1 | const httpError = require('http-errors')
// True for null/undefined, for non-objects (which expose no own keys) and for
// objects without own enumerable properties.
const isEmpty = value => value == null || Object.keys(value).length === 0
3 | const pick = require('lodash.pick')
4 | const omit = require('lodash.omit')
5 |
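/**
 * Objection.js plugin factory. The returned plugin wraps a Model so that every
 * write on an authorized query is ACL-checked and reduced to the permitted
 * fields, and every read on an authorized query is filtered to the fields the
 * user may see.
 *
 * @param {object} acl - ACL instance handed verbatim to the adapter in ./lib/<library>
 * @param {string} [library='role-acl'] - name of the adapter module under ./lib
 * @param {object} [opts] - overrides for `defaultOpts` below; `_opts` in the
 *   query context (and therefore the adapter) sees the merged result
 * @returns {function(Model): Model} plugin taking a Model class and returning a
 *   subclass whose QueryBuilder enforces the ACL once `.authorize()` is called
 * @throws {Error} when `acl` is missing, or when called with the pre-v3
 *   `(acl, opts)` signature
 */
module.exports = (acl, library = 'role-acl', opts) => {
  if (!acl) throw new Error('acl is a required parameter!')
  // Pre-v3 callers passed (acl, opts); a second positional object is that mistake.
  if (typeof library === 'object') {
    throw new Error(
      'objection-authorize@3 now has the signature (acl, library, opts)'
    )
  }

  const defaultOpts = {
    // Role assumed for a missing/roleless user; failures under it map to
    // `unauthenticatedErrorCode`, everything else to `unauthorizedErrorCode`.
    defaultRole: 'anonymous',
    unauthenticatedErrorCode: 401,
    unauthorizedErrorCode: 403,
    // false | true | (user, result) => boolean — see runAfter below.
    userFromResult: false,
    // The three options below are only forwarded to the adapter via `_opts`;
    // their semantics live in ./lib/<library>.
    contextKey: 'req',
    roleFromUser: user => user.role,
    resourceAugments: { true: true, false: false, undefined: undefined }
  }
  // Merge into a fresh object so neither the defaults nor the caller's opts
  // object is mutated.
  opts = Object.assign({}, defaultOpts, opts)

  // The adapter answers the four generic questions used below (getAccess,
  // isAuthorized, pickFields, omitFields) for the chosen ACL library. `library`
  // is interpolated into a module path, so keep it to static configuration.
  const lib = require(`./lib/${library}`)

  return Model => {
    class AuthQueryBuilder extends Model.QueryBuilder {
      // Checks only run on queries that went through `.authorize()`.
      get _shouldCheckAccess () {
        return this.context()._authorize
      }

      // Keep the resource under test in context as a model instance so the
      // adapter can rely on model methods; plain objects are converted without
      // validation (they may be partial).
      set _resource (_resource) {
        if (!_resource || !_resource.$query) {
          _resource = this.modelClass().fromJson(_resource, {
            skipValidation: true
          })
        }
        this.mergeContext({ _resource })
      }

      /**
       * Ask the ACL whether the context user may perform `action` on the
       * context resource.
       *
       * @param {string} action - implied verb; an explicit `.action()` on the
       *   query overrides it
       * @param {object} [body] - payload of the write, passed to the adapter
       * @returns {*} the adapter's access object, or `body` untouched when the
       *   query is not authorized-mode (so callers can pass it through)
       * @throws {HttpError} with `unauthenticatedErrorCode` when the user still
       *   has the default role, `unauthorizedErrorCode` otherwise
       */
      _checkAccess (action, body) {
        if (!this._shouldCheckAccess) return body

        const {
          _user: user,
          _resource: resource,
          _opts: opts,
          _action
        } = this.context()

        action = _action || action

        const access = lib.getAccess(acl, user, resource, action, body, opts)

        if (!lib.isAuthorized(access, action, resource)) {
          throw httpError(
            user.role === opts.defaultRole
              ? opts.unauthenticatedErrorCode
              : opts.unauthorizedErrorCode
          )
        }

        return access
      }

      /**
       * Authorize `action` and reduce the write payload to the fields the ACL
       * allows, before anything reaches the database.
       *
       * @param {string} action - 'create' or 'update' from the overrides below
       * @param {object} body - write payload; never mutated (pick/omit copy)
       * @returns {object} the filtered body, or `body` when not in authorized mode
       */
      _filterBody (action, body) {
        if (!this._shouldCheckAccess) return body

        const access = this._checkAccess(action, body)
        const { _resource: resource } = this.context()

        const pickFields = lib.pickFields(access, action, resource)
        const omitFields = lib.omitFields(access, action, resource)

        if (pickFields.length) body = pick(body, pickFields)
        if (omitFields.length) body = omit(body, omitFields)

        return body
      }

      // Every write verb routes its payload through the ACL filter.
      insert (body) {
        return super.insert(this._filterBody('create', body))
      }

      insertAndFetch (body) {
        return super.insertAndFetch(this._filterBody('create', body))
      }

      patch (body) {
        return super.patch(this._filterBody('update', body))
      }

      patchAndFetch (body) {
        return super.patchAndFetch(this._filterBody('update', body))
      }

      patchAndFetchById (id, body) {
        return super.patchAndFetchById(id, this._filterBody('update', body))
      }

      update (body) {
        return super.update(this._filterBody('update', body))
      }

      updateAndFetch (body) {
        return super.updateAndFetch(this._filterBody('update', body))
      }

      updateAndFetchById (id, body) {
        return super.updateAndFetchById(id, this._filterBody('update', body))
      }

      // Deletes carry no payload to filter, but the action itself is still
      // checked; `body` only gives the adapter context for that decision.
      delete (body) {
        this._checkAccess('delete', body)
        return super.delete()
      }

      deleteById (id, body) {
        this._checkAccess('delete', body)
        return super.deleteById(id)
      }

      // Override the verb implied by the query method (e.g. a custom action).
      action (_action) {
        this.mergeContext({ _action })
        return this
      }

      // Remember that a single row is expected so runAfter can derive the
      // resource from it.
      first () {
        this.mergeContext({ _first: true })
        return super.first()
      }

      /**
       * Turn on authorization for this query.
       *
       * @param {object} [user] - acting user; a missing role falls back to
       *   `opts.defaultRole`
       * @param {object} [resource] - resource being acted on; defaults to the
       *   instance the query was started from (`$query`/`$relatedQuery`), else {}
       * @param {object} [optOverride] - per-query option overrides
       * @returns {AuthQueryBuilder} this, for chaining
       */
      authorize (user, resource, optOverride) {
        resource = resource || this.context()._instance || {}
        this._resource = resource
        this.mergeContext({
          _user: Object.assign({ role: opts.defaultRole }, user),
          _opts: Object.assign({}, opts, optOverride),
          _authorize: true
        })
          .runBefore(async (result, query) => {
            // Reads against a known resource are authorized before the query
            // runs, so forbidden lookups fail fast; the access object is kept
            // under `_readAccess` for runAfter to reuse.
            if (query.isFind() && !isEmpty(resource)) {
              const readAccess = query._checkAccess('read')
              query.mergeContext({ _readAccess: readAccess })
            }

            return result
          })
          .runAfter(async (result, query) => {
            // Counts (patch/delete), undefined (not found) and null carry no
            // fields to filter.
            if (
              result === null ||
              typeof result !== 'object' ||
              !query._shouldCheckAccess
            ) {
              return result
            }

            const isArray = Array.isArray(result)

            let {
              _resource: resource,
              _first: first,
              _opts: opts,
              _user: user,
              _readAccess: readAccess
            } = query.context()

            // No explicit resource: a single-row result (or the row of a
            // `.first()` query) becomes the resource the read filter is
            // evaluated against.
            if (isEmpty(resource) && (!isArray || first)) {
              resource = isArray ? result[0] : result
              resource = query.modelClass().fromJson(resource, {
                skipValidation: true
              })
              query.mergeContext({ _resource: resource })
            }

            // Optionally treat the row just written as the acting user (a
            // function-valued `userFromResult` decides per result) and
            // re-evaluate read access for that user.
            if (
              (query.isInsert() || query.isUpdate()) &&
              !isArray &&
              opts.userFromResult
            ) {
              const resultIsUser =
                typeof opts.userFromResult === 'function'
                  ? opts.userFromResult(user, result)
                  : true

              if (resultIsUser) {
                query.mergeContext({ _user: result })
                readAccess = query._checkAccess('read')
              }
            }

            // When runBefore could not compute read access (resource unknown
            // at that point), check now; this still throws 401/403 on denial.
            readAccess = readAccess || query._checkAccess('read')

            return isArray
              ? result.map(model => model._filterModel(readAccess))
              : result._filterModel(readAccess)
          })

        return this
      }
    }

    // Model subclass whose queries use AuthQueryBuilder and whose instances can
    // trim themselves to the readable field set.
    return class extends Model {
      // Apply the read allow/deny field lists to this instance in place.
      _filterModel (readAccess) {
        const pickFields = lib.pickFields(readAccess, 'read', this)
        const omitFields = lib.omitFields(readAccess, 'read', this)

        if (pickFields.length) this.$pick(pickFields)
        if (omitFields.length) this.$omit(omitFields)

        return this
      }

      // Instance queries remember their instance so `.authorize()` can default
      // the resource to it.
      $query (trx) {
        return super.$query(trx).mergeContext({ _instance: this })
      }

      $relatedQuery (relation, trx) {
        return super
          .$relatedQuery(relation, trx)
          .mergeContext({ _instance: this })
      }

      static get QueryBuilder () {
        return AuthQueryBuilder
      }
    }
  }
}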