Allow permissions to be embedded in saved documents

Use a post save hook to insert the new permissions into the document

Author: makinde

.vscode/settings.json

@@ -2,6 +2,9 @@
   "cSpell.words": [
     "adhoc",
     "authz",
-    "nodeunit"
+    "nodeunit",
+    "permissioned",
+    "subpath",
+    "upsert"
   ]
 }

index.js

@@ -9,6 +9,8 @@ const getEmbeddedPermission = require('./src/getEmbeddedPermission');
 const PermissionDeniedError = require('./src/PermissionDeniedError');
 const IncompatibleMethodError = require('./src/IncompatibleMethodError');
 
+const docOptionsSymbol = Symbol('documentOptions');
+
 module.exports = (schema, installationOptions) => {
   async function save(doc, options) {
     let authorizedFields = getEmbeddedPermission(doc, options, 'write');
@@ -110,11 +112,25 @@ module.exports = (schema, installationOptions) => {
   // is to have arguments to the middleware function. If we have arguments, mongoose
   // assume we want to use a `next()` function. FML
   schema.pre('save', function preSave(next, options) {
+    // Embed the options into the doc so we have access to them in post save hooks
+    this[docOptionsSymbol] = options;
     if (authIsDisabled(options)) { return next(); }
+
     return save(this, options)
       .then(() => next())
       .catch(next);
   });
+  schema.post('save', (doc, next) => {
+    const options = doc[docOptionsSymbol];
+    if (authIsDisabled(options)) { return next(); }
+
+    // Nothing will likely be removed, but this allows people to specify that
+    // permissions should be returned, so this will recalculate permissions
+    // with the new  document data (after changes) and embed it if asked for
+    return sanitizeDocumentList(schema, options, doc)
+      .then(() => next())
+      .catch(next);
+  });
   // TODO, WTF, how to prevent someone from Model.find().remove().exec(); That doesn't
   // fire any remove hooks. Does it fire a find hook?
   schema.pre('remove', function preRemove(next, options) {
@@ -149,13 +165,6 @@ module.exports = (schema, installationOptions) => {
     return this;
   };
 
-  // TODO add tests for this function
-  schema.statics.canCreate = async function canCreate(options) {
-    // Check just the blank document since nothing exists yet
-    const authLevels = await resolveAuthLevel(schema, options, {});
-    return hasPermission(this.schema, authLevels, 'create');
-  };
-
   const allowedMethods = _.get(installationOptions, 'allowedMethods');
   if (!_.includes(allowedMethods, 'create')) {
     schema.statics.create = function cannotCreate() {

src/sanitizeDocumentList.js

@@ -6,7 +6,7 @@ const embedPermissions = require('./embedPermissions');
 async function sanitizeDocument(schema, options, doc) {
   if (!doc) { return; }
 
-  // If there are subschemas that need to be authorized, store a reference to the top
+  // If there are sub-schemas that need to be authorized, store a reference to the top
   // level doc so they have context when doing their authorization checks
   const optionAddition = {};
   if (!options.originalDoc && !_.isEmpty(schema.pathsWithPermissionedSchemas)) {