Enhancement/permission engine (#191)

Wardormeur · web-flow · commit d30306c3555d · 2016-06-23T11:33:12.000+01:00
* Add support for config-oriented permissions
first draft for permission per act

* Adapt to new strcture of cp-perms

* Fix unreachable context

Change cb for an object for cross µs calls as bollean (true) get lost through seneca-transport

* Add missing dep

* Change repo for cp-perms
diff --git a/config/perm/profiles.js b/config/perm/profiles.js
@@ -0,0 +1,164 @@
+'use strict';
+
+module.exports = function(){
+  return {
+      'create': [{
+        role: 'basic-user',
+      }],
+      'user_profile_data': [{
+        role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      }, {
+        role: 'basic-user',
+        userType: 'parent-guardian',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of'
+        }]
+      }, {
+        role: 'basic-user',
+        userType: 'champion',
+        customValidator: [{
+          role: 'cd-dojos',
+          cmd: 'belongs_to_dojo'
+        }]
+      }],
+      'load': [{
+        role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      }, {
+        role: 'basic-user',
+        userType: 'parent-guardian',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of'
+        }]
+      }
+    ],
+      'load_user_profile': [{
+        role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      }, {
+        role: 'basic-user',
+        userType: 'parent-guardian',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of'
+        }]
+      }],
+      'save-youth-profile': [{
+        role: 'basic-user',
+        userType: 'parent-guardian'
+      }],
+      'save': [{
+        role: 'basic-user',
+      }],
+      'update-youth-profile': [{
+        role: 'basic-user',
+        userType: 'parent-guardian',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of'
+        }]
+      }, { role: 'basic-user',
+        userType: 'attendee-u13',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      }, { role: 'basic-user',
+        userType: 'attendee-o13',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      }],
+      //  TODO : ensure you're calling it for yourself?
+      //  TODO : strict mode to avoid the permission hierarchy
+      'invite-parent-guardian': [{
+        role: 'basic-user',
+        userType: 'attendee-o13'
+      }],
+
+      'accept-parent-invite': [{
+        role: 'basic-user',
+        userType: 'parent-guardian',
+      }],
+      // TODO: ??usage
+      'search': [{
+        role: 'basic-user',
+
+      }],
+
+      'load_hidden_fields': [{
+        role: 'none'
+      }],
+      'list': [{
+        role: 'basic-user',
+      }],
+      'change_avatar': [{
+        role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+      }]}],
+      'get_avatar': [{
+        role: 'none',
+      }],
+      'load_parents_for_user': [
+      { role: 'basic-user',
+        userType: 'champion'
+      },
+      { role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      },
+      { role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of'
+        }]
+      }],
+
+      'invite_ninja': [{
+        role: 'basic-user',
+        userType: 'parent-guardian'
+      },
+      {
+        role: 'basic-user',
+        userType: 'champion'
+      },
+      {
+        role: 'basic-user',
+        userType: 'mentor'
+      }],
+      //  TODO : check if approved = the one supposed to open
+      'approve_invite_ninja': [{
+        role: 'basic-user',
+        userType: 'attendee-o13'
+      }],
+      'ninjas_for_user': [{
+        role: 'basic-user',
+        userType: 'parent-guardian'
+      },
+      { role: 'basic-user',
+        userType: 'champion'
+      },
+      { role: 'basic-user',
+        customValidator:[ {
+          role: 'cd-users',
+          cmd: 'is_self'
+      }]}],
+  };
+};
diff --git a/config/perm/users.js b/config/perm/users.js
@@ -0,0 +1,128 @@
+'use strict';
+
+module.exports = function(){
+  return {
+      'load': [{
+        role: 'basic-user',
+        userTypes: 'champion'
+      },
+      { role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      },
+      { role: 'basic-user',
+        userType: 'parent',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of',
+        }]
+      }],
+      'list': [{
+        role: 'basic-user',
+        userTypes: 'champion'
+      }],
+      'register': [{
+        role: 'none',
+      }],
+      'promote': [{
+        role: 'cdf-admin',
+      }],
+
+      //  TODO : check if own dojo members?
+      'get_users_by_emails': [{ role: 'basic-user',
+        //NOTE: isn't perm a customVal now ?
+        customValidator: [{
+          role: 'cd-dojos',
+          cmd: 'is_having_perm',
+          param: {
+            perm: 'dojo-admin'
+          }
+        }]
+      }],
+
+      'update': [{
+        role: 'basic-user',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_self'
+        }]
+      },
+      { role: 'basic-user',
+        userType: 'parent',
+        customValidator: [{
+          role: 'cd-users',
+          cmd: 'is_parent_of'
+        }]
+      }],
+
+      'get_init_user_types': [{
+        role: 'none',
+      }],
+      //  Could be public as champion are public by design
+      'is_champion': [{
+        role: 'basic-user',
+      }],
+
+      'reset_password': [{
+        role: 'none',
+      }],
+
+      'execute_reset': [{
+        role: 'none',
+      }],
+
+      'load_champions_for_user': [{
+        role: 'basic-user',
+        customValidator: [
+          { role: 'cd-users',
+            cmd: 'is_self'
+          }]
+      }, {
+        role: 'basic-user',
+        userType: 'champion',
+        customValidator: [{
+          role: 'cd-dojos',
+          cmd: 'belongs_to_dojo'
+        }]
+      }],
+      'load_dojo_admins_for_user': [{
+        role: 'basic-user',
+        customValidator: [
+          { role: 'cd-users',
+            cmd: 'is_self'
+          }]
+      }, {
+        role: 'basic-user',
+        userType: 'champion',
+        customValidator: [{
+          role: 'cd-dojos',
+          cmd: 'belongs_to_dojo'
+        }]
+      }],
+      'record_login': [{
+        role: 'basic-user',
+      }],
+
+      //  TODO: lookup
+      'load_prev_founder': [{
+        role: 'basic-user',
+        //TODO : how to pass a require a context which is not accessible in the first place ?
+        // customValidator: [{
+        //   role: 'cd-dojos',
+        //   cmd: 'have_permissions',
+        //   perm: 'dojo-admin'
+        // }]
+      }],
+      'kpi_number_of_youths_registered': [{
+        role: 'cdf-admin',
+      }],
+      'kpi_number_of_champions_and_mentors_registered': [{
+        role: 'cdf-admin',
+      }],
+      'kpi_number_of_youth_females_registered': [{
+        role: 'cdf-admin',
+      }],
+  };
+};
diff --git a/config/permissions.js b/config/permissions.js
@@ -0,0 +1,23 @@
+'use strict';
+
+module.exports = function(){
+  return {
+      'cd-users': require('./perm/users.js')(),
+      'cd-profiles': require('./perm/profiles.js')(),
+
+      'auth': {
+        'create_reset': [{
+          role: 'none',
+        }],
+      },
+      'user': {
+        'login': [{
+          role: 'none',
+        }],
+        'logout': [{
+          role: 'none',
+        }],
+      },
+
+  };
+};
diff --git a/lib/users/is-parent-of.js b/lib/users/is-parent-of.js
@@ -0,0 +1,23 @@
+'use strict';
+var async = require('async');
+var _ = require('lodash');
+
+
+function isParentOf (args, cb) {
+  var seneca = this;
+  var plugin = args.role;
+  var userId = args.user.id;
+  var childrenId = args.params.userId
+  if(_.isUndefined(childrenId) && args.params.profile) childrenId = args.params.profile.userId;
+  if(_.isUndefined(childrenId) && args.params.query) childrenId = args.params.query.userId;
+  var isParent = false;
+  //  Could also check the opposite way, from child to Parent
+  seneca.act({role: 'cd-profiles', cmd: 'load_user_profile', userId: userId},
+    function(err, user){
+      if(err) return cb(null, {'allowed': false});
+      if(_.includes(user.children, childrenId )) isParent = true;
+      return cb(null, {'allowed': isParent});
+  });
+}
+
+module.exports = isParentOf;
diff --git a/lib/users/is-self.js b/lib/users/is-self.js
@@ -0,0 +1,21 @@
+'use strict';
+var async = require('async');
+var _ = require('lodash');
+
+
+function isSelf (args, cb) {
+  var seneca = this;
+  var plugin = args.role;
+  var userId = args.user.id;
+  var refUserId = args.params.userId || args.params.id ;
+  if(args.params.query && _.isUndefined(refUserId))
+    refUserId = args.params.query.userId || args.params.query.id ;
+  var isSelf = false;
+  // Could check upon profile, but seems like an overkill to me
+  if( userId === refUserId ){
+    isSelf = true;
+  }
+  return cb(null, {'allowed': isSelf});
+}
+
+module.exports = isSelf;
diff --git a/package.json b/package.json
@@ -39,6 +39,7 @@
     "seneca-mail": "0.2.1",
     "seneca-postgresql-store": "1.1.3",
     "seneca-user": "0.2.10",
+    "cp-permissions": "git://github.com/CoderDojo/cp-permissions-plugin#0.0.1",
     "shortid": "2.2.2",
     "xoauth2": "1.1.0"
   },
diff --git a/profiles.js b/profiles.js
@@ -419,7 +419,6 @@ module.exports = function (options) {
         if (err) {
           return done(err);
         }
-
         return done(null, profile, usersDojos);
       });
     }
diff --git a/service.js b/service.js
@@ -36,6 +36,9 @@ require('./migrate-psql-db.js')(function (err) {
               'users': config['users']
             });
   seneca.use(require('./nodebb-api.js'), config.nodebb);
+  seneca.use(require('cp-permissions'), {
+    config: __dirname + '/config/permissions'
+  });
 
   seneca.listen()
   .client({ type: 'web', port: 10304, pin: { role: 'cd-salesforce', cmd: '*' } })
diff --git a/users.js b/users.js
@@ -32,6 +32,8 @@ module.exports = function (options) {
   seneca.add({role: plugin, cmd: 'kpi_number_of_youths_registered'}, cmd_kpi_number_of_youths_registered);
   seneca.add({role: plugin, cmd: 'kpi_number_of_champions_and_mentors_registered'}, cmd_kpi_number_of_champions_and_mentors_registered);
   seneca.add({role: plugin, cmd: 'kpi_number_of_youth_females_registered'}, cmd_kpi_number_of_youth_females_registered);
+  seneca.add({role: 'cd-users', cmd: 'is_self'}, require('./lib/users/is-self'));
+  seneca.add({role: 'cd-users', cmd: 'is_parent_of'}, require('./lib/users/is-parent-of'));
 
   function cmd_load_prev_founder (args, done) {
     var seneca = this;

Original file line number	Diff line number	Diff line change
`@@ -419,7 +419,6 @@ module.exports = function (options) {`
`419`	`419`	`if (err) {`
`420`	`420`	`return done(err);`
`421`	`421`	`}`
`422`		`-`
`423`	`422`	`return done(null, profile, usersDojos);`
`424`	`423`	`});`
`425`	`424`	`}`