From 9fb4c14835a1d857cb7891e706939b99ceb84702 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Tue, 9 Feb 2021 16:01:02 +0000 Subject: [PATCH] Some more fixes after testing permissions a bit further. --- .../server/src/api/controllers/permission.js | 39 ++++++++++++--- packages/server/src/api/routes/permission.js | 1 + .../src/api/routes/tests/couchTestUtils.js | 16 +++++++ .../src/api/routes/tests/permissions.spec.js | 48 ++++++++++++++++++- packages/server/src/middleware/authorized.js | 12 ++--- 5 files changed, 103 insertions(+), 13 deletions(-) diff --git a/packages/server/src/api/controllers/permission.js b/packages/server/src/api/controllers/permission.js index 372e804958..1e6bd1869c 100644 --- a/packages/server/src/api/controllers/permission.js +++ b/packages/server/src/api/controllers/permission.js @@ -18,6 +18,16 @@ const PermissionUpdateType = { ADD: "add", } +// utility function to stop this repetition - permissions always stored under roles +async function getAllDBRoles(db) { + const body = await db.allDocs( + getRoleParams(null, { + include_docs: true, + }) + ) + return body.rows.map(row => row.doc) +} + async function updatePermissionOnRole( appId, { roleId, resourceId, level }, @@ -27,12 +37,7 @@ async function updatePermissionOnRole( const remove = updateType === PermissionUpdateType.REMOVE const isABuiltin = isBuiltin(roleId) const dbRoleId = getDBRoleID(roleId) - const body = await db.allDocs( - getRoleParams(null, { - include_docs: true, - }) - ) - const dbRoles = body.rows.map(row => row.doc) + const dbRoles = await getAllDBRoles(db) const docUpdates = [] // the permission is for a built in, make sure it exists @@ -87,6 +92,28 @@ exports.fetchLevels = function(ctx) { ctx.body = [PermissionLevels.WRITE, PermissionLevels.READ] } +exports.fetch = async function(ctx) { + const db = new CouchDB(ctx.appId) + const roles = await getAllDBRoles(db) + let permissions = {} + // create an object with structure role ID -> resource ID -> level + for (let role of roles) { + if (role.permissions) { + const roleId = getExternalRoleID(role._id) + if (permissions[roleId] == null) { + permissions[roleId] = {} + } + for (let [resource, level] of Object.entries(role.permissions)) { + permissions[roleId][resource] = higherPermission( + permissions[roleId][resource], + level + ) + } + } + } + ctx.body = permissions +} + exports.getResourcePerms = async function(ctx) { const resourceId = ctx.params.resourceId const db = new CouchDB(ctx.appId) diff --git a/packages/server/src/api/routes/permission.js b/packages/server/src/api/routes/permission.js index 1d7c042f99..9cf5ae287e 100644 --- a/packages/server/src/api/routes/permission.js +++ b/packages/server/src/api/routes/permission.js @@ -23,6 +23,7 @@ function generateValidator() { router .get("/api/permission/builtin", authorized(BUILDER), controller.fetchBuiltin) .get("/api/permission/levels", authorized(BUILDER), controller.fetchLevels) + .get("/api/permission", authorized(BUILDER), controller.fetch) .get( "/api/permission/:resourceId", authorized(BUILDER), diff --git a/packages/server/src/api/routes/tests/couchTestUtils.js b/packages/server/src/api/routes/tests/couchTestUtils.js index 3d99e16873..0bc7f90998 100644 --- a/packages/server/src/api/routes/tests/couchTestUtils.js +++ b/packages/server/src/api/routes/tests/couchTestUtils.js @@ -73,6 +73,22 @@ exports.createTable = async (request, appId, table, removeId = true) => { return res.body } +exports.createRow = async (request, appId, tableId, row = null) => { + row = row || { + name: "Test Contact", + description: "original description", + status: "new", + tableId: tableId, + } + const res = await request + .post(`/api/${tableId}/rows`) + .send(row) + .set(exports.defaultHeaders(appId)) + .expect("Content-Type", /json/) + .expect(200) + return res.body +} + exports.createRole = async (request, appId) => { const roleBody = { name: "NewRole", diff --git a/packages/server/src/api/routes/tests/permissions.spec.js b/packages/server/src/api/routes/tests/permissions.spec.js index fc5ce23f96..e1322b7b13 100644 --- a/packages/server/src/api/routes/tests/permissions.spec.js +++ b/packages/server/src/api/routes/tests/permissions.spec.js @@ -1,12 +1,14 @@ const { createApplication, createTable, + createRow, supertest, defaultHeaders, addPermission, } = require("./couchTestUtils") const { BUILTIN_ROLE_IDS } = require("../../../utilities/security/roles") +const HIGHER_ROLE_ID = BUILTIN_ROLE_IDS.BASIC const STD_ROLE_ID = BUILTIN_ROLE_IDS.PUBLIC describe("/permission", () => { @@ -15,6 +17,7 @@ describe("/permission", () => { let appId let table let perms + let row beforeAll(async () => { ;({ request, server } = await supertest()) @@ -29,8 +32,17 @@ describe("/permission", () => { appId = app.instance._id table = await createTable(request, appId) perms = await addPermission(request, appId, STD_ROLE_ID, table._id) + row = await createRow(request, appId, table._id) }) + async function getTablePermissions() { + return request + .get(`/api/permission/${table._id}`) + .set(defaultHeaders(appId)) + .expect("Content-Type", /json/) + .expect(200) + } + describe("levels", () => { it("should be able to get levels", async () => { const res = await request @@ -45,7 +57,7 @@ describe("/permission", () => { }) }) - describe("test", () => { + describe("add", () => { it("should be able to add permission to a role for the table", async () => { expect(perms.length).toEqual(1) expect(perms[0]._id).toEqual(`${STD_ROLE_ID}`) @@ -57,6 +69,40 @@ describe("/permission", () => { .set(defaultHeaders(appId)) .expect("Content-Type", /json/) .expect(200) + expect(res.body[STD_ROLE_ID]).toEqual("read") + }) + + it("should get resource permissions with multiple roles", async () => { + perms = await addPermission(request, appId, HIGHER_ROLE_ID, table._id, "write") + const res = await getTablePermissions() + expect(res.body[HIGHER_ROLE_ID]).toEqual("write") + expect(res.body[STD_ROLE_ID]).toEqual("read") + const allRes = await request + .get(`/api/permission`) + .set(defaultHeaders(appId)) + .expect("Content-Type", /json/) + .expect(200) + expect(allRes.body[HIGHER_ROLE_ID][table._id]).toEqual("write") + expect(allRes.body[STD_ROLE_ID][table._id]).toEqual("read") + }) + }) + + describe("remove", () => { + it("should be able to remove the permission", async () => { + const res = await request + .delete(`/api/permission/${STD_ROLE_ID}/${table._id}/read`) + .set(defaultHeaders(appId)) + .expect("Content-Type", /json/) + .expect(200) + expect(res.body[0]._id).toEqual(STD_ROLE_ID) + const permsRes = await getTablePermissions() + expect(permsRes.body[STD_ROLE_ID]).toBeUndefined() + }) + }) + + describe("check public user allowed", () => { + it("should be able to read the row", async () => { + // TODO }) }) }) diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js index 82ca7f98f2..b838ef4e29 100644 --- a/packages/server/src/middleware/authorized.js +++ b/packages/server/src/middleware/authorized.js @@ -64,12 +64,12 @@ module.exports = (permType, permLevel = null) => async (ctx, next) => { ctx.throw(403, "Not Authorized") } - // if ( - // hasResource(ctx) && - // doesHaveResourcePermission(permissions, permLevel, ctx) - // ) { - // return next() - // } + if ( + hasResource(ctx) && + doesHaveResourcePermission(permissions, permLevel, ctx) + ) { + return next() + } if (!doesHaveBasePermission(permType, permLevel, basePermissions)) { ctx.throw(403, "User does not have permission")