diff --git a/packages/auth/src/security/roles.js b/packages/auth/src/security/roles.js
index d000fa8e1c..8529dde6f4 100644
--- a/packages/auth/src/security/roles.js
+++ b/packages/auth/src/security/roles.js
@@ -231,7 +231,8 @@ exports.getRequiredResourceRole = async (
   { resourceId, subResourceId }
 ) => {
   const roles = await exports.getAllRoles(appId)
-  let main, sub
+  let main = [],
+    sub = []
   for (let role of roles) {
     // no permissions, ignore it
     if (!role.permissions) {
@@ -240,12 +241,13 @@ exports.getRequiredResourceRole = async (
     const mainRes = role.permissions[resourceId]
     const subRes = role.permissions[subResourceId]
     if (mainRes && mainRes.indexOf(permLevel) !== -1) {
-      main = role
+      main.push(role._id)
     } else if (subRes && subRes.indexOf(permLevel) !== -1) {
-      sub = role
+      sub.push(role._id)
     }
   }
-  return sub ? sub : main
+  // for now just return the IDs
+  return main.concat(sub)
 }
 
 class AccessController {
diff --git a/packages/server/src/middleware/authorized.js b/packages/server/src/middleware/authorized.js
index 67857342f9..4e9c2c9ef8 100644
--- a/packages/server/src/middleware/authorized.js
+++ b/packages/server/src/middleware/authorized.js
@@ -46,13 +46,15 @@ module.exports =
       idOnly: false,
     })
     const permError = "User does not have permission"
-    let requiredRole
+    let possibleRoleIds = []
     if (hasResource(ctx)) {
-      requiredRole = await getRequiredResourceRole(ctx.appId, permLevel, ctx)
+      possibleRoleIds = await getRequiredResourceRole(ctx.appId, permLevel, ctx)
     }
     // check if we found a role, if not fallback to base permissions
-    if (requiredRole) {
-      const found = hierarchy.find(role => role._id === requiredRole._id)
+    if (possibleRoleIds.length > 0) {
+      const found = hierarchy.find(
+        role => possibleRoleIds.indexOf(role._id) !== -1
+      )
       return found ? next() : ctx.throw(403, permError)
     } else if (!doesHaveBasePermission(permType, permLevel, hierarchy)) {
       ctx.throw(403, permError)
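Review bot: The new comma-chained declaration `let main = [], sub = []` in the first hunk of roles.js declares two bindings that the rest of the function only ever pushes to and concatenates, never reassigns, so they should be two separate `const` declarations: `const main = []` and `const sub = []`. That makes the accumulate-only intent explicit and matches the one-declaration-per-line style used elsewhere in this file. The enclosing function getRequiredResourceRole begins before this hunk and its body continues into the next one.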
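Review bot: The return at the end of the second hunk of roles.js changes the contract of getRequiredResourceRole from "one role object, sub-resource role preferred" (`return sub ? sub : main`) to "every role ID that grants permLevel on either the main or the sub resource" (`return main.concat(sub)`), and the comment `// for now just return the IDs` does not say so. Any caller other than the authorized.js middleware in this commit that still expects a role object with an `_id` would silently break, which I cannot check from the diff. The widened semantics matter for authorization, so the function should carry a JSDoc header stating that it returns an array of role `_id`s, that the array includes roles matching the main resource even when sub-resource roles exist, and that an empty array means no role grants the level and the caller falls back to base permissions. Replacing the placeholder comment with something like `// union of role IDs that grant permLevel on the main or sub resource; empty means no match` would make the intent readable at the call site as well.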
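Review bot: The membership test in the authorized.js hunk, `possibleRoleIds.indexOf(role._id) !== -1`, should be `possibleRoleIds.includes(role._id)`, which reads as the set-membership check it is and is the idiomatic form. The context comment above it, `// check if we found a role, if not fallback to base permissions`, now describes a singular role while the code matches any role in the user's hierarchy against a list; updating it to `// grant if any role in the hierarchy is one that permits this level on the resource, else fall back to base permissions` keeps the comment honest about the widened check. The surrounding middleware function starts and ends outside the hunk.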