Enable finer grained permissions in adminAuth
This commit is contained in:
parent
75a7be41eb
commit
44693dd23a
@ -56,7 +56,7 @@ function needsPermission(permission) {
|
||||
if (permissions.hasPermission(req.authInfo.scope,permission)) {
|
||||
return next();
|
||||
}
|
||||
log.audit({event: "permission.fail"},req);
|
||||
log.audit({event: "permission.fail", permissions: permission},req);
|
||||
return res.status(401).end();
|
||||
});
|
||||
} else {
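Review bot: The new audit entry records the permission that was required but not the scope it was checked against, even though `req.authInfo.scope` is already in hand on the line that performs the check; a failed-permission audit record is far easier to triage when both sides of the decision are in it, e.g. `log.audit({event: "permission.fail", permissions: permission, scope: req.authInfo.scope},req);` (unless log.audit already extracts the scope from req, which is not visible here). Note also that with this commit's permissions.js change `permission` may be an array as well as a string, so anything consuming the `permissions` field of the audit record should expect either shape. needsPermission starts before this hunk and continues past the `} else {` on its last line.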
|
||||
|
@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2015 IBM Corp.
|
||||
* Copyright 2015, 2016 IBM Corp.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -20,41 +20,44 @@ var readRE = /^((.+)\.)?read$/
|
||||
var writeRE = /^((.+)\.)?write$/
|
||||
|
||||
function hasPermission(userScope,permission) {
|
||||
var i;
|
||||
if (util.isArray(userScope)) {
|
||||
if (userScope.length === 0) {
|
||||
return false;
|
||||
}
|
||||
for (i=0;i<userScope.length;i++) {
|
||||
if (!hasPermission(userScope[i],permission)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
if (permission === "") {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (userScope === "*") {
|
||||
return true;
|
||||
}
|
||||
var i;
|
||||
|
||||
if (util.isArray(permission)) {
|
||||
// Multiple permissions requested - check each one
|
||||
for (i=0;i<permission.length;i++) {
|
||||
if (!hasPermission(userScope,permission[i])) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
// All permissions check out
|
||||
return true;
|
||||
}
|
||||
|
||||
if (userScope === "read") {
|
||||
return readRE.test(permission);
|
||||
} else {
|
||||
return false; // anything not allowed is disallowed
|
||||
if (util.isArray(userScope)) {
|
||||
if (userScope.length === 0) {
|
||||
return false;
|
||||
}
|
||||
for (i=0;i<userScope.length;i++) {
|
||||
if (hasPermission(userScope[i],permission)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
if (userScope === "*" || userScope === permission) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (userScope === "read" || userScope === "*.read") {
|
||||
return readRE.test(permission);
|
||||
} else if (userScope === "write" || userScope === "*.write") {
|
||||
return writeRE.test(permission);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
module.exports = {
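Review bot: The new control flow grants access for an empty permission in two places — the `if (permission === "")` early return, which now runs before any scope inspection, and the `util.isArray(permission)` branch, whose loop body never executes for `[]` so it falls through to `return true` — so both forms pass for every scope, including the empty scope array that the function otherwise rejects with `return false`. That is reasonable if "nothing required" is the intent, but it is implicit; a comment such as `// An empty permission (string or list) means nothing is required, so it is granted for any scope` on the early return would make it deliberate. The function also has no header documenting the matching rules it now implements, and a JSDoc block stating that a scope array passes when any element passes, a permission array only when every entry passes, that `*` or an exact name matches, and that `read`/`*.read` and `write`/`*.write` are matched through readRE/writeRE, would spare the next reader from reconstructing them from the branches. Minor style point: `Array.isArray` is the standard form and could replace `util.isArray` at both call sites.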
|
||||
|
@ -1,5 +1,5 @@
|
||||
/**
|
||||
* Copyright 2015 IBM Corp.
|
||||
* Copyright 2015, 2016 IBM Corp.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -31,14 +31,22 @@ describe("Auth permissions", function() {
|
||||
permissions.hasPermission(["read"],"node.read").should.be.true;
|
||||
permissions.hasPermission(["read"],"write").should.be.false;
|
||||
permissions.hasPermission(["read"],"node.write").should.be.false;
|
||||
permissions.hasPermission(["*.read"],"read").should.be.true;
|
||||
permissions.hasPermission(["*.read"],"node.read").should.be.true;
|
||||
permissions.hasPermission(["*.read"],"write").should.be.false;
|
||||
permissions.hasPermission(["*.read"],"node.write").should.be.false;
|
||||
});
|
||||
it('a user with foo permissions',function() {
|
||||
permissions.hasPermission("foo","foo").should.be.false;
|
||||
permissions.hasPermission("foo","foo").should.be.true;
|
||||
});
|
||||
it('an array of permissions', function() {
|
||||
permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
|
||||
permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
|
||||
permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
|
||||
permissions.hasPermission(["flows.read"],["flows.read"]).should.be.true;
|
||||
permissions.hasPermission(["flows.read"],["flows.write"]).should.be.false;
|
||||
permissions.hasPermission(["flows.read","nodes.write"],["flows.write"]).should.be.false;
|
||||
permissions.hasPermission(["flows.read","nodes.write"],["nodes.write"]).should.be.true;
|
||||
});
|
||||
it('permits an empty permission', function() {
|
||||
permissions.hasPermission("*","").should.be.true;
|
||||
|