Fix handling for accessing the Group Model directly

Tom Kirkpatrick · Tom Kirkpatrick · commit adcddc98ec82 · 2016-02-04T23:20:32.000+01:00
diff --git a/lib/utils.js b/lib/utils.js
@@ -332,6 +332,12 @@ module.exports = class AccessUtils {
     debug('getCurrentGroupId context.remotingContext.args: %o', context.remotingContext.args);
     let groupId = null;
 
+    // If we are accessing the group model directly, the group id is the model id.
+    if (this.isGroupModel(context.model)) {
+      process.nextTick(() => cb(null, context.modelId));
+      return cb.promise;
+    }
+
     // If we are accessing an existing model, get the store id from the existing model instance.
     // TODO: Cache this result so that it can be reused across each ACL lookup attempt.
     if (context.modelId) {
diff --git a/test/fixtures/simple-app/common/models/store.json b/test/fixtures/simple-app/common/models/store.json
@@ -45,30 +45,41 @@
     {
       "accessType": "READ",
       "principalType": "ROLE",
-      "principalId": "admin",
-      "permission": "ALLOW",
-      "property": "find"
+      "principalId": "$group:member",
+      "permission": "ALLOW"
     },
     {
       "accessType": "READ",
       "principalType": "ROLE",
-      "principalId": "$group:member",
+      "principalId": "$group:manager",
+      "permission": "ALLOW"
+    },
+    {
+      "accessType": "WRITE",
+      "principalType": "ROLE",
+      "principalId": "$group:manager",
       "permission": "ALLOW",
-      "property": "findById"
+      "property": "create"
     },
     {
-      "accessType": "EXECUTE",
+      "accessType": "WRITE",
       "principalType": "ROLE",
-      "principalId": "$authenticated",
+      "principalId": "$group:manager",
       "permission": "ALLOW",
-      "property": "addUser"
+      "property": "updateAttributes"
     },
     {
-      "accessType": "EXECUTE",
+      "accessType": "WRITE",
       "principalType": "ROLE",
-      "principalId": "$authenticated",
+      "principalId": "$group:manager",
       "permission": "ALLOW",
-      "property": "removeUser"
+      "property": "upsert"
+    },
+    {
+      "accessType": "*",
+      "principalType": "ROLE",
+      "principalId": "$group:admin",
+      "permission": "ALLOW"
     }
   ],
   "methods": {}
diff --git a/test/rest-test.js b/test/rest-test.js
@@ -64,6 +64,26 @@ describe('REST API', function() {
 
   users.forEach(user => {
     describe(`${user.username} (User with ${user.abilities.join(', ')} permissions):`, function() {
+      // related group content
+      describe('group model', function() {
+        if (_includes(user.abilities, 'read')) {
+          it('should get a teams store', function() {
+            return logInAs(user.username)
+              .then(res => json('get', `/api/stores/A?access_token=${res.body.id}`)
+                .expect(200))
+              .then(res => {
+                expect(res.body).to.be.an('object');
+                expect(res.body).to.have.property('name', 'Store A');
+              });
+          });
+        }
+        it('should not get another teams store', function() {
+          return logInAs(user.username)
+            .then(res => json('get', `/api/stores/B?access_token=${res.body.id}`)
+              .expect(401));
+        });
+      });
+
       // related group content
       describe('related group content', function() {
         if (_includes(user.abilities, 'read')) {
