Enable finer grained permissions in adminAuth
This commit is contained in:
parent
75a7be41eb
commit
44693dd23a
@ -56,7 +56,7 @@ function needsPermission(permission) {
|
|||||||
if (permissions.hasPermission(req.authInfo.scope,permission)) {
|
if (permissions.hasPermission(req.authInfo.scope,permission)) {
|
||||||
return next();
|
return next();
|
||||||
}
|
}
|
||||||
log.audit({event: "permission.fail"},req);
|
log.audit({event: "permission.fail", permissions: permission},req);
|
||||||
return res.status(401).end();
|
return res.status(401).end();
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
|
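Review bot: The audit record written on the new `log.audit` line names the permission that was denied but not the scope the caller actually presented, which is the value a responder needs to tell a misconfigured role from a client probing for access; `req.authInfo.scope` is already in hand on the line above, so unless `log.audit` extracts it from `req` on its own, `log.audit({event: "permission.fail", permissions: permission, scope: req.authInfo.scope},req);` would close that gap. The key `permissions` is plural while the value is the single requested permission, so `permission` would match the parameter name. The `needsPermission` signature and the branch after the closing `else` lie outside the hunk.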
@ -1,5 +1,5 @@
|
|||||||
/**
|
/**
|
||||||
* Copyright 2015 IBM Corp.
|
* Copyright 2015, 2016 IBM Corp.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
@ -20,41 +20,44 @@ var readRE = /^((.+)\.)?read$/
|
|||||||
var writeRE = /^((.+)\.)?write$/
|
var writeRE = /^((.+)\.)?write$/
|
||||||
|
|
||||||
function hasPermission(userScope,permission) {
|
function hasPermission(userScope,permission) {
|
||||||
var i;
|
|
||||||
if (util.isArray(userScope)) {
|
|
||||||
if (userScope.length === 0) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
for (i=0;i<userScope.length;i++) {
|
|
||||||
if (!hasPermission(userScope[i],permission)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (permission === "") {
|
if (permission === "") {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
var i;
|
||||||
if (userScope === "*") {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (util.isArray(permission)) {
|
if (util.isArray(permission)) {
|
||||||
|
// Multiple permissions requested - check each one
|
||||||
for (i=0;i<permission.length;i++) {
|
for (i=0;i<permission.length;i++) {
|
||||||
if (!hasPermission(userScope,permission[i])) {
|
if (!hasPermission(userScope,permission[i])) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// All permissions check out
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (userScope === "read") {
|
if (util.isArray(userScope)) {
|
||||||
return readRE.test(permission);
|
if (userScope.length === 0) {
|
||||||
} else {
|
return false;
|
||||||
return false; // anything not allowed is disallowed
|
|
||||||
}
|
}
|
||||||
|
for (i=0;i<userScope.length;i++) {
|
||||||
|
if (hasPermission(userScope[i],permission)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (userScope === "*" || userScope === permission) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (userScope === "read" || userScope === "*.read") {
|
||||||
|
return readRE.test(permission);
|
||||||
|
} else if (userScope === "write" || userScope === "*.write") {
|
||||||
|
return writeRE.test(permission);
|
||||||
|
}
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
|
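Review bot: The new exact-match test `userScope === permission` can succeed when neither argument is a string, because `undefined === undefined` and `null === null` hold and no earlier branch rejects a missing scope or a missing permission; the callers visible here pass strings, so this is a hardening point rather than a reachable bug, but an authorization primitive should fail closed on malformed input, e.g. `if (userScope === "*" || (typeof permission === "string" && userScope === permission)) {`. The function also has no header comment describing the scope grammar it now accepts — `*`, `read` or `*.read`, `write` or `*.write`, an exact `<name>.read`/`<name>.write` string, or an array of these where any one match grants — while an array of requested permissions requires every entry to be granted; a short JSDoc above `function hasPermission` stating that OR/AND asymmetry is what a deployer reading an adminAuth config needs. The old `// anything not allowed is disallowed` remark was dropped with the else branch; keeping it on the final `return false;` preserves the deny-by-default intent for the next reader. `hasPermission` is entirely inside the hunk; the `module.exports` object that follows continues past it.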
@ -1,5 +1,5 @@
|
|||||||
/**
|
/**
|
||||||
* Copyright 2015 IBM Corp.
|
* Copyright 2015, 2016 IBM Corp.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
@ -31,14 +31,22 @@ describe("Auth permissions", function() {
|
|||||||
permissions.hasPermission(["read"],"node.read").should.be.true;
|
permissions.hasPermission(["read"],"node.read").should.be.true;
|
||||||
permissions.hasPermission(["read"],"write").should.be.false;
|
permissions.hasPermission(["read"],"write").should.be.false;
|
||||||
permissions.hasPermission(["read"],"node.write").should.be.false;
|
permissions.hasPermission(["read"],"node.write").should.be.false;
|
||||||
|
permissions.hasPermission(["*.read"],"read").should.be.true;
|
||||||
|
permissions.hasPermission(["*.read"],"node.read").should.be.true;
|
||||||
|
permissions.hasPermission(["*.read"],"write").should.be.false;
|
||||||
|
permissions.hasPermission(["*.read"],"node.write").should.be.false;
|
||||||
});
|
});
|
||||||
it('a user with foo permissions',function() {
|
it('a user with foo permissions',function() {
|
||||||
permissions.hasPermission("foo","foo").should.be.false;
|
permissions.hasPermission("foo","foo").should.be.true;
|
||||||
});
|
});
|
||||||
it('an array of permissions', function() {
|
it('an array of permissions', function() {
|
||||||
permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
|
permissions.hasPermission(["*"],["foo.read","foo.write"]).should.be.true;
|
||||||
permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
|
permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
|
||||||
permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
|
permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
|
||||||
|
permissions.hasPermission(["flows.read"],["flows.read"]).should.be.true;
|
||||||
|
permissions.hasPermission(["flows.read"],["flows.write"]).should.be.false;
|
||||||
|
permissions.hasPermission(["flows.read","nodes.write"],["flows.write"]).should.be.false;
|
||||||
|
permissions.hasPermission(["flows.read","nodes.write"],["nodes.write"]).should.be.true;
|
||||||
});
|
});
|
||||||
it('permits an empty permission', function() {
|
it('permits an empty permission', function() {
|
||||||
permissions.hasPermission("*","").should.be.true;
|
permissions.hasPermission("*","").should.be.true;
|
||||||
|
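Review bot: The new assertions only exercise read-side wildcards and exact matches; nothing checks that the write wildcard added in permissions.js denies a read request, or that a missing scope is refused, so a regression that widened either path would pass this suite unnoticed. Adding `permissions.hasPermission(["*.write"],"flows.read").should.be.false;` and `permissions.hasPermission(undefined,"flows.read").should.be.false;` beside the `*.read` cases would pin the deny paths that the commit relies on. The enclosing `describe("Auth permissions", ...)` block opens before the hunk and the last `it` closes after it.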