Upgrade permissions (#22)

makinde · web-flow · commit 8cb26a88ff07 · 2018-10-22T14:55:44.000-07:00
* Making the permissions key unwritable

We'll be able to trust it more that way

* Document.save and Document.remove now check for embedded permissions first
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,6 @@
 # 2.0.0
 
 - Removing the ability to call Model.remove() and Model.create() since those aren't compatible with how this library works.
--
+- Muuuuch better tests
+- Embedded permissions object cannot be overwritten
+- When a document has embedded permissions, those permissions will be checks when a save or remove is being done. That way someone cannot write to an object in a way that changes their permssions and then try to save it.
diff --git a/__tests__/embedPermissions.test.js b/__tests__/embedPermissions.test.js
@@ -121,4 +121,10 @@ test('Verify that the permissions data cannot be changed', (t) => {
     Error,
     'The permissions object shouldn\'t be writable [remove]',
   );
+
+  t.throws(
+    () => { doc.permissions = {}; },
+    Error,
+    'The permissions field should not be writable',
+  );
 });
diff --git a/__tests__/getEmbeddedPermission.test.js b/__tests__/getEmbeddedPermission.test.js
@@ -0,0 +1,3 @@
+const test = require('ava');
+
+test.todo('Write tests for getEmbeddedPermissions');
diff --git a/index.js b/index.js
@@ -5,17 +5,25 @@ const authIsDisabled = require('./src/authIsDisabled');
 const sanitizeDocumentList = require('./src/sanitizeDocumentList');
 const getUpdatePaths = require('./src/getUpdatePaths');
 const resolveAuthLevel = require('./src/resolveAuthLevel');
+const getEmbeddedPermission = require('./src/getEmbeddedPermission');
 const PermissionDeniedError = require('./src/PermissionDeniedError');
 const IncompatibleMethodError = require('./src/IncompatibleMethodError');
 
 module.exports = (schema, installationOptions) => {
   async function save(doc, options) {
-    const authLevels = await resolveAuthLevel(schema, options, doc);
-    if (doc.isNew && !hasPermission(schema, authLevels, 'create')) {
+    let authorizedFields = getEmbeddedPermission(doc, options, 'write');
+    let canCreate = false;
+
+    if (authorizedFields === undefined) {
+      const authLevels = await resolveAuthLevel(schema, options, doc);
+      authorizedFields = getAuthorizedFields(schema, authLevels, 'write');
+      canCreate = hasPermission(schema, authLevels, 'create');
+    }
+
+    if (doc.isNew && !canCreate) {
       throw new PermissionDeniedError('create');
     }
 
-    const authorizedFields = getAuthorizedFields(schema, authLevels, 'write');
     const modifiedPaths = doc.modifiedPaths();
     const discrepancies = _.difference(modifiedPaths, authorizedFields);
 
@@ -32,8 +40,14 @@ module.exports = (schema, installationOptions) => {
   }
 
   async function removeDoc(doc, options) {
-    const authLevels = await resolveAuthLevel(schema, options, doc);
-    if (!hasPermission(schema, authLevels, 'remove')) {
+    let canRemove = getEmbeddedPermission(doc, options, 'remove');
+
+    if (canRemove === undefined) {
+      const authLevels = await resolveAuthLevel(schema, options, doc);
+      canRemove = hasPermission(schema, authLevels, 'remove');
+    }
+
+    if (!canRemove) {
       throw new PermissionDeniedError('remove');
     }
   }
diff --git a/src/embedPermissions.js b/src/embedPermissions.js
@@ -12,11 +12,14 @@ function embedPermissions(schema, options, authLevels, doc) {
     throw new Error(`Cannot embed permissions into mongoose document at \`${permsKey}\`because the key is already present in the document. Please specify a custom key.`);
   }
 
-  doc[permsKey] = {
-    read: getAuthorizedFields(schema, authLevels, 'read'),
-    write: getAuthorizedFields(schema, authLevels, 'write'),
-    remove: hasPermission(schema, authLevels, 'remove'),
-  };
+  Object.defineProperty(doc, permsKey, {
+    value: {
+      read: getAuthorizedFields(schema, authLevels, 'read'),
+      write: getAuthorizedFields(schema, authLevels, 'write'),
+      remove: hasPermission(schema, authLevels, 'remove'),
+    },
+    writable: false,
+  });
 
   // Freeze the object so this data can't be altered (even accidentally)
   Object.freeze(doc[permsKey]);
diff --git a/src/getEmbeddedPermission.js b/src/getEmbeddedPermission.js
@@ -0,0 +1,10 @@
+const _ = require('lodash');
+
+module.exports = function getEmbeddedPermission(doc, options, action) {
+  let permsKey = 'permissions';
+  if (options.permissions && options.permissions !== true) {
+    permsKey = options.permissions;
+  }
+
+  return _.get(doc, `${permsKey}.${action}`);
+};

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+const test = require('ava');`
	`2`	`+`
	`3`	`+test.todo('Write tests for getEmbeddedPermissions');`