "node": ">=4"
+  },
+  "scripts": {
+    "lint": "eslint .",
+    "start": "node .",
+    "posttest": "npm run lint && nsp check"
+  },
+  "dependencies": {
+    "compression": "^1.0.3",
+    "cors": "^2.5.2",
+    "helmet": "^3.12.1",
+    "loopback": "^3.0.0",
+    "loopback-boot": "^2.6.5",
+    "loopback-component-explorer": "^6.0.1",
+    "loopback-connector-postgresql": "^3.3.1",
+    "serve-favicon": "^2.0.1",
+    "strong-error-handler": "^2.0.0"
+  },
+  "devDependencies": {
+    "eslint": "^3.17.1",
+    "eslint-config-loopback": "^8.0.0",
+    "nsp": "^3.2.1"
+  },
+  "repository": {
+    "type": "",
+    "url": ""
+  },
+  "license": "UNLICENSED",
+  "description": "SMPPIR-CheckIn-API"
+}
diff --git a/server/boot/access-control.js b/server/boot/access-control.js
index 488b10f..f85a2e1 100644
--- a/server/boot/access-control.js
+++ b/server/boot/access-control.js
@@ -43,24 +43,32 @@ module.exports = function(app) {
         if (!userId) {
           return reject();
         }
+        else{
+            console.log("USER ID ::",userId)
+        }
     
+        console.log("ROLE ::", role)
+
+        console.log("CONTEXT MODEL ::", context.model)
+        console.log("CONTEXT ID ::", context.id)
+  
         // check if userId is in team table for the given project id
-        context.model.findById(context.modelId, function(err, model) {
-            if (err || !model)
-                return reject();
-        
-            var EndUser = app.models.EndUser;
-            EndUser.count({
-                ownerId: model.ownerId,
-                memberId: userId
-            }, function(err, count) {
-                if (err) {
-                    console.log(err);
-                    return cb(null, false);
-                }
-        
-                cb(null, count > 0); // true = is a team member
-            });
+        context.model.findById(userId, function(err, model) {
+
+            app.models.EndUser.findById(userId, function(err2, user){
+                console.log("ERR ::", err)
+                console.log("ERR 2::", err2)
+                console.log("MODEL ::", model)
+
+                console.log("ENDUSER MODEL", user)
+
+                if (err || err2 || !user || !model)
+                    return reject();
+                if(user.permission !== role)
+                    return reject();
+                else 
+                    return cb(null,true)
+            })            
         });
     });
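Review bot: `context.model.findById(userId, ...)` on the new side looks up the model under access (for example a geolocation row) by the user's id rather than by `context.modelId`, so the resolver denies whenever no row happens to share that id and, when one does, gates on an unrelated row; since the new check only reads `user.permission`, the outer lookup can be dropped altogether. The added `console.log` calls also print the full `user` record returned by `EndUser.findById`, which for a User-derived model includes the password hash and any other stored fields, so they should not survive past local debugging. `reject` and the enclosing role resolver start outside the hunk, so I am assuming `reject()` completes the callback with a denial; the missing semicolons on the new lines would additionally fail the `eslint .` step that `package.json` runs on posttest.
```javascript
        // … unchanged: userId extraction and the !userId guard …
        app.models.EndUser.findById(userId, function(err, user) {
            if (err || !user) {
                return reject();
            }
            // grant only when the stored permission equals the requested role name
            return cb(null, user.permission === role);
        });
```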
 
@@ -91,7 +99,7 @@ module.exports = function(app) {
         // do not allow anonymous users
         var userId = context.accessToken.userId;
         if (!userId) {
-        return reject();
+            return reject();
         }
 
         // check if userId is in team table for the given project id
diff --git a/server/boot/authentication.js b/server/boot/authentication.js
index 7fd9c55..8e88d4b 100644
--- a/server/boot/authentication.js
+++ b/server/boot/authentication.js
@@ -2,5 +2,5 @@
 
 module.exports = function enableAuthentication(server) {
   // enable authentication
-  // server.enableAuth();
+  server.enableAuth();
 };
-- 
GitLab