From 1294bae32b9837288356abb1d6e6662e0ab3b7cb Mon Sep 17 00:00:00 2001
From: Christian Hofmaier
Date: Sat, 23 May 2020 00:04:44 +0000
Subject: [permissionmanager] fix loop in checks for group/client
---
 server/lib/permissions/permissionhelper.js | 67 +++++++++++++++++-------------
 1 file changed, 39 insertions(+), 28 deletions(-)
(limited to 'server/lib')
diff --git a/server/lib/permissions/permissionhelper.js b/server/lib/permissions/permissionhelper.js
index 606820e..65f160d 100644
--- a/server/lib/permissions/permissionhelper.js
+++ b/server/lib/permissions/permissionhelper.js
@@ -94,15 +94,18 @@ async function hasPermissionForGroup (userid, permissionName, groupId) {
 else if (!user.roles[0].permissions[0].groupdependent) return true
 // User has permission, permission is groupdependent, check for group
 else {
- var result = false
- var whitelist = []
- var blacklist = []
- // Fill in white- and blacklist
 for (let i = 0; i < user.roles.length; i++) {
+ var whitelist = []
+ var blacklist = []
+ var blacklistBreak = false
+ // Fill in white- and blacklist
 for (let j = 0; j < user.roles[i].groups.length; j++) {
 if (user.roles[i].groups[j].role_x_group.blacklist) {
- // Shortcut
- if (user.roles[i].groups[j].id === groupId) return false
+ // Shortcut, check next role
+ if (user.roles[i].groups[j].id === groupId) {
+ blacklistBreak = true
+ break
+ }
 blacklist.push(user.roles[i].groups[j].id)
 } else {
 // Shortcut
@@ -110,10 +113,14 @@ async function hasPermissionForGroup (userid, permissionName, groupId) {
 whitelist.push(user.roles[i].groups[j].id)
 }
 }
+ // Break by blacklist, do not check parents
+ if (blacklistBreak) continue
+
+ // Check parents for white-/blacklist entries
+ let result = await checkParents(groupId, whitelist, blacklist)
+ if (result) return true
 }
- // Check parents for white-/blacklist entries.
- result = await checkParents(groupId, whitelist, blacklist)
- return result
+ return false
 }
 }
 
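Review bot: The per-role accumulators added at the top of the `i` loop (`var whitelist = []`, `var blacklist = []`, `var blacklistBreak = false`) are declared with `var`, which is function-scoped and hoisted, so nothing in the syntax says they are reset per role — the reset only holds because every iteration happens to reassign them. Declaring them as `const whitelist = []`, `const blacklist = []` and `let blacklistBreak = false` makes the per-role scope explicit and lets the linter catch accidental reuse across iterations. The comment `// Shortcut, check next role` on the new `break` would be more useful if it said why the role is abandoned: `// Direct blacklist hit on this role: stop collecting, this role cannot grant the group`. hasPermissionForGroup starts and ends outside this hunk.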
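Review bot: With `if (blacklistBreak) continue` a blacklist hit now only disqualifies the role that carries it; a later role whose whitelist (or, via `checkParents`, a whitelisted ancestor) covers the same group still makes the function return true, so blacklists have become role-scoped and "any role grants" wins, whereas the old `return false` made a direct blacklist entry global. If that is the intended policy it should be written down at the spot the next reader will look, above the `continue`: `// A blacklist entry only disqualifies this role; another role that whitelists the group still grants it`. If it is not intended, the direct-blacklist check must remain a hard `return false` taken before any role is allowed to grant. The `let result` temporary can also be folded into `if (await checkParents(groupId, whitelist, blacklist)) return true`. The enclosing function starts outside the hunk.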
@@ -167,16 +174,20 @@ async function hasPermissionForClient (userid, permissionName, clientId) {
 else if (!user.roles[0].permissions[0].groupdependent) return true
 // User has permission, permission is groupdependent, check for client
 else {
- var result = false
- var whitelist = []
- var blacklist = []
- // Fill in white- and blacklist
 for (let i = 0; i < user.roles.length; i++) {
+ var whitelist = []
+ var blacklist = []
+ var blacklistBreak = false
+ var result = false
+ // Fill in white- and blacklist
 for (let j = 0; j < user.roles[i].groups.length; j++) {
 var clients = user.roles[i].groups[j].clients.map(c => c.id)
 if (user.roles[i].groups[j].role_x_group.blacklist) {
 // Shortcut
- if (clients.includes(clientId)) return false
+ if (clients.includes(clientId)) {
+ blacklistBreak = true
+ break
+ }
 blacklist.push(user.roles[i].groups[j].id)
 } else {
 // Remember it was found, check if client is in any blacklisted group on same layer tho.
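Review bot: `var result = false` now sits inside the per-role loop next to `whitelist`, `blacklist` and `blacklistBreak`, but all four are `var` and therefore hoist to function scope, so the per-role reset is by reassignment only; `let result = false` and `const` for the two arrays would make the intent visible and match the `let` already used for the loop counters. The repeated `user.roles[i].groups[j]` lookups in the `j` loop would read better behind a single `const group = user.roles[i].groups[j]` at the top of that loop, with `clients` derived from `group.clients`. Note that the new `break` on a direct blacklist hit discards a `result = true` that the `// Remember it was found` branch presumably set for an earlier whitelisted group of the same role; that is the blacklist-wins-within-a-role rule and deserves a comment at the `break`: `// Blacklist wins over any whitelist in this role; skip the whole role`. hasPermissionForClient starts and ends outside the hunk.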
@@ -184,21 +195,21 @@ async function hasPermissionForClient (userid, permissionName, clientId) {
 whitelist.push(user.roles[i].groups[j].id)
 }
 }
+ if (blacklistBreak) continue
+ // no blacklist shortcut used, but whitelist found
+ if (result) return true
+ // Get groups the client is assigned to
+ var client = await db.client.findOne({
+ where: { id: clientId },
+ include: [{ as: 'groups', model: db.group }]
+ })
+ var groupIds = client.groups.map(g => g.id)
+
+ // Check parents for white-/blacklist entries.
+ result = await checkParents(groupIds, whitelist, blacklist)
+ if (result) return true
 }
-
- // no blacklist shortcut used, but whitelist found
- if (result) return true
-
- // Get groups the client is assigned to
- var client = await db.client.findOne({
- where: { id: clientId },
- include: [{ as: 'groups', model: db.group }]
- })
- var groupIds = client.groups.map(g => g.id)
-
- // Check parents for white-/blacklist entries.
- result = await checkParents(groupIds, whitelist, blacklist)
- return result
+ return false
 }
 }
 
-- 
cgit v1.2.3-55-g7522
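Review bot: Moving `db.client.findOne({ where: { id: clientId }, ... })` into the role loop makes the same query, with the same arguments, run once per role that has no direct hit — the lookup does not depend on `i`, so it belongs before the loop, resolved once. The new position also keeps the pre-existing hole that `client.groups.map(...)` throws a TypeError when the lookup yields no row (presumably `null` for an unknown `clientId`), which turns a permission check into an exception instead of a fail-closed `false`; a single `if (!client) return false` ahead of the loop covers it. The `for` header this has to move above is in the previous hunk, and hasPermissionForClient starts outside this one.
```javascript
      // Resolve the client's group membership once, ahead of the per-role loop
      // (the loop header is in the previous hunk); the query does not depend on the role.
      const client = await db.client.findOne({
        where: { id: clientId },
        include: [{ as: 'groups', model: db.group }]
      })
      // Unknown client id: nothing can be granted, and client.groups would throw on a null row
      if (!client) return false
      const groupIds = client.groups.map(g => g.id)
      for (let i = 0; i < user.roles.length; i++) {
        // … unchanged: white-/blacklist collection, blacklist `continue` and whitelist shortcut …
        result = await checkParents(groupIds, whitelist, blacklist)
        if (result) return true
      }
      return false
```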