Enabling permissions to be updated.

makinde · makinde · commit e98b144e411a · 2019-12-01T16:30:47.000-05:00
This flow was erroring before.
1) Load document with permissions embedded.
2) write to that object
3) have the permissions get updated with post-write permissions

It broke because we were doing a really simple check to make sure we didn't overwrite data. In the case, we want to.

So the checks now only error if we haven't already embedded permissions.
diff --git a/__tests__/embedPermissions.test.js b/__tests__/embedPermissions.test.js
@@ -111,6 +111,12 @@ test('Verify that the permissions data cannot be changed', (t) => {
   const doc = { _id: 'foobar' };
   embedPermissions(t.context.schema, { permissions: true }, ['manager'], doc);
 
+  t.throws(
+    () => { doc.permissions = {}; },
+    Error,
+    'The permissions object shouldn\'t be writable overall',
+  );
+
   t.throws(
     () => { doc.permissions.read = []; },
     Error,
diff --git a/src/embedPermissions.js b/src/embedPermissions.js
@@ -2,29 +2,33 @@ const _ = require('lodash');
 const getAuthorizedFields = require('./getAuthorizedFields');
 const hasPermission = require('./hasPermission');
 
+const embedPermissionsSymbol = Symbol('Embedded Permissions');
+
 function embedPermissions(schema, options, authLevels, doc) {
   if (!schema || !options || !options.permissions || _.isEmpty(doc)) { return; }
 
   const permsKey = options.permissions === true ? 'permissions' : options.permissions;
 
-  if (doc[permsKey]) {
-    // There's already something at the key where we're supposed to inset the permissions
-    // Throw an exception to help the developer avoid this error.
-    throw new Error(`Cannot embed permissions into mongoose document at \`${permsKey}\`because the key is already present in the document. Please specify a custom key.`);
+  if (permsKey in doc) {
+    if (!doc[embedPermissionsSymbol]) {
+      // We haven't embedded permissions, but there is already a value at the path where
+      // we're supposed to insert the permissions. Throw an exception for the developer
+      // knows that something is wrong.
+      throw new Error(`Cannot embed permissions into mongoose document at \`${permsKey}\`because the key is already present in the document. Please specify a custom key.`);
+    }
+  } else {
+    Object.defineProperty(doc, permsKey, {
+      get() { return this[embedPermissionsSymbol]; },
+      set() { throw new Error('Permissions are not writable'); },
+      enumerable: true,
+    });
   }
 
-  Object.defineProperty(doc, permsKey, {
-    value: {
-      read: getAuthorizedFields(schema, authLevels, 'read'),
-      write: getAuthorizedFields(schema, authLevels, 'write'),
-      remove: hasPermission(schema, authLevels, 'remove'),
-    },
-    writable: false,
-    enumerable: true,
+  doc[embedPermissionsSymbol] = Object.freeze({
+    read: getAuthorizedFields(schema, authLevels, 'read'),
+    write: getAuthorizedFields(schema, authLevels, 'write'),
+    remove: hasPermission(schema, authLevels, 'remove'),
   });
-
-  // Freeze the object so this data can't be altered (even accidentally)
-  Object.freeze(doc[permsKey]);
 }
 
 module.exports = embedPermissions;
