-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: Allow filtering of roles during permission fetching #61
base: master
Are you sure you want to change the base?
Conversation
Can one of the admins verify this patch? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a description of the use case to the PR description please
src/sbvr-api/permissions.coffee
Outdated
@@ -180,7 +180,10 @@ exports.setup = (app, sbvrUtils) -> | |||
throw err | |||
.nodeify(callback) | |||
|
|||
exports.getUserPermissions = getUserPermissions = (userId, callback) -> | |||
exports.getUserPermissions = getUserPermissions = (userId, roles, callback) -> | |||
if typeof roles is 'function' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you use _.isFunction
please
src/sbvr-api/permissions.coffee
Outdated
@@ -206,6 +209,14 @@ exports.setup = (app, sbvrUtils) -> | |||
uhr: expiry_date: null | |||
, uhr: expiry_date: $gt: $now: null | |||
] | |||
if roles? | |||
innerFilter = _.get(permsFilter, '$or.is_of__role.$any.$expr.rhp.role.$any.$expr') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather this is done as
roleFilter =
r: is_of__user: $any:
$alias: 'uhr'
$expr:
uhr: user: userId
$or: [
uhr: expiry_date: null
, uhr: expiry_date: $gt: $now: null
]
if roles?
roleFilter = $and: [
roleFilter,
r: name: $in: roles
]
permsFilter = $or:
is_of__user: $any:
$alias: 'uhp'
$expr:
uhp: user: userId
$or: [
uhp: expiry_date: null
, uhp: expiry_date: $gt: $now: null
]
is_of__role: $any:
$alias: 'rhp'
$expr: rhp: role: $any:
$alias: 'r'
$expr: roleFilter
rather than using this hardcoded path which will be awkward to spot issues with and fix if the structure of the query changes in future (the logic should be the same, we just do the augmentation first and then it gets inserted straight into the correct spot of permsFilter when it's first created, rather than afterward)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice solution!
add to whitelist |
This adds an optional external whitelist of roles available to a user. Change-Type: minor Connects-To: #60 Signed-off-by: Andreas Fitzek <[email protected]>
1b90cc5
to
cc38fec
Compare
This adds an optional external whitelist of roles available to a user.
We want to be able to restrict credentials (like a JWT), to only a given subset of the roles the user actually has and therefore only to the permissions associated with that given role.
Flowdock: https://www.flowdock.com/app/rulemotion/r-security/threads/6aoRkUtQ2XpwuPkwBu9rvnNrXb_
Change-Type: minor
Connects-To: #60
This is untested so far, I just tested it by changing the js directly in the api node_modules.