Enable finer grained permissions in adminAuth

2025-03-01 10:36:34 +00:00 · 2016-04-10 15:23:03 +01:00
parent 75a7be41eb
commit 44693dd23a
3 changed files with 36 additions and 25 deletions
--- a/red/api/auth/index.js
+++ b/red/api/auth/index.js
@@ -56,7 +56,7 @@ function needsPermission(permission) {
                if (permissions.hasPermission(req.authInfo.scope,permission)) {
                    return next();
                }
-                log.audit({event: "permission.fail"},req);
+                log.audit({event: "permission.fail", permissions: permission},req);
                return res.status(401).end();
            });
        } else {
--- a/red/api/auth/permissions.js
+++ b/red/api/auth/permissions.js
@@ -1,5 +1,5 @@
 /**
- * Copyright 2015 IBM Corp.
+ * Copyright 2015, 2016 IBM Corp.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -20,41 +20,44 @@ var readRE = /^((.+)\.)?read$/
 var writeRE = /^((.+)\.)?write$/

 function hasPermission(userScope,permission) {
-    var i;
-    if (util.isArray(userScope)) {
-        if (userScope.length === 0) {
-            return false;
-        }
-        for (i=0;i<userScope.length;i++) {
-            if (!hasPermission(userScope[i],permission)) {
-                return false;
-            }
-        }
-        return true;
-    }
-
    if (permission === "") {
        return true;
    }
-
-    if (userScope === "*") {
-        return true;
-    }
+    var i;

    if (util.isArray(permission)) {
+        // Multiple permissions requested - check each one
        for (i=0;i<permission.length;i++) {
            if (!hasPermission(userScope,permission[i])) {
                return false;
            }
        }
+        // All permissions check out
        return true;
    }

-    if (userScope === "read") {
-        return readRE.test(permission);
-    } else {
-        return false; // anything not allowed is disallowed
+    if (util.isArray(userScope)) {
+        if (userScope.length === 0) {
+            return false;
+        }
+        for (i=0;i<userScope.length;i++) {
+            if (hasPermission(userScope[i],permission)) {
+                return true;
+            }
+        }
+        return false;
    }
+
+    if (userScope === "*" || userScope === permission) {
+        return true;
+    }
+
+    if (userScope === "read" || userScope === "*.read") {
+        return readRE.test(permission);
+    } else if (userScope === "write" || userScope === "*.write") {
+        return writeRE.test(permission);
+    }
+    return false;
 }

 module.exports = {