sasjs/server
1
0
Fork 0
mirror of https://github.com/sasjs/server.git synced 2025-12-11 19:44:35 +00:00
Code Issues Projects Releases Wiki Activity

fix: show non-admin user his own permissions only

Browse Source
This commit is contained in:
Sabir Hassan
2022-07-30 00:01:15 +05:00
parent a531de2adb
commit 8a3054e19a
4 changed files with 67 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
api/src/controllers/permission.ts
View File

@@ -1,3 +1,4 @@
import express from 'express'
import { import {
Security, Security,
Route, Route,
@@ -8,7 +9,8 @@ import {
Post, Post,
Patch, Patch,
Delete, Delete,
Body Body,
Request
} from 'tsoa' } from 'tsoa'
import Permission from '../model/Permission' import Permission from '../model/Permission'
@@ -71,7 +73,7 @@ export interface PermissionDetailsResponse {
@Tags('Permission') @Tags('Permission')
export class PermissionController { export class PermissionController {
/** /**
* @summary Get list of all permissions (uri, setting and userDetail). * @summary Get a list of user's permissions, if user is admin all permissions are returned.
* *
*/ */
@Example<PermissionDetailsResponse[]>([ @Example<PermissionDetailsResponse[]>([
@@ -100,8 +102,10 @@ export class PermissionController {
} }
]) ])
@Get('/') @Get('/')
public async getAllPermissions(): Promise<PermissionDetailsResponse[]> { public async getAllPermissions(
return getAllPermissions() @Request() request: express.Request
): Promise<PermissionDetailsResponse[]> {
return getAllPermissions(request)
} }
/** /**
@@ -161,24 +165,32 @@ export class PermissionController {
} }
} }
const getAllPermissions = async (): Promise<PermissionDetailsResponse[]> => const getAllPermissions = async (
(await Permission.find({}) req: express.Request
.select({ ): Promise<PermissionDetailsResponse[]> => {
_id: 0, const { user } = req
permissionId: 1,
uri: 1, if (user?.isAdmin) return await Permission.get({})
setting: 1 else {
}) const permissions: PermissionDetailsResponse[] = []
.populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
.populate({ const dbUser = await User.findOne({ id: user?.userId })
path: 'group', if (!dbUser)
select: 'groupId name description -_id', throw {
populate: { code: 404,
path: 'users', status: 'Not Found',
select: 'id username displayName isAdmin -_id', message: 'User not found.'
options: { limit: 15 }
} }
})) as unknown as PermissionDetailsResponse[]
permissions.push(...(await Permission.get({ user: dbUser._id })))
for (const group of dbUser.groups) {
permissions.push(...(await Permission.get({ group })))
}
return permissions
}
}
const createPermission = async ({ const createPermission = async ({
uri, uri,

33
api/src/model/Permission.ts
View File

@@ -1,5 +1,11 @@
import mongoose, { Schema, model, Document, Model } from 'mongoose' import mongoose, { Schema, model, Document, Model } from 'mongoose'
const AutoIncrement = require('mongoose-sequence')(mongoose) const AutoIncrement = require('mongoose-sequence')(mongoose)
import { PermissionDetailsResponse } from '../controllers'
interface GetPermissionBy {
user?: Schema.Types.ObjectId
group?: Schema.Types.ObjectId
}
interface IPermissionDocument extends Document { interface IPermissionDocument extends Document {
uri: string uri: string
@@ -11,7 +17,9 @@ interface IPermissionDocument extends Document {
interface IPermission extends IPermissionDocument {} interface IPermission extends IPermissionDocument {}
interface IPermissionModel extends Model<IPermission> {} interface IPermissionModel extends Model<IPermission> {
get(getBy: GetPermissionBy): Promise<PermissionDetailsResponse[]>
}
const permissionSchema = new Schema<IPermissionDocument>({ const permissionSchema = new Schema<IPermissionDocument>({
uri: { uri: {
@@ -28,6 +36,29 @@ const permissionSchema = new Schema<IPermissionDocument>({
permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' }) permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' })
// Static Methods
permissionSchema.static('get', async function (getBy: GetPermissionBy): Promise<
PermissionDetailsResponse[]
> {
return (await this.find(getBy)
.select({
_id: 0,
permissionId: 1,
uri: 1,
setting: 1
})
.populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
.populate({
path: 'group',
select: 'groupId name description -_id',
populate: {
path: 'users',
select: 'id username displayName isAdmin -_id',
options: { limit: 15 }
}
})) as unknown as PermissionDetailsResponse[]
})
export const Permission: IPermissionModel = model< export const Permission: IPermissionModel = model<
IPermission, IPermission,
IPermissionModel IPermissionModel

2
api/src/routes/api/permission.ts
View File

@@ -11,7 +11,7 @@ const controller = new PermissionController()
permissionRouter.get('/', async (req, res) => { permissionRouter.get('/', async (req, res) => {
try { try {
const response = await controller.getAllPermissions() const response = await controller.getAllPermissions(req)
res.send(response) res.send(response)
} catch (err: any) { } catch (err: any) {
const statusCode = err.code const statusCode = err.code

3
api/src/utils/getAuthorizedRoutes.ts
View File

@@ -9,8 +9,7 @@ const StaticAuthorizedRoutes = [
'/SASjsApi/drive/file', '/SASjsApi/drive/file',
'/SASjsApi/drive/folder', '/SASjsApi/drive/folder',
'/SASjsApi/drive/fileTree', '/SASjsApi/drive/fileTree',
'/SASjsApi/drive/rename', '/SASjsApi/drive/rename'
'/SASjsApi/permission'
] ]
export const getAuthorizedRoutes = () => { export const getAuthorizedRoutes = () => {