summaryrefslogblamecommitdiffstats
path: root/server/lib/permissions/permissionutil.js
blob: fee2181e275bdaca64da4b637fbd8d5030a353d0 (plain) (tree)
1
2
3
4
5
6




                                                                
                                                                                                                      












































































                                                                                                                






















































                                                                                                                                 
/* global __appdir */
const path = require('path')
var db = require(path.join(__appdir, 'lib', 'sequelize'))
var groupUtil = require(path.join(__appdir, 'lib', 'grouputil'))

module.exports = { hasPermission, getAllowedGroups, hasPermissionForGroup, getAllowedClients, hasPermissionForClient }

async function hasPermission (userid, permissionid) {
  var user = await db.user.findOne({
    where: { id: userid, '$roles.permissions.id$': permissionid },
    include: [{ as: 'roles', model: db.role, include: ['permissions'] }]
  })
  return user !== null
}

async function getAllowedGroups (userid, permissionid) {
  var user = await db.user.findOne({
    where: { id: userid, '$roles.permissions.id$': permissionid },
    include: [{ as: 'roles', model: db.role, include: ['permissions', 'groups'] }]
  })
  // User doesn't have the permission
  if (user === null) return []
  // User has permission, permission is not groupdependent
  else if (!user.roles[0].permissions[0].groupdependent) return [0]
  // User has permission, permission is groupdependent
  else {
    var permGrps = []
    for (let i = 0; i < user.roles.length; i++) {
      // Add groups of the roles to the result
      permGrps = permGrps.concat(user.roles[i].groups.map(g => g.id))
      if (user.roles[i].recursiveGroups) {
        // The role is flagged recursive, so add child ids to result
        var subChilds = await groupUtil.getAllChildren(user.roles[i].groups)
        permGrps = permGrps.concat(subChilds.subgroups.map(s => s.id))
      }
    }
    // Filter result for unique entries
    return permGrps.filter(function (elem, pos, arr) { return arr.indexOf(elem) === pos })
  }
}

async function hasPermissionForGroup (userid, permissionid, groupid) {
  var user = await db.user.findOne({
    where: { id: userid, '$roles.permissions.id$': permissionid },
    include: [{ as: 'roles', model: db.role, include: ['permissions', 'groups'] }]
  })
  // User doesn't have permission
  if (user === null) return false
  // User has permission, permission is not groupdependent
  else if (!user.roles[0].permissions[0].groupdependent) return true
  // User has permission, permission is groupdependent, check for group
  else {
    if (user.roles.map(r => r.groups.map(g => g.id)).includes(groupid)) return true
    var permGrps = []
    for (let i = 0; i < user.roles.length; i++) {
      if (user.roles[i].recursiveGroups) permGrps = permGrps.concat(user.roles[i].groups.map(g => g.id))
    }
    permGrps = permGrps.filter(function (elem, pos, arr) { return arr.indexOf(elem) === pos })
    // get all parents of groupId and check if any parentid is in the list of groups of RECURSIVE flagged roles.
    var result = await checkParentsForIds(groupid, permGrps)
    return result
  }
}

async function checkParentsForIds (groupIds, listOfIds) {
  if (listOfIds.length === 0) return false
  if (groupIds.length === 0) return false

  var parentIds = []
  return db.group.findAll({ where: { id: groupIds }, include: ['parents'] }).then(groups => {
    for (let i = 0; i < groups.length; i++) {
      for (let j = 0; j < groups[i].parents.length; j++) {
        var id = groups[i].parents[j].id
        if (listOfIds.includes(id)) return true
        if (!parentIds.includes(id)) parentIds.push(id)
      }
    }
    if (parentIds.length === 0) return false
    return checkParentsForIds(parentIds, listOfIds).then(response => {
      return response
    })
  })
}

async function getAllowedClients (userid, permissionid) {
  var user = await db.user.findOne({
    where: { id: userid, '$roles.permissions.id$': permissionid },
    include: [{ as: 'roles', model: db.role, include: ['permissions', { as: 'groups', model: db.group, include: ['clients'] }] }]
  })
  // User doesn't have the permission
  if (user === null) return []
  // User has permission, permission is not groupdependent
  else if (!user.roles[0].permissions[0].groupdependent) return [0]
  // User has permission, permission is groupdependent
  else {
    var permClients = []
    for (let i = 0; i < user.roles.length; i++) {
      if (user.roles[i].recursiveGroups) {
        // The role is flagged recursive, so add clients of childs to result
        var subChilds = await groupUtil.getAllChildren(user.roles[i].groups)
        permClients = permClients.concat(subChilds.clients.map(c => c.id))
      } else {
        for (let j = 0; j < user.roles[i].groups.length; j++) {
          permClients = permClients.concat(user.roles[i].groups[j].clients.map(c => c.id))
        }
      }
    }
    // Filter result for unique entries
    return permClients.filter(function (elem, pos, arr) { return arr.indexOf(elem) === pos })
  }
}

async function hasPermissionForClient (userid, permissionid, clientid) {
  var user = await db.user.findOne({
    where: { id: userid, '$roles.permissions.id$': permissionid },
    include: [{ as: 'roles', model: db.role, include: ['permissions', { as: 'groups', model: db.group, include: ['clients'] }] }]
  })
  if (user === null) return false
  else if (!user.roles[0].permissions[0].groupdependent) return true
  else {
    var permGrps = []
    for (let i = 0; i < user.roles.length; i++) {
      for (let j = 0; j < user.roles[i].groups.length; j++) {
        var groupClients = user.roles[i].groups[j].clients.map(c => c.id)
        if (groupClients.includes(clientid)) return true
      }
      if (user.roles[i].recursiveGroups) permGrps = permGrps.concat(user.roles[i].groups.map(g => g.id))
    }
    permGrps = permGrps.filter(function (elem, pos, arr) { return arr.indexOf(elem) === pos })
    var client = await db.client.findOne({
      where: { id: clientid },
      include: [{ as: 'groups', model: db.group }]
    })
    var groupids = client.groups.map(g => g.id)
    var result = await checkParentsForIds(groupids, permGrps)
    return result
  }
}