authorChristian Hofmaier2020-03-29 17:54:49 +0200
committerChristian Hofmaier2020-03-29 17:54:49 +0200
commitaa59e531bd334189a631756334fcedae8fb70e05 (patch)
tree82ad58f01f784c4b54019b93438b6ebbb9cd834f
parent[eventmanager] fix lang tag delete modal (diff)
[permissionmanager] allow whitelist inside blacklist
-rw-r--r--server/lib/permissions/permissionhelper.js47
1 files changed, 27 insertions, 20 deletions
diff --git a/server/lib/permissions/permissionhelper.js b/server/lib/permissions/permissionhelper.js
index 8e6b7cb..175f0a1 100644
--- a/server/lib/permissions/permissionhelper.js
+++ b/server/lib/permissions/permissionhelper.js
@@ -101,22 +101,18 @@ async function hasPermissionForGroup (userid, permissionName, groupId) {
for (let i = 0; i < user.roles.length; i++) {
for (let j = 0; j < user.roles[i].groups.length; j++) {
if (user.roles[i].groups[j].role_x_group.blacklist) {
+ // Shortcut
+ if (user.roles[i].groups[j].id === groupId) return false
blacklist.push(user.roles[i].groups[j].id)
} else {
+ // Shortcut
+ if (user.roles[i].groups[j].id === groupId) return true
whitelist.push(user.roles[i].groups[j].id)
}
}
}
- // Shortcut
- if (blacklist.includes(groupId)) {
- return false
- }
- // Remember it was found, check if any parent is in the blacklist tho.
- if (whitelist.includes(groupId)) {
- result = true
- }
// Check parents for white-/blacklist entries.
- result = await checkParents(groupId, whitelist, blacklist, result)
+ result = await checkParents(groupId, whitelist, blacklist)
return result
}
}
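Review bot: The whitelist shortcut `if (user.roles[i].groups[j].id === groupId) return true` returns from inside the role loop, so a blacklist entry for the same group held by a later role is never reached and the answer depends on role order. The removed code tested `blacklist.includes(groupId)` before the whitelist, and hasPermissionForClient in the next hunk still defers its whitelist hit until after the loop (`if (result) return true`). Keeping the blacklist `return false` inside the loop and moving the allow decision after it, `if (whitelist.includes(groupId)) return true`, restores deny-over-allow for entries on the same layer. The body of hasPermissionForGroup starts outside the hunk, so how `user.roles` is ordered is not visible here.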
@@ -183,46 +179,57 @@ async function hasPermissionForClient (userid, permissionName, clientId) {
if (clients.includes(clientId)) return false
blacklist.push(user.roles[i].groups[j].id)
} else {
- // Remember it was found, check if any parent is in the blacklist tho.
+ // Remember it was found, check if client is in any blacklisted group on same layer tho.
if (clients.includes(clientId)) result = true
whitelist.push(user.roles[i].groups[j].id)
}
}
}
+
+ // no blacklist shortcut used, but whitelist found
+ if (result) return true
+
// Get groups the client is assigned to
var client = await db.client.findOne({
where: { id: clientId },
include: [{ as: 'groups', model: db.group }]
})
var groupIds = client.groups.map(g => g.id)
+
// Check parents for white-/blacklist entries.
- result = await checkParents(groupIds, whitelist, blacklist, result)
+ result = await checkParents(groupIds, whitelist, blacklist)
return result
}
}
// Check if parents of groupIds are in the whitelist / blacklist
-async function checkParents (groupIds, whitelist, blacklist, result) {
- // No whitelist means the group cant be in one
+// Whitelist returns true, blacklist or no parent in either list returns false
+async function checkParents (groupIds, whitelist, blacklist) {
+ // No whitelist means the group can't be in one
if (whitelist.length === 0) return false
- // No blacklist means the result can't be changed once it's true
- if (blacklist.length === 0 && result) return true
+ var result = false
var parentIds = []
var groups = await db.group.findAll({ where: { id: groupIds }, include: ['parents'] })
+
for (let i = 0; i < groups.length; i++) {
for (let j = 0; j < groups[i].parents.length; j++) {
var id = groups[i].parents[j].id
- // blacklisted
+ // Parent is blacklisted
if (blacklist.includes(id)) return false
- // Remember, but a further parent can still be blacklisted, so continue.
+ // Parent is whitelisted, continue loop to see if another parent on SAME LAYER is blacklisted, as blacklisted > whitelisted
if (whitelist.includes(id)) result = true
if (!parentIds.includes(id)) parentIds.push(id)
}
}
- // No further parents found, result is the result.
- if (parentIds.length === 0) return result
+
+ // A parent is whitelisted
+ if (result) return true
+
+ // No further parents found
+ if (parentIds.length === 0) return false
+
// Check next layer of parents
- result = await checkParents(parentIds, whitelist, blacklist, result)
+ result = await checkParents(parentIds, whitelist, blacklist)
return result
}
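Review bot: checkParents recurses until a layer hits a list entry or has no parents, and nothing in it records which group ids were already visited. If the group hierarchy can ever contain a cycle (the hunk does not show whether the schema forbids it), a check for a group with no listed ancestor would never terminate and would issue one `db.group.findAll` per round. An optional `visited = []` parameter, the test `if (!visited.includes(id) && !parentIds.includes(id)) parentIds.push(id)`, and passing `visited.concat(groupIds)` on the recursive call would bound the walk without changing the result for acyclic data. The header comment could also state the precedence the code now implements: the nearest layer with any entry decides, and within a layer a blacklisted parent wins over a whitelisted one.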