Skip to content

Support routes' permissions for express middleware #273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ilich wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Support routes' permissions for express middleware #273

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
00ab5de
Updated project dependencies
ilich Jan 19, 2019
4620e1f
ACL middleware checks current URL and route to allow handle permissio…
ilich Jan 19, 2019
e1c54b4
Take baseUrl into account when checking permissions based on current …
ilich Jan 20, 2019
92cbede
Use elder mocha version to avoid infinite waiting
ilich Jan 20, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 48 additions & 20 deletions lib/acl.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -679,32 +679,60 @@ Acl.prototype.middleware = function(numPathComponents, userId, actions){
return;
}

url = req.originalUrl.split('?')[0];
if(!numPathComponents){
resource = url;
}else{
resource = url.split('/').slice(0,numPathComponents+1).join('/');
}
var isResourceAllowed = function (originalUrl, callback){
url = originalUrl.split('?')[0];
if(!numPathComponents){
resource = url;
}else{
resource = url.split('/').slice(0,numPathComponents+1).join('/');
}

if(!_actions){
_actions = req.method.toLowerCase();
}
if(!_actions){
_actions = req.method.toLowerCase();
}

acl.logger?acl.logger.debug('Requesting '+_actions+' on '+resource+' by user '+_userId):null;
acl.logger?acl.logger.debug('Requesting '+_actions+' on '+resource+' by user '+_userId):null;

acl.isAllowed(_userId, resource, _actions, function(err, allowed){
if (err){
callback(new Error('Error checking permissions to access resource'));
}else if(allowed === false){
if (acl.logger) {
acl.logger.debug('Not allowed '+_actions+' on '+resource+' by user '+_userId);
acl.allowedPermissions(_userId, resource, function(err, obj){
acl.logger.debug('Allowed permissions: '+util.inspect(obj));
});
}
callback(new HttpError(403,'Insufficient permissions to access resource'));
}else{
acl.logger?acl.logger.debug('Allowed '+_actions+' on '+resource+' by user '+_userId):null;
callback();
}
});
}

acl.isAllowed(_userId, resource, _actions, function(err, allowed){
// check requested URL first
isResourceAllowed(req.originalUrl, function (err) {
if (err){
next(new Error('Error checking permissions to access resource'));
}else if(allowed === false){
if (acl.logger) {
acl.logger.debug('Not allowed '+_actions+' on '+resource+' by user '+_userId);
acl.allowedPermissions(_userId, resource, function(err, obj){
acl.logger.debug('Allowed permissions: '+util.inspect(obj));
});
// try current route URL if access to actual URL is denied
var routeUrl = req.baseUrl;
if (routeUrl.length > 0 && routeUrl[routeUrl.length - 1] !== '/') {
routeUrl += '/';
}

var routePath = req.route.path;
if (routePath.length > 0 && routePath !== '/' && routePath[0] === '/') {
routeUrl += routePath.substring(1);
}
next(new HttpError(403,'Insufficient permissions to access resource'));

isResourceAllowed(routeUrl, function (err) {
if (err){
next(err);
}else{
next();
}
});
}else{
acl.logger?acl.logger.debug('Allowed '+_actions+' on '+resource+' by user '+_userId):null;
next();
}
});
Expand Down
Loading