authorChristian Hofmaier2020-05-23 02:04:44 +0200
committerChristian Hofmaier2020-05-23 02:04:44 +0200
commit1294bae32b9837288356abb1d6e6662e0ab3b7cb (patch)
tree5a75bd9afbba9332d033ec9d39f7f2f0f2985b00
parent[webapp/external-backends] Remove step 3 from stepper & eslint fixes (diff)
[permissionmanager] fix loop in checks for group/client
-rw-r--r--server/lib/permissions/permissionhelper.js67
1 files changed, 39 insertions, 28 deletions
diff --git a/server/lib/permissions/permissionhelper.js b/server/lib/permissions/permissionhelper.js
index 606820e..65f160d 100644
--- a/server/lib/permissions/permissionhelper.js
+++ b/server/lib/permissions/permissionhelper.js
@@ -94,15 +94,18 @@ async function hasPermissionForGroup (userid, permissionName, groupId) {
else if (!user.roles[0].permissions[0].groupdependent) return true
// User has permission, permission is groupdependent, check for group
else {
- var result = false
- var whitelist = []
- var blacklist = []
- // Fill in white- and blacklist
for (let i = 0; i < user.roles.length; i++) {
+ var whitelist = []
+ var blacklist = []
+ var blacklistBreak = false
+ // Fill in white- and blacklist
for (let j = 0; j < user.roles[i].groups.length; j++) {
if (user.roles[i].groups[j].role_x_group.blacklist) {
- // Shortcut
- if (user.roles[i].groups[j].id === groupId) return false
+ // Shortcut, check next role
+ if (user.roles[i].groups[j].id === groupId) {
+ blacklistBreak = true
+ break
+ }
blacklist.push(user.roles[i].groups[j].id)
} else {
// Shortcut
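Review bot: The blacklist branch no longer denies. When the blacklisted entry matches `groupId`, `blacklistBreak` only skips that role, whereas the removed line returned false for the whole check. A user who holds a second role that whitelists the group or one of its parents is now granted access despite the explicit blacklist entry, and the hasPermissionForClient hunk makes the same change. If allow-across-roles is the intended precedence, say so above the role loop, for example `// Roles are evaluated independently: a blacklist entry only disables its own role, any other role may still grant`, and pin the two-role case with a test. The function body starts and ends outside this hunk.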
@@ -110,10 +113,14 @@ async function hasPermissionForGroup (userid, permissionName, groupId) {
whitelist.push(user.roles[i].groups[j].id)
}
}
+ // Break by blacklist, do not check parents
+ if (blacklistBreak) continue
+
+ // Check parents for white-/blacklist entries
+ let result = await checkParents(groupId, whitelist, blacklist)
+ if (result) return true
}
- // Check parents for white-/blacklist entries.
- result = await checkParents(groupId, whitelist, blacklist)
- return result
+ return false
}
}
@@ -167,16 +174,20 @@ async function hasPermissionForClient (userid, permissionName, clientId) {
else if (!user.roles[0].permissions[0].groupdependent) return true
// User has permission, permission is groupdependent, check for client
else {
- var result = false
- var whitelist = []
- var blacklist = []
- // Fill in white- and blacklist
for (let i = 0; i < user.roles.length; i++) {
+ var whitelist = []
+ var blacklist = []
+ var blacklistBreak = false
+ var result = false
+ // Fill in white- and blacklist
for (let j = 0; j < user.roles[i].groups.length; j++) {
var clients = user.roles[i].groups[j].clients.map(c => c.id)
if (user.roles[i].groups[j].role_x_group.blacklist) {
// Shortcut
- if (clients.includes(clientId)) return false
+ if (clients.includes(clientId)) {
+ blacklistBreak = true
+ break
+ }
blacklist.push(user.roles[i].groups[j].id)
} else {
// Remember it was found, check if client is in any blacklisted group on same layer tho.
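Review bot: The per-role state (`whitelist`, `blacklist`, `blacklistBreak`, `result`) is declared with `var` inside the `for` body, so it is function-scoped and is reset per role only because each declaration also assigns. Block-scoped declarations would make the reset explicit and match the `let result` in hasPermissionForGroup: `let blacklistBreak = false` and `let result = false`, with the two lists as `const`. The `// Shortcut` comment above the blacklist test could also read `// Shortcut, check next role`, as in the group variant. The loop body continues outside this hunk.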
@@ -184,21 +195,21 @@ async function hasPermissionForClient (userid, permissionName, clientId) {
whitelist.push(user.roles[i].groups[j].id)
}
}
+ if (blacklistBreak) continue
+ // no blacklist shortcut used, but whitelist found
+ if (result) return true
+ // Get groups the client is assigned to
+ var client = await db.client.findOne({
+ where: { id: clientId },
+ include: [{ as: 'groups', model: db.group }]
+ })
+ var groupIds = client.groups.map(g => g.id)
+
+ // Check parents for white-/blacklist entries.
+ result = await checkParents(groupIds, whitelist, blacklist)
+ if (result) return true
}
-
- // no blacklist shortcut used, but whitelist found
- if (result) return true
-
- // Get groups the client is assigned to
- var client = await db.client.findOne({
- where: { id: clientId },
- include: [{ as: 'groups', model: db.group }]
- })
- var groupIds = client.groups.map(g => g.id)
-
- // Check parents for white-/blacklist entries.
- result = await checkParents(groupIds, whitelist, blacklist)
- return result
+ return false
}
}
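Review bot: The `db.client.findOne` lookup now sits inside the role loop, so the same client row and its groups are fetched once per role although the result depends only on `clientId`. The moved code also still dereferences `client.groups` without a null check. If `findOne` resolves to null for an unknown id (as Sequelize does), the permission check throws instead of denying, and whether that fails closed depends on the caller, which is not visible here. Fetching the groups lazily once and returning false for a missing client covers both. The function starts outside this hunk, so `groupIds` would be declared before the loop there.

```javascript
// declared once, before the role loop
let groupIds = null
for (let i = 0; i < user.roles.length; i++) {
  // … unchanged: white-/blacklist collection, blacklistBreak and whitelist shortcut …
  if (groupIds === null) {
    // The client's groups do not depend on the role, so look them up once.
    const client = await db.client.findOne({
      where: { id: clientId },
      include: [{ as: 'groups', model: db.group }]
    })
    // Unknown client: deny explicitly instead of throwing on client.groups.
    if (!client) return false
    groupIds = client.groups.map(g => g.id)
  }
  result = await checkParents(groupIds, whitelist, blacklist)
  if (result) return true
}
```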