Updating to allow a list of roles to be retrieved, allowing resources to have multiple levels of role that they can be accessed via.

5 years ago · bf4a8737f0
2 changed files with 12 additions and 8 deletions
--- a/packages/auth/src/security/roles.js
+++ b/packages/auth/src/security/roles.js
@ -231,7 +231,8 @@ exports.getRequiredResourceRole = async (
  { resourceId, subResourceId }
 ) => {
  const roles = await exports.getAllRoles(appId)
-  let main, sub
+  let main = [],
+    sub = []
  for (let role of roles) {
    // no permissions, ignore it
    if (!role.permissions) {
@ -240,12 +241,13 @@ exports.getRequiredResourceRole = async (
    const mainRes = role.permissions[resourceId]
    const subRes = role.permissions[subResourceId]
    if (mainRes && mainRes.indexOf(permLevel) !== -1) {
-      main = role
+      main.push(role._id)
    } else if (subRes && subRes.indexOf(permLevel) !== -1) {
-      sub = role
+      sub.push(role._id)
    }
  }
-  return sub ? sub : main
+  // for now just return the IDs
+  return main.concat(sub)
 }

 class AccessController {
--- a/packages/server/src/middleware/authorized.js
+++ b/packages/server/src/middleware/authorized.js
@ -46,13 +46,15 @@ module.exports =
      idOnly: false,
    })
    const permError = "User does not have permission"
-    let requiredRole
+    let possibleRoleIds = []
    if (hasResource(ctx)) {
-      requiredRole = await getRequiredResourceRole(ctx.appId, permLevel, ctx)
+      possibleRoleIds = await getRequiredResourceRole(ctx.appId, permLevel, ctx)
    }
    // check if we found a role, if not fallback to base permissions
-    if (requiredRole) {
-      const found = hierarchy.find(role => role._id === requiredRole._id)
+    if (possibleRoleIds.length > 0) {
+      const found = hierarchy.find(
+        role => possibleRoleIds.indexOf(role._id) !== -1
+      )
      return found ? next() : ctx.throw(403, permError)
    } else if (!doesHaveBasePermission(permType, permLevel, hierarchy)) {
      ctx.throw(403, permError)