Allow pass through access if no group context is found

Author: Tom Kirkpatrick

lib/utils.js

@@ -48,7 +48,9 @@ module.exports = class AccessUtils {
    * Add operation hooks to limit access.
    */
   setupModels() {
-    this.getGroupContentModels().forEach(modelName => {
+    const models = [ this.options.groupModel ].concat(this.getGroupContentModels());
+
+    models.forEach(modelName => {
       const Model = this.app.models[modelName];
 
       if (typeof Model.observe === 'function') {
@@ -81,15 +83,15 @@ module.exports = class AccessUtils {
             debug('%s observe access: query=%s, options=%o, hookState=%o',
               Model.modelName, JSON.stringify(ctx.query, null, 4), ctx.options, ctx.hookState);
 
-            return this.buildFilter(currentUser.getId())
+            return this.buildFilter(currentUser.getId(), ctx.Model)
               .then(filter => {
-                debug('filter: %o', filter);
+                debug('original query: %o', JSON.stringify(ctx.query, null, 4));
                 const where = ctx.query.where ? {
                   and: [ ctx.query.where, filter ]
                 } : filter;
 
                 ctx.query.where = where;
-                debug('where query modified to: %s', JSON.stringify(ctx.query, null, 4));
+                debug('modified query: %s', JSON.stringify(ctx.query, null, 4));
               });
           }
           return next();
@@ -101,16 +103,19 @@ module.exports = class AccessUtils {
   /**
    * Build a where filter to restrict search results to a users group
    *
-   * @param {String} userId UserId to build filter for,
+   * @param {String} userId UserId to build filter for.
+   * @param {Object} Model Model to build filter for,
    * @returns {Object} A where filter.
    */
-  buildFilter(userId) {
+  buildFilter(userId, Model) {
     const filter = { };
+    const key = this.isGroupModel(Model)? Model.getIdName() : this.options.foreignKey;
+    // TODO: Support key determination based on the belongsTo relationship.
 
     return this.getUserGroups(userId)
       .then(userGroups => {
         userGroups = Array.from(userGroups, group => group[this.options.foreignKey]);
-        filter[this.options.foreignKey] = { inq: userGroups };
+        filter[key] = { inq: userGroups };
         return filter;
       });
   }
@@ -132,6 +137,23 @@ module.exports = class AccessUtils {
     return false;
   }
 
+  /**
+   * Check if a model class is the configured group access model.
+   *
+   * @param {String|Object} modelClass Model class to check.
+   * @returns {Boolean} Returns true if the principalId is on the expected format.
+   */
+  isGroupAccessModel(modelClass) {
+    if (modelClass) {
+      const groupAccessModel = this.app.models[this.options.groupAccessModel];
+
+      return modelClass === groupAccessModel ||
+        modelClass.prototype instanceof groupAccessModel ||
+        modelClass === this.options.groupAccessModel;
+    }
+    return false;
+  }
+
   /**
    * Get a list of group content models (models that have a belongs to relationship to the group model)
    *
@@ -143,8 +165,8 @@ module.exports = class AccessUtils {
     Object.keys(this.app.models).forEach(modelName => {
       const modelClass = this.app.models[modelName];
 
-      // TODO: Should we allow the access group model to be treated as a group content model too?
-      if (modelName === this.options.groupAccessModel) {
+      // Mark the group itself as a group or the group access model.
+      if (this.isGroupModel(modelClass) || this.isGroupAccessModel(modelClass)) {
         return;
       }
 
@@ -153,7 +175,7 @@ module.exports = class AccessUtils {
         rel = modelClass.relations[rel];
         // debug('Checking relation %s to %s: %j', r, rel.modelTo.modelName, rel);
         if (rel.type === 'belongsTo' && this.isGroupModel(rel.modelTo)) {
-          models.push(modelName);
+          return models.push(modelName);
         }
       }
     });
@@ -206,15 +228,6 @@ module.exports = class AccessUtils {
   getCurrentUser() {
     const ctx = this.app.loopback.getCurrentContext();
     const currentUser = ctx && ctx.get('currentUser') || null;
-
-    if (ctx) {
-      debug('getCurrentUser() - currentUser: %o', currentUser);
-    }
-    else {
-      // this means its a server-side logic call w/o any HTTP req/resp aspect to it.
-      debug('getCurrentUser() - no loopback context');
-    }
-
     return currentUser;
   }
 
@@ -226,15 +239,6 @@ module.exports = class AccessUtils {
   getCurrentUserGroups() {
     const ctx = this.app.loopback.getCurrentContext();
     const currentUserGroups = ctx && ctx.get('currentUserGroups') || [];
-
-    if (ctx) {
-      debug('currentUserGroups(): %o', currentUserGroups);
-    }
-    else {
-      // this means its a server-side logic call w/o any HTTP req/resp aspect to it.
-      debug('currentUserGroups(): no loopback context');
-    }
-
     return currentUserGroups;
   }
 
@@ -269,7 +273,16 @@ module.exports = class AccessUtils {
 
     Role.registerResolver(accessGroup, (role, context, cb) => {
       if (!context || !context.model || !context.modelId) {
-        process.nextTick(function() {
+        process.nextTick(() => {
+          debug('Allow passthrough access (context: %s, context.model: %s, context.modelId: %s)',
+            !!context, !!context.model, !!context.modelId);
+
+          const currentUser = this.getCurrentUser();
+
+          if (currentUser) {
+            this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
+          }
+
           if (cb) cb(null, false);
         });
         return;
@@ -284,56 +297,41 @@ module.exports = class AccessUtils {
 
       debug(`Role resolver for ${role}: evaluate ${modelClass.modelName} with id: ${modelId} for user: ${userId}`);
 
-      this.isGroupMemberWithRole(modelClass, modelId, userId, roleName)
+      return this.isGroupMemberWithRole(modelClass, modelId, userId, roleName)
         .then(res => {
           debug('Resolved to', res);
           cb(null, res);
         })
         .catch(cb);
 
-      // return Promise.join(this.getCurrentGroupId(context), this.getTargetGroupId(context),
-      //   (currentGroupId, targetGroupId) => {
-      //     if (!currentGroupId) {
-      //       // TODO: Use promise cancellation to abort the chain early.
-      //       // Causes the access check to be bypassed (see below).
-      //       return [ false ];
-      //     }
-      //
-      //     scope.currentGroupId = currentGroupId;
-      //     scope.targetGroupId = targetGroupId;
+      // return this.getTargetGroupId(context)
+      //   .then(targetGroupId => {
       //     const actions = [ ];
       //
-      //     actions.push(this.hasRoleInGroup(userId, roleName, currentGroupId, context));
+      //     actions.push(this.isGroupMemberWithRole(modelClass, modelId, userId, roleName));
       //
       //     // If this is an attempt to save the item into a new group, check the user has access to the target group.
-      //     if (targetGroupId && targetGroupId !== currentGroupId) {
-      //       actions.push(this.hasRoleInGroup(userId, roleName, targetGroupId, context));
+      //     if (targetGroupId && targetGroupId !== modelId) {
+      //       scope.targetGroupId = targetGroupId;
+      //       actions.push(this.isGroupMemberWithRole(modelClass, targetGroupId, userId, roleName));
       //     }
       //
       //     return actions;
       //   })
       //   .spread((currentGroupCount, targetGroupCount) => {
       //     let res = false;
       //
-      //     if (currentGroupCount === false) {
-      //       // No group context was determined, so allow passthrough access.
-      //       res = true;
-      //     }
-      //     else {
-      //       // Determine grant based on the current/target group context.
-      //       res = currentGroupCount > 0;
+      //     // Determine grant based on the current/target group context.
+      //     res = currentGroupCount > 0;
       //
-      //       debug(`user ${userId} ${res ? 'is a' : 'is not a'}` +
-      //         ` ${roleName} of group ${scope.currentGroupId}`);
+      //     debug(`user ${userId} ${res ? 'is a' : 'is not a'} ${roleName} of group ${modelId}`);
       //
-      //       // If it's an attempt to save  into a new group, also ensure the user has access to the target group.
-      //       if (scope.targetGroupId && scope.targetGroupId !== scope.currentGroupId) {
-      //         const tMember = targetGroupCount > 0;
+      //     // If it's an attempt to save into a new group, also ensure the user has access to the target group.
+      //     if (scope.targetGroupId && scope.targetGroupId !== modelId) {
+      //       const tMember = targetGroupCount > 0;
       //
-      //         debug(`user ${userId} ${tMember ? 'is a' : 'is not a'}` +
-      //           ` ${roleName} of group ${scope.targetGroupId}`);
-      //         res = res && tMember;
-      //       }
+      //       debug(`user ${userId} ${tMember ? 'is a' : 'is not a'} ${roleName} of group ${scope.targetGroupId}`);
+      //       res = res && tMember;
       //     }
       //
       //     // Note the fact that we are allowing access due to passing an ACL.
@@ -358,7 +356,6 @@ module.exports = class AccessUtils {
    */
   isGroupMemberWithRole(modelClass, modelId, userId, roleId, cb) {
     cb = cb || createPromiseCallback();
-    assert(modelClass, 'Model class is required');
     debug('isGroupMemberWithRole: modelClass: %o, modelId: %o, userId: %o, roleId: %o',
       modelClass && modelClass.modelName, modelId, userId, roleId);