Only apply filters if there is an ACL in place

Author: Tom Kirkpatrick

lib/utils.js

@@ -4,7 +4,7 @@ const debug = require('debug')('loopback:componenet:access');
 const createPromiseCallback = require('loopback-datasource-juggler/lib/utils').createPromiseCallback;
 const _defaults = require('lodash').defaults;
 const _get = require('lodash').get;
-const Promise = require("bluebird");
+const Promise = require('bluebird');
 
 module.exports = class AccessUtils {
   constructor(app, options) {
@@ -57,18 +57,27 @@ module.exports = class AccessUtils {
           const currentUser = this.getCurrentUser();
 
           if (currentUser) {
-            // Do noinvoice if options.skipAccess has been set.
+            // Do not filter if options.skipAccess has been set.
             if (ctx.options.skipAccess) {
               debug('skipAccess: true - skipping access filters');
               return next();
             }
 
-            // Do noinvoice if the request is being made against a single model instance.
+            // Do not filter if the request is being made against a single model instance.
             if (_get(ctx.query, 'where.id')) {
               debug('looking up by Id - skipping access filters');
               return next();
             }
 
+            // Do not apply filters if no group access acls were applied.
+            const loopbackContext = this.app.loopback.getCurrentContext();
+            const groupAccessApplied = loopbackContext && loopbackContext.get('groupAccessApplied') || false;
+
+            if (!groupAccessApplied) {
+              debug('acls not appled - skipping access filters');
+              return next();
+            }
+
             debug('%s observe access: query=%s, options=%o, hookState=%o',
               Model.modelName, JSON.stringify(ctx.query, null, 4), ctx.options, ctx.hookState);
 
@@ -259,19 +268,19 @@ module.exports = class AccessUtils {
     const Role = this.app.models[this.options.roleModel];
 
     Role.registerResolver(accessGroup, (role, context, cb) => {
-      const currentUserId = context.accessToken.userId;
+      const currentUser = this.getCurrentUser();
       const roleName = this.extractRoleName(role);
       const GroupAccess = this.app.models[this.options.groupAccessModel];
       const scope = { };
 
       // Do not allow anonymous users.
-      if (!currentUserId) {
+      if (!currentUser) {
         debug('access denied for anonymous user');
         return process.nextTick(() => cb(null, false));
       }
 
       debug(`Role resolver for ${role}: evaluate ${context.model.definition.name} with id: ${context.modelId}` +
-        ` for currentUserId: ${currentUserId}`);
+        ` for currentUser.getId(): ${currentUser.getId()}`);
 
       return Promise.join(this.getCurrentGroupId(context), this.getTargetGroupId(context),
         (currentGroupId, targetGroupId) => {
@@ -284,7 +293,10 @@ module.exports = class AccessUtils {
           scope.currentGroupId = currentGroupId;
           scope.targetGroupId = targetGroupId;
           const actions = [ ];
-          const conditions = { userId: currentUserId, role: roleName };
+          const conditions = {
+            userId: currentUser.getId(),
+            role: roleName
+          };
 
           conditions[this.options.foreignKey] = currentGroupId;
           actions.push(GroupAccess.count(conditions));
@@ -298,24 +310,35 @@ module.exports = class AccessUtils {
           return actions;
         })
         .spread((currentGroupCount, targetGroupCount) => {
+          let res = false;
+
           if (currentGroupCount === false) {
             // No group context was determined, so allow passthrough access.
-            return cb(null, true);
+            res = true;
           }
-          const cMember = currentGroupCount > 0;
+          else {
+            // Determine grant based on the current/target group context.
+            res = currentGroupCount > 0;
+
+            debug(`user ${currentUser.getId()} ${res ? 'is a' : 'is not a'}` +
+              `${roleName} of group ${scope.currentGroupId}`);
 
-          debug(`user ${currentUserId} ${cMember ? 'is a' : 'is not a'} ${roleName} of group ${scope.currentGroupId}`);
+            // If it's an attempt to save  into a new group, also ensure the user has access to the target group.
+            if (scope.targetGroupId && scope.targetGroupId !== scope.currentGroupId) {
+              const tMember = targetGroupCount > 0;
 
-          // If it's an attempt to save the item into a new group, also ensure the user has access to the target group.
-          if (scope.targetGroupId && scope.targetGroupId !== scope.currentGroupId) {
-            const tMember = targetGroupCount > 0;
+              debug(`user ${currentUser.getId()} ${tMember ? 'is a' : 'is not a'}` +
+                `${roleName} of group ${scope.targetGroupId}`);
+              res = res && tMember;
+            }
+          }
 
-            debug(`user ${currentUserId} ${tMember ? 'is a' : 'is not a'} ${roleName} of group ${scope.targetGroupId}`);
-            return cb(null, cMember && tMember);
+          // Note the fact that we are allowing access due to passing an ACL.
+          if (res) {
+            this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
           }
 
-          // Otherwise, base access on the current group membership only.
-          return cb(null, cMember);
+          return cb(null, res);
         })
         .catch(cb);
     });