From f0be2618f3e8c697a7a2e4fc1ac37f3944ce4ac5 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 10 Aug 2017 13:39:57 +0200 Subject: [PATCH 1/2] Allow filtering of roles during permission fetching This adds an optional external whitelist of roles available to a user. Change-Type: minor Connects-To: #60 Signed-off-by: Andreas Fitzek --- src/sbvr-api/permissions.coffee | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/sbvr-api/permissions.coffee b/src/sbvr-api/permissions.coffee index 270b6b49e..cf178dd04 100644 --- a/src/sbvr-api/permissions.coffee +++ b/src/sbvr-api/permissions.coffee @@ -180,7 +180,10 @@ exports.setup = (app, sbvrUtils) -> throw err .nodeify(callback) - exports.getUserPermissions = getUserPermissions = (userId, callback) -> + exports.getUserPermissions = getUserPermissions = (userId, roles, callback) -> + if typeof roles is 'function' + callback = roles + roles = null if _.isString(userId) userId = _.parseInt(userId) if !_.isFinite(userId) @@ -206,6 +209,14 @@ exports.setup = (app, sbvrUtils) -> uhr: expiry_date: null , uhr: expiry_date: $gt: $now: null ] + if roles? + innerFilter = _.get(permsFilter, '$or.is_of__role.$any.$expr.rhp.role.$any.$expr') + newFilter = + $and: [ + innerFilter, + r: name: $in: roles + ] + _.set(permsFilter, '$or.is_of__role.$any.$expr.rhp.role.$any.$expr', newFilter) return getPermissions(permsFilter, callback) exports.getApiKeyPermissions = getApiKeyPermissions = do -> From cc38fece76472ea15986751e065c51f001daea42 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Fri, 11 Aug 2017 14:02:07 +0200 Subject: [PATCH 2/2] addressed review --- src/sbvr-api/permissions.coffee | 37 ++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/src/sbvr-api/permissions.coffee b/src/sbvr-api/permissions.coffee index cf178dd04..22ba249d9 100644 --- a/src/sbvr-api/permissions.coffee +++ b/src/sbvr-api/permissions.coffee 
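Review bot: `roles` is accepted without any shape check, and because the filter added further down is guarded by `roles?`, a caller that passes `null` or `undefined` (for example when the external list could not be loaded) gets the user's unrestricted permission set instead of a narrowed one. For a value described as an external whitelist, that fail-open default should at least be stated in a comment above the signature. Non-array input should be rejected the same way a bad `userId` is, e.g. `if roles? and !_.isArray(roles)` followed by `return Promise.rejected(new Error('roles has to be an array, got: ' + typeof roles))`. The follow-up commit changes the callback test to `_.isFunction(roles)` but leaves this as is. The function body continues outside the hunk.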
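Review bot: The whitelist is applied only under `$or.is_of__role`, so permissions attached directly to the user appear to be returned whatever `roles` contains. If callers use this parameter to scope a session down to a subset of roles, that difference matters. A comment next to `if roles?`, such as `# roles only narrows role-derived permissions; direct user permissions are not filtered`, would make the contract explicit. The same holds after the second commit, where `roleFilter` is used only under the role branch. The start of `permsFilter` lies outside this hunk, so the direct-permission branch should be checked against the full function.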
@@ -181,13 +181,30 @@ exports.setup = (app, sbvrUtils) -> .nodeify(callback) exports.getUserPermissions = getUserPermissions = (userId, roles, callback) -> - if typeof roles is 'function' + if _.isFunction(roles) callback = roles roles = null if _.isString(userId) userId = _.parseInt(userId) if !_.isFinite(userId) return Promise.rejected(new Error('User ID has to be numeric, got: ' + typeof userId)) + + roleFilter = + r: is_of__user: $any: + $alias: 'uhr' + $expr: + uhr: user: userId + $or: [ + uhr: expiry_date: null + , uhr: expiry_date: $gt: $now: null + ] + + if roles? + roleFilter = $and: [ + roleFilter, + r: name: $in: roles + ] + permsFilter = $or: is_of__user: $any: $alias: 'uhp' @@ -201,22 +218,8 @@ exports.setup = (app, sbvrUtils) -> $alias: 'rhp' $expr: rhp: role: $any: $alias: 'r' - $expr: r: is_of__user: $any: - $alias: 'uhr' - $expr: - uhr: user: userId - $or: [ - uhr: expiry_date: null - , uhr: expiry_date: $gt: $now: null - ] - if roles? - innerFilter = _.get(permsFilter, '$or.is_of__role.$any.$expr.rhp.role.$any.$expr') - newFilter = - $and: [ - innerFilter, - r: name: $in: roles - ] - _.set(permsFilter, '$or.is_of__role.$any.$expr.rhp.role.$any.$expr', newFilter) + $expr: roleFilter + return getPermissions(permsFilter, callback) exports.getApiKeyPermissions = getApiKeyPermissions = do ->
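Review bot: `if roles?` is also true for an empty array, which produces `r: name: $in: []`; how the filter compiler handles an empty `$in` list is not visible in this patch. An empty whitelist presumably means that no role may contribute permissions, so that case should be pinned down by a test or handled explicitly before the filter is built. A comment such as `# empty roles list: no role-derived permissions are returned` would record the intended behaviour. The `permsFilter` literal that consumes `roleFilter` continues past the end of this hunk.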