Merge pull request #11 from fullcube/rework

Rework

Author: Tom Kirkpatrick

README.md

@@ -117,13 +117,18 @@ Options:
 
   [String] : The name of the model that should be used to store and check group access roles. *(default: 'GroupAccess')*
 
+- `foreignKey`
+
+  [String] : The foreign key that should be used to determine which access group a model belongs to. *(default: 'groupId')*
+
 - `groupRoles`
 
   [Array] : A list of group names. *(default: [ '$group:admin', '$group:member' ])*
 
-- `foreignKey`
+- `applyToStatic`
+
+  [Boolean] : Set to *true* to apply ACLs to static methods (by means of query filtering). *(default: false)*
 
-  [String] : The foreign key that should be used to determine which access group a model belongs to. *(default: 'groupId')*
 
 ## Tests
 

lib/index.js

@@ -26,7 +26,11 @@ module.exports = function loopbackComponentAccess(app, options) {
 
   // Set up role resolvers.
   accessUtils.setupRoleResolvers();
-  // Set up model opertion hooks
-  accessUtils.setupModels();
+
+  // Set up model opertion hooks.
+  if (options.applyToStatic) {
+    accessUtils.setupFilters();
+  }
+
 // TODO: Create Group Access model automatically if one hasn't been specified
 };

lib/middleware/user-context.js

@@ -23,16 +23,10 @@ module.exports = function userContextMiddleware() {
     loopbackContext.set('accessToken', req.accessToken.id);
     const app = req.app;
     const UserModel = app.accessUtils.options.userModel || 'User';
-    const GroupAccessModel = app.accessUtils.options.groupAccessModel || 'GroupAccess';
-
 
     return Promise.join(
       app.models[UserModel].findById(req.accessToken.userId),
-      app.models[GroupAccessModel].find({
-        where: {
-          userId: req.accessToken.userId
-        }
-      }),
+      app.accessUtils.getUserGroups(req.accessToken.userId),
       (user, groups) => {
         if (!user) {
           return next(new Error('No user with this access token was found.'));

lib/utils.js

@@ -13,12 +13,14 @@ module.exports = class AccessUtils {
     this.options = _defaults({ }, options, {
       userModel: 'User',
       roleModel: 'Role',
-      groupModel: 'Group',
       groupAccessModel: 'GroupAccess',
+      groupModel: 'Group',
+      foreignKey: 'groupId',
       groupRoles: [
         '$group:admin',
         '$group:member'
-      ]
+      ],
+      applyToStatic: false
     });
     // Default the foreignKey to the group model name + Id.
     this.options.foreignKey = this.options.foreignKey || `${this.options.groupModel.toLowerCase()}Id`;
@@ -47,8 +49,10 @@ module.exports = class AccessUtils {
   /**
    * Add operation hooks to limit access.
    */
-  setupModels() {
-    this.getGroupContentModels().forEach(modelName => {
+  setupFilters() {
+    const models = [ this.options.groupModel ].concat(this.getGroupContentModels());
+
+    models.forEach(modelName => {
       const Model = this.app.models[modelName];
 
       if (typeof Model.observe === 'function') {
@@ -81,15 +85,15 @@ module.exports = class AccessUtils {
             debug('%s observe access: query=%s, options=%o, hookState=%o',
               Model.modelName, JSON.stringify(ctx.query, null, 4), ctx.options, ctx.hookState);
 
-            return this.buildFilter(currentUser.getId())
+            return this.buildFilter(currentUser.getId(), ctx.Model)
               .then(filter => {
-                debug('filter: %o', filter);
+                debug('original query: %o', JSON.stringify(ctx.query, null, 4));
                 const where = ctx.query.where ? {
                   and: [ ctx.query.where, filter ]
                 } : filter;
 
                 ctx.query.where = where;
-                debug('where query modified to: %s', JSON.stringify(ctx.query, null, 4));
+                debug('modified query: %s', JSON.stringify(ctx.query, null, 4));
               });
           }
           return next();
@@ -101,16 +105,19 @@ module.exports = class AccessUtils {
   /**
    * Build a where filter to restrict search results to a users group
    *
-   * @param {String} userId UserId to build filter for,
+   * @param {String} userId UserId to build filter for.
+   * @param {Object} Model Model to build filter for,
    * @returns {Object} A where filter.
    */
-  buildFilter(userId) {
+  buildFilter(userId, Model) {
     const filter = { };
+    const key = this.isGroupModel(Model) ? Model.getIdName() : this.options.foreignKey;
+    // TODO: Support key determination based on the belongsTo relationship.
 
     return this.getUserGroups(userId)
       .then(userGroups => {
         userGroups = Array.from(userGroups, group => group[this.options.foreignKey]);
-        filter[this.options.foreignKey] = { inq: userGroups };
+        filter[key] = { inq: userGroups };
         return filter;
       });
   }
@@ -132,6 +139,23 @@ module.exports = class AccessUtils {
     return false;
   }
 
+  /**
+   * Check if a model class is the configured group access model.
+   *
+   * @param {String|Object} modelClass Model class to check.
+   * @returns {Boolean} Returns true if the principalId is on the expected format.
+   */
+  isGroupAccessModel(modelClass) {
+    if (modelClass) {
+      const groupAccessModel = this.app.models[this.options.groupAccessModel];
+
+      return modelClass === groupAccessModel ||
+        modelClass.prototype instanceof groupAccessModel ||
+        modelClass === this.options.groupAccessModel;
+    }
+    return false;
+  }
+
   /**
    * Get a list of group content models (models that have a belongs to relationship to the group model)
    *
@@ -143,8 +167,8 @@ module.exports = class AccessUtils {
     Object.keys(this.app.models).forEach(modelName => {
       const modelClass = this.app.models[modelName];
 
-      // TODO: Should we allow the access group model to be treated as a group content model too?
-      if (modelName === this.options.groupAccessModel) {
+      // Mark the group itself as a group or the group access model.
+      if (this.isGroupModel(modelClass) || this.isGroupAccessModel(modelClass)) {
         return;
       }
 
@@ -207,14 +231,6 @@ module.exports = class AccessUtils {
     const ctx = this.app.loopback.getCurrentContext();
     const currentUser = ctx && ctx.get('currentUser') || null;
 
-    if (ctx) {
-      debug('getCurrentUser() - currentUser: %o', currentUser);
-    }
-    else {
-      // this means its a server-side logic call w/o any HTTP req/resp aspect to it.
-      debug('getCurrentUser() - no loopback context');
-    }
-
     return currentUser;
   }
 
@@ -227,14 +243,6 @@ module.exports = class AccessUtils {
     const ctx = this.app.loopback.getCurrentContext();
     const currentUserGroups = ctx && ctx.get('currentUserGroups') || [];
 
-    if (ctx) {
-      debug('currentUserGroups(): %o', currentUserGroups);
-    }
-    else {
-      // this means its a server-side logic call w/o any HTTP req/resp aspect to it.
-      debug('currentUserGroups(): no loopback context');
-    }
-
     return currentUserGroups;
   }
 
@@ -268,21 +276,51 @@ module.exports = class AccessUtils {
     const Role = this.app.models[this.options.roleModel];
 
     Role.registerResolver(accessGroup, (role, context, cb) => {
-      const currentUser = this.getCurrentUser();
+      cb = cb || createPromiseCallback();
+      const modelClass = context.model;
+      const modelId = context.modelId;
+      const userId = context.getUserId();
       const roleName = this.extractRoleName(role);
       const GroupAccess = this.app.models[this.options.groupAccessModel];
       const scope = { };
 
-      // Do not allow anonymous users.
-      if (!currentUser) {
-        debug('access denied for anonymous user');
-        return process.nextTick(() => cb(null, false));
+      debug(`Role resolver for ${role}: evaluate ${modelClass.modelName} with id: ${modelId} for user: ${userId}`);
+
+      // No userId is present
+      if (!userId) {
+        process.nextTick(() => {
+          debug('Deny access for anonymous user');
+          cb(null, false);
+        });
+        return cb.promise;
       }
 
-      debug(`Role resolver for ${role}: evaluate ${context.model.definition.name} with id: ${context.modelId}` +
-        ` for currentUser.getId(): ${currentUser.getId()}`);
+      this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
+
+      /**
+       * Basic application that does not cover static methods. Similar to $owner. (RECOMMENDED)
+       */
+      if (!this.options.applyToStatic) {
+        if (!context || !modelClass || !modelId) {
+          process.nextTick(() => {
+            debug('Deny access (context: %s, context.model: %s, context.modelId: %s)',
+              Boolean(context), Boolean(modelClass), Boolean(modelId));
+            cb(null, false);
+          });
+          return cb.promise;
+        }
+
+        this.isGroupMemberWithRole(modelClass, modelId, userId, roleName)
+          .then(res => cb(null, res))
+          .catch(cb);
 
-      return Promise.join(this.getCurrentGroupId(context), this.getTargetGroupId(context),
+        return cb.promise;
+      }
+
+      /**
+       * More complex application that also covers static methods. (EXPERIMENTAL)
+       */
+      Promise.join(this.getCurrentGroupId(context), this.getTargetGroupId(context),
         (currentGroupId, targetGroupId) => {
           if (!currentGroupId) {
             // TODO: Use promise cancellation to abort the chain early.
@@ -293,10 +331,7 @@ module.exports = class AccessUtils {
           scope.currentGroupId = currentGroupId;
           scope.targetGroupId = targetGroupId;
           const actions = [ ];
-          const conditions = {
-            userId: currentUser.getId(),
-            role: roleName
-          };
+          const conditions = { userId, role: roleName };
 
           conditions[this.options.foreignKey] = currentGroupId;
           actions.push(GroupAccess.count(conditions));
@@ -320,15 +355,13 @@ module.exports = class AccessUtils {
             // Determine grant based on the current/target group context.
             res = currentGroupCount > 0;
 
-            debug(`user ${currentUser.getId()} ${res ? 'is a' : 'is not a'}` +
-              `${roleName} of group ${scope.currentGroupId}`);
+            debug(`user ${userId} ${res ? 'is a' : 'is not a'} ${roleName} of group ${scope.currentGroupId}`);
 
             // If it's an attempt to save  into a new group, also ensure the user has access to the target group.
             if (scope.targetGroupId && scope.targetGroupId !== scope.currentGroupId) {
               const tMember = targetGroupCount > 0;
 
-              debug(`user ${currentUser.getId()} ${tMember ? 'is a' : 'is not a'}` +
-                `${roleName} of group ${scope.targetGroupId}`);
+              debug(`user ${userId} ${tMember ? 'is a' : 'is not a'} ${roleName} of group ${scope.targetGroupId}`);
               res = res && tMember;
             }
           }
@@ -341,7 +374,88 @@ module.exports = class AccessUtils {
           return cb(null, res);
         })
         .catch(cb);
+      return cb.promise;
+    });
+  }
+
+  /**
+   * Check if a given user ID has a given role in the model instances group.
+   * @param {Function} modelClass The model class
+   * @param {*} modelId The model ID
+   * @param {*} userId The user ID
+   * @param {*} roleId The role ID
+   * @param {Function} callback Callback function
+   */
+  isGroupMemberWithRole(modelClass, modelId, userId, roleId, cb) {
+    cb = cb || createPromiseCallback();
+    debug('isGroupMemberWithRole: modelClass: %o, modelId: %o, userId: %o, roleId: %o',
+      modelClass && modelClass.modelName, modelId, userId, roleId);
+
+    // No userId is present
+    if (!userId) {
+      process.nextTick(() => {
+        cb(null, false);
+      });
+      return cb.promise;
+    }
+
+    // Is the modelClass GroupModel or a subclass of GroupModel?
+    if (this.isGroupModel(modelClass)) {
+      debug('Access to Group Model %s attempted', modelId);
+      this.hasRoleInGroup(userId, roleId, modelId)
+        .then(res => cb(null, res));
+      return cb.promise;
+    }
+
+    modelClass.findById(modelId, (err, inst) => {
+      if (err || !inst) {
+        debug('Model not found for id %j', modelId);
+        return cb(err, false);
+      }
+      debug('Model found: %j', inst);
+      const groupId = inst[this.options.foreignKey];
+
+      // Ensure groupId exists and is not a function/relation
+      if (groupId && typeof groupId !== 'function') {
+        return this.hasRoleInGroup(userId, roleId, groupId)
+          .then(res => cb(null, res));
+      }
+      // Try to follow belongsTo
+      for (const relName in modelClass.relations) {
+        const rel = modelClass.relations[relName];
+
+        if (rel.type === 'belongsTo' && this.isGroupModel(rel.modelTo)) {
+          debug('Checking relation %s to %s: %j', relName, rel.modelTo.modelName, rel);
+          return inst[relName](function processRelatedGroup(error, group) {
+            if (!error && group) {
+              debug('Group found: %j', group.getId());
+              return cb(null, this.hasRoleInGroup(userId, roleId, group.getId()));
+            }
+            return cb(error, false);
+          });
+        }
+      }
+      debug('No matching belongsTo relation found for model %j and group: %j', modelId, groupId);
+      return cb(null, false);
     });
+    return cb.promise;
+  }
+
+  hasRoleInGroup(userId, role, group, cb) {
+    debug('hasRoleInGroup: role: %o, group: %o, userId: %o', role, group, userId);
+    cb = cb || createPromiseCallback();
+    const GroupAccess = this.app.models[this.options.groupAccessModel];
+    const conditions = { userId, role };
+
+    conditions[this.options.foreignKey] = group;
+    GroupAccess.count(conditions)
+      .then(count => {
+        const res = count > 0;
+
+        debug(`User ${userId} ${res ? 'HAS' : 'DOESNT HAVE'} ${role} role in group ${group}`);
+        cb(null, res);
+      });
+    return cb.promise;
   }
 
   /**
@@ -362,7 +476,7 @@ module.exports = class AccessUtils {
       return cb.promise;
     }
 
-    // If we are accessing an existing model, get the store id from the existing model instance.
+    // If we are accessing an existing model, get the group id from the existing model instance.
     // TODO: Cache this result so that it can be reused across each ACL lookup attempt.
     if (context.modelId) {
       debug(`fetching group id for existing model with id: ${context.modelId}`);
@@ -372,7 +486,7 @@ module.exports = class AccessUtils {
         .then(item => {
           // TODO: Attempt to follow relationships in addition to the foreign key.
           if (item) {
-            debug(`determined group id ${item[this.options.foreignKey]} from existing model %o`, item);
+            debug(`determined group id ${item[this.options.foreignKey]} from existing model ${context.modelId}`);
             groupId = item[this.options.foreignKey];
           }
           cb(null, groupId);