Add new setting "applyToStatic" to make the application of filtering on static methods optional

Author: Tom Kirkpatrick

README.md

@@ -117,13 +117,18 @@ Options:
 
   [String] : The name of the model that should be used to store and check group access roles. *(default: 'GroupAccess')*
 
+- `foreignKey`
+
+  [String] : The foreign key that should be used to determine which access group a model belongs to. *(default: 'groupId')*
+
 - `groupRoles`
 
   [Array] : A list of group names. *(default: [ '$group:admin', '$group:member' ])*
 
-- `foreignKey`
+- `applyToStatic`
+
+  [Boolean] : Set to *true* to apply ACLs to static methods (by means of query filtering). *(default: false)*
 
-  [String] : The foreign key that should be used to determine which access group a model belongs to. *(default: 'groupId')*
 
 ## Tests
 

lib/index.js

@@ -27,9 +27,10 @@ module.exports = function loopbackComponentAccess(app, options) {
   // Set up role resolvers.
   accessUtils.setupRoleResolvers();
 
-  // TODO: Rethink wether access filtering can be applied safely.
-  // Set up model opertion hooks
-  // accessUtils.setupModels();
+  // Set up model opertion hooks.
+  if (options.applyToStatic) {
+    accessUtils.setupModels();
+  }
 
   // TODO: Create Group Access model automatically if one hasn't been specified
 };

lib/utils.js

@@ -13,12 +13,14 @@ module.exports = class AccessUtils {
     this.options = _defaults({ }, options, {
       userModel: 'User',
       roleModel: 'Role',
-      groupModel: 'Group',
       groupAccessModel: 'GroupAccess',
+      groupModel: 'Group',
+      foreignKey: 'groupId',
       groupRoles: [
         '$group:admin',
         '$group:member'
-      ]
+      ],
+      applyToStatic: false
     });
     // Default the foreignKey to the group model name + Id.
     this.options.foreignKey = this.options.foreignKey || `${this.options.groupModel.toLowerCase()}Id`;
@@ -279,21 +281,8 @@ module.exports = class AccessUtils {
       const GroupAccess = this.app.models[this.options.groupAccessModel];
       const scope = { };
 
-      if (userId) {
-        this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
-      }
-
       debug(`Role resolver for ${role}: evaluate ${modelClass.modelName} with id: ${modelId} for user: ${userId}`);
 
-      if (!context || !context.model || !context.modelId) {
-        process.nextTick(() => {
-          debug('Deny access (context: %s, context.model: %s, context.modelId: %s)',
-            !!context, !!context.model, !!context.modelId);
-          if (cb) cb(null, false);
-        });
-        return;
-      }
-
       // No userId is present
       if (!userId) {
         process.nextTick(() => {
@@ -303,53 +292,92 @@ module.exports = class AccessUtils {
         return;
       }
 
-      return this.isGroupMemberWithRole(modelClass, modelId, userId, roleName)
-        .then(res => {
-          cb(null, res);
+      this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
+
+      /**
+       * Basic application that does not cover static methods.
+       * Similar to $owner.
+       */
+      if (!this.options.applyToStatic) {
+        if (!context || !context.model || !context.modelId) {
+          process.nextTick(() => {
+            debug('Deny access (context: %s, context.model: %s, context.modelId: %s)',
+              !!context, !!context.model, !!context.modelId);
+            if (cb) cb(null, false);
+          });
+          return;
+        }
+
+        return this.isGroupMemberWithRole(modelClass, modelId, userId, roleName)
+          .then(res => {
+            cb(null, res);
+          })
+          .catch(cb);
+      }
+
+      /**
+       * More complex application that also covers static methods.
+       */
+      return Promise.join(this.getCurrentGroupId(context), this.getTargetGroupId(context),
+        (currentGroupId, targetGroupId) => {
+          if (!currentGroupId) {
+            // TODO: Use promise cancellation to abort the chain early.
+            // Causes the access check to be bypassed (see below).
+            return [ false ];
+          }
+
+          scope.currentGroupId = currentGroupId;
+          scope.targetGroupId = targetGroupId;
+          const actions = [ ];
+          const conditions = {
+            userId: userId,
+            role: roleName
+          };
+
+          conditions[this.options.foreignKey] = currentGroupId;
+          actions.push(GroupAccess.count(conditions));
+
+          // If this is an attempt to save the item into a new group, check the user has access to the target group.
+          if (targetGroupId && targetGroupId !== currentGroupId) {
+            conditions[this.options.foreignKey] = targetGroupId;
+            actions.push(GroupAccess.count(conditions));
+          }
+
+          return actions;
+        })
+        .spread((currentGroupCount, targetGroupCount) => {
+          let res = false;
+
+          if (currentGroupCount === false) {
+            // No group context was determined, so allow passthrough access.
+            res = true;
+          }
+          else {
+            // Determine grant based on the current/target group context.
+            res = currentGroupCount > 0;
+
+            debug(`user ${userId} ${res ? 'is a' : 'is not a'} ${roleName} of group ${scope.currentGroupId}`);
+
+            // If it's an attempt to save  into a new group, also ensure the user has access to the target group.
+            if (scope.targetGroupId && scope.targetGroupId !== scope.currentGroupId) {
+              const tMember = targetGroupCount > 0;
+
+              debug(`user ${userId} ${tMember ? 'is a' : 'is not a'} ${roleName} of group ${scope.targetGroupId}`);
+              res = res && tMember;
+            }
+          }
+
+          // Note the fact that we are allowing access due to passing an ACL.
+          if (res) {
+            this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
+          }
+
+          return cb(null, res);
         })
         .catch(cb);
 
-      // return this.getTargetGroupId(context)
-      //   .then(targetGroupId => {
-      //     const actions = [ ];
-      //
-      //     actions.push(this.isGroupMemberWithRole(modelClass, modelId, userId, roleName));
-      //
-      //     // If this is an attempt to save the item into a new group, check the user has access to the target group.
-      //     if (targetGroupId && targetGroupId !== modelId) {
-      //       scope.targetGroupId = targetGroupId;
-      //       actions.push(this.isGroupMemberWithRole(modelClass, targetGroupId, userId, roleName));
-      //     }
-      //
-      //     return actions;
-      //   })
-      //   .spread((currentGroupCount, targetGroupCount) => {
-      //     let res = false;
-      //
-      //     // Determine grant based on the current/target group context.
-      //     res = currentGroupCount > 0;
-      //
-      //     debug(`user ${userId} ${res ? 'is a' : 'is not a'} ${roleName} of group ${modelId}`);
-      //
-      //     // If it's an attempt to save into a new group, also ensure the user has access to the target group.
-      //     if (scope.targetGroupId && scope.targetGroupId !== modelId) {
-      //       const tMember = targetGroupCount > 0;
-      //
-      //       debug(`user ${userId} ${tMember ? 'is a' : 'is not a'} ${roleName} of group ${scope.targetGroupId}`);
-      //       res = res && tMember;
-      //     }
-      //
-      //     // Note the fact that we are allowing access due to passing an ACL.
-      //     if (res) {
-      //       this.app.loopback.getCurrentContext().set('groupAccessApplied', true);
-      //     }
-      //
-      //     debug(`${accessGroup} role resolver returns ${res} for user ${userId}`);
-      //     return cb(null, res);
-      //   })
-      //   .catch(cb);
-    });
-  }
+      });
+  };
 
   /**
    * Check if a given user ID has a given role in the model instances group.

test/fixtures/simple-app/server/component-config.json

@@ -17,6 +17,7 @@
       "$group:admin",
       "$group:manager",
       "$group:member"
-    ]
+    ],
+    "applyToStatic": true
   }
 }