From aa59e531bd334189a631756334fcedae8fb70e05 Mon Sep 17 00:00:00 2001
From: Christian Hofmaier
Date: Sun, 29 Mar 2020 15:54:49 +0000
Subject: [permissionmanager] allow whitelist inside blacklist
---
 server/lib/permissions/permissionhelper.js | 47 +++++++++++++++++-------------
 1 file changed, 27 insertions(+), 20 deletions(-)
(limited to 'server')
diff --git a/server/lib/permissions/permissionhelper.js b/server/lib/permissions/permissionhelper.js
index 8e6b7cb..175f0a1 100644
--- a/server/lib/permissions/permissionhelper.js
+++ b/server/lib/permissions/permissionhelper.js
@@ -101,22 +101,18 @@ async function hasPermissionForGroup (userid, permissionName, groupId) {
 for (let i = 0; i < user.roles.length; i++) {
 for (let j = 0; j < user.roles[i].groups.length; j++) {
 if (user.roles[i].groups[j].role_x_group.blacklist) {
+ // Shortcut
+ if (user.roles[i].groups[j].id === groupId) return false
 blacklist.push(user.roles[i].groups[j].id)
 } else {
+ // Shortcut
+ if (user.roles[i].groups[j].id === groupId) return true
 whitelist.push(user.roles[i].groups[j].id)
 }
 }
 }
- // Shortcut
- if (blacklist.includes(groupId)) {
- return false
- }
- // Remember it was found, check if any parent is in the blacklist tho.
- if (whitelist.includes(groupId)) {
- result = true
- }
 // Check parents for white-/blacklist entries.
- result = await checkParents(groupId, whitelist, blacklist, result)
+ result = await checkParents(groupId, whitelist, blacklist)
 return result
 }
 }
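Review bot: The added `return true` in the `else` branch (the whitelist shortcut) makes the direct-group decision depend on role iteration order: a user whose roles both whitelist and blacklist `groupId` is granted access whenever the whitelisting role is visited first, whereas the removed post-loop check consulted the blacklist first, and the `checkParents` comment added by this same commit states that blacklist beats whitelist on the same layer. The `return false` in the blacklist branch is fine, since a deny may short-circuit; only the allow side has to wait until both loops have finished. Drop the two added lines in the `else` branch and, after the loops close, add `// Direct whitelist counts only once no direct blacklist entry was seen` followed by `if (whitelist.includes(groupId)) return true`, mirroring the `if (result) return true` pattern hasPermissionForClient uses in the next hunk. The start of hasPermissionForGroup lies before this hunk, so where `result` and the two lists are initialised is not visible here.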
@@ -183,46 +179,57 @@ async function hasPermissionForClient (userid, permissionName, clientId) {
 if (clients.includes(clientId)) return false
 blacklist.push(user.roles[i].groups[j].id)
 } else {
- // Remember it was found, check if any parent is in the blacklist tho.
+ // Remember it was found, check if client is in any blacklisted group on same layer tho.
 if (clients.includes(clientId)) result = true
 whitelist.push(user.roles[i].groups[j].id)
 }
 }
 }
+
+ // no blacklist shortcut used, but whitelist found
+ if (result) return true
+
 // Get groups the client is assigned to
 var client = await db.client.findOne({ where: { id: clientId }, include: [{ as: 'groups', model: db.group }] })
 var groupIds = client.groups.map(g => g.id)
+
 // Check parents for white-/blacklist entries.
- result = await checkParents(groupIds, whitelist, blacklist, result)
+ result = await checkParents(groupIds, whitelist, blacklist)
 return result
 }
 }
 // Check if parents of groupIds are in the whitelist / blacklist
-async function checkParents (groupIds, whitelist, blacklist, result) {
- // No whitelist means the group cant be in one
+// Whitelist returns true, blacklist or no parent in either list returns false
+async function checkParents (groupIds, whitelist, blacklist) {
+ // No whitelist means the group can't be in one
 if (whitelist.length === 0) return false
- // No blacklist means the result can't be changed once it's true
- if (blacklist.length === 0 && result) return true
+ var result = false
 var parentIds = []
 var groups = await db.group.findAll({ where: { id: groupIds }, include: ['parents'] })
+
 for (let i = 0; i < groups.length; i++) {
 for (let j = 0; j < groups[i].parents.length; j++) {
 var id = groups[i].parents[j].id
- // blacklisted
+ // Parent is blacklisted
 if (blacklist.includes(id)) return false
- // Remember, but a further parent can still be blacklisted, so continue.
+ // Parent is whitelisted, continue loop to see if another parent on SAME LAYER is blacklisted, as blacklisted > whitelisted
 if (whitelist.includes(id)) result = true
 if (!parentIds.includes(id)) parentIds.push(id)
 }
 }
- // No further parents found, result is the result.
- if (parentIds.length === 0) return result
+
+ // A parent is whitelisted
+ if (result) return true
+
+ // No further parents found
+ if (parentIds.length === 0) return false
+
 // Check next layer of parents
- result = await checkParents(parentIds, whitelist, blacklist, result)
+ result = await checkParents(parentIds, whitelist, blacklist)
 return result
 }
-- cgit v1.2.3-55-g7522
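Review bot: The new header comment on `checkParents` (`// Whitelist returns true, blacklist or no parent in either list returns false`) understates what the rewritten body does: the walk stops at the nearest layer that holds any listed parent, so a blacklisted ancestor further up no longer overrides a whitelisted parent closer to the group, which is what the commit title asks for but which a reader of the comment alone would not expect from "blacklist returns false". I would extend it to `// Walks parent layers outward; the first layer holding a listed parent decides: on that layer blacklist beats whitelist, and a whitelisted parent on a nearer layer beats a blacklisted one further up`. The recursion still carries no cross-layer visited set, only the per-layer `parentIds` dedup, so if the parents relation can contain a cycle the walk would not terminate; worth confirming against the schema or bounding the depth. The `.includes` lookups on `blacklist`, `whitelist` and `parentIds` inside the nested loops are each O(n); building `Set`s once at the call site would be the idiomatic form.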