authorChristian Hofmaier2019-01-14 03:18:03 +0100
committerChristian Hofmaier2019-01-14 03:18:03 +0100
commit3992a6221201276ed6e6574d7a03650c2f0d8536 (patch)
tree199539d20fae07f1fcab06f321b87d9e0a6cac0d /server/lib/permissions
parent[server] eslint fixes (diff)
Add permission functions for groups
Diffstat (limited to 'server/lib/permissions')
-rw-r--r--server/lib/permissions/permissionutil.js83
1 files changed, 83 insertions, 0 deletions
diff --git a/server/lib/permissions/permissionutil.js b/server/lib/permissions/permissionutil.js
new file mode 100644
index 0000000..790739a
--- /dev/null
+++ b/server/lib/permissions/permissionutil.js
@@ -0,0 +1,83 @@
+/* global __appdir */
+const path = require('path')
+var db = require(path.join(__appdir, 'lib', 'sequelize'))
+var groupUtil = require(path.join(__appdir, 'lib', 'grouputil'))
+
+module.exports = { hasPermission, getAllowedGroups, hasPermissionForGroup }
+
+async function hasPermission (userid, permissionid) {
+ var user = await db.user.findOne({
+ where: { id: userid, '$roles.permissions.id$': permissionid },
+ include: [{ as: 'roles', model: db.role, include: ['permissions'] }]
+ })
+ return user !== null
+}
+
+async function getAllowedGroups (userid, permissionid) {
+ var user = await db.user.findOne({
+ where: { id: userid, '$roles.permissions.id$': permissionid },
+ include: [{ as: 'roles', model: db.role, include: ['permissions', 'groups'] }]
+ })
+ // User doesn't have the permission
+ if (user === null) return []
+ // User has permission, permission is not groupdependent
+ else if (!user.roles[0].permissions[0].groupdependent) return [0]
+ // User has permission, permission is groupdependent
+ else {
+ var permGrps = []
+ for (let i = 0; i < user.roles.length; i++) {
+ // Add groups of the roles to the result
+ permGrps = permGrps.concat(user.roles[i].groups.map(g => g.id))
+ if (user.roles[i].recursiveGroups) {
+ // The role is flagged recursive, so add child ids to result
+ var subChilds = await groupUtil.getAllChildren(user.roles[i].groups)
+ permGrps = permGrps.concat(subChilds.subgroups.map(s => s.id))
+ }
+ }
+ // Filter result for unique entries
+ return permGrps.filter(function (elem, pos, arr) { return arr.indexOf(elem) === pos })
+ }
+}
+
+async function hasPermissionForGroup (userid, permissionid, groupid) {
+ var user = await db.user.findOne({
+ where: { id: userid, '$roles.permissions.id$': permissionid },
+ include: [{ as: 'roles', model: db.role, include: ['permissions', 'groups'] }]
+ })
+ // User doesn't have permission
+ if (user === null) return false
+ // User has permission, permission is not groupdependent
+ else if (!user.roles[0].permissions[0].groupdependent) return true
+ // User has permission, permission is groupdependent, check for group
+ else {
+ if (user.roles.map(r => r.groups.map(g => g.id)).includes(groupid)) return true
+ var permGrps = []
+ for (let i = 0; i < user.roles.length; i++) {
+ if (user.roles[i].recursiveGroups) permGrps = permGrps.concat(user.roles[i].groups.map(g => g.id))
+ }
+ permGrps = permGrps.filter(function (elem, pos, arr) { return arr.indexOf(elem) === pos })
+ // get all parents of groupId and check if any parentid is in the list of groups of RECURSIVE flagged roles.
+ var result = await checkParentsForIds(groupid, permGrps)
+ return result
+ }
+}
+
+async function checkParentsForIds (groupIds, listOfIds) {
+ if (listOfIds.length === 0) return false
+ if (groupIds.length === 0) return false
+
+ var parentIds = []
+ return db.group.findAll({ where: { id: groupIds }, include: ['parents'] }).then(groups => {
+ for (let i = 0; i < groups.length; i++) {
+ for (let j = 0; j < groups[i].parents.length; j++) {
+ var id = groups[i].parents[j].id
+ if (listOfIds.includes(id)) return true
+ if (!parentIds.includes(id)) parentIds.push(id)
+ }
+ }
+ if (parentIds.length === 0) return false
+ return checkParentsForIds(parentIds, listOfIds).then(response => {
+ return response
+ })
+ })
+}
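Review bot: In `hasPermissionForGroup`, the direct-membership check `user.roles.map(r => r.groups.map(g => g.id)).includes(groupid)` can never be true, because the outer `map` yields an array of id arrays and `includes` compares each inner array against the scalar `groupid`. As written, a group-dependent permission is granted only through the parent walk in `checkParentsForIds`, which looks at the parents of `groupid` but not at `groupid` itself, so a role assigned directly to the requested group appears to be denied. A replacement that compares the ids themselves would be `if (user.roles.some(r => r.groups.some(g => g.id === groupid))) return true`; this assumes `groupid` arrives with the same type as `g.id`, which the caller should guarantee before an authorization decision is made on it. Separately, `checkParentsForIds` de-duplicates parent ids only within one level, so a cycle in the parent relation would recurse without end; passing a set of already visited ids through the recursive call would bound it.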