Apply IDP Permissions to search operations

TimCsaky · TimCsaky · commit 3f5749abc8d6 · 2026-03-04T16:00:10.000-08:00
Check for READ permissions granted to user's IDP
in addition to user-level permissions, when config.privacyMask is ON.
This allows users to see objects shared with their IDP,
even if they don't have direct permissions on the object.
diff --git a/app/src/controllers/object.js b/app/src/controllers/object.js
@@ -653,6 +653,7 @@ const controller = {
       // if scoping to current user permissions on objects
       if (getConfigBoolean('server.privacyMask')) {
         params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
+        params.idp = req.currentUser.tokenPayload ? req.currentUser.tokenPayload.identity_provider : undefined;
       }
       const response = await metadataService.fetchMetadataForObject(params);
       res.status(200).json(response);
@@ -682,6 +683,8 @@ const controller = {
       // if scoping to current user permissions on objects
       if (getConfigBoolean('server.privacyMask')) {
         params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
+        // params.idp = 'bc-box-local-4545';
+        params.idp = req.currentUser.tokenPayload ? req.currentUser.tokenPayload.identity_provider : undefined;
       }
       const response = await tagService.fetchTagsForObject(params);
       res.status(200).json(response);
@@ -1062,23 +1065,25 @@ const controller = {
       };
       // if scoping to current user permissions on objects
       if (getConfigBoolean('server.privacyMask')) {
+        params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
+        params.idp = req.currentUser.tokenPayload ? req.currentUser.tokenPayload.identity_provider : undefined;
 
-        if (req.currentUser.authType === AuthType.NONE) {
+      }
 
-          // no-auth requests MUST have all of the following:
-          //  (a) an object or bucket id; (b) ?public=true; (c) not search by S3 path
-          if (!(params.bucketId || params.id) || !params.public || params.path) {
-            throw new Problem(403, {
-              detail: 'User lacks permission to complete this action',
-              instance: req.originalUrl
-            });
-          }
+      // if no-auth, MUST have ALL of the following:
+      //  (a) an object or bucket id; (b) ?public=true; (c) not search by S3 path
+      if (req.currentUser.authType === AuthType.NONE) {
+        if (!(params.bucketId || params.id) || !params.public || params.path) {
+          throw new Problem(403, {
+            detail: 'User lacks permission to complete this action',
+            instance: req.originalUrl
+          });
         }
-        params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
       }
 
       const response = await objectService.searchObjects(params);
 
+      // if no-auth request, redact sensitive fields from response
       if (req.currentUser.authType === AuthType.NONE) {
         const redactedFields = ['path', 'createdBy', 'updatedBy', 'lastSyncedDate'];
         const redactedResponseData = response.data.map(object => utils.redactSecrets(object, redactedFields));
diff --git a/app/src/controllers/version.js b/app/src/controllers/version.js
@@ -38,6 +38,7 @@ const controller = {
       // if scoping to current user permissions on objects
       if (getConfigBoolean('server.privacyMask')) {
         params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
+        params.idp = req.currentUser.tokenPayload ? req.currentUser.tokenPayload.identity_provider : undefined;
         params.bucketId = bucketId?.length ? bucketId : undefined;
       }
       const response = await metadataService.fetchMetadataForVersion(params);
@@ -70,6 +71,7 @@ const controller = {
       // if scoping to current user permissions on objects
       if (getConfigBoolean('server.privacyMask')) {
         params.userId = await userService.getCurrentUserId(getCurrentIdentity(req.currentUser, SYSTEM_USER));
+        params.idp = req.currentUser.tokenPayload ? req.currentUser.tokenPayload.identity_provider : undefined;
         params.bucketId = bucketId?.length ? bucketId : undefined;
       }
       const response = await tagService.fetchTagsForVersion(params);
diff --git a/app/src/db/models/tables/objectModel.js b/app/src/db/models/tables/objectModel.js
@@ -14,6 +14,8 @@ class ObjectModel extends Timestamps(Model) {
     const Bucket = require('./bucket');
     const ObjectPermission = require('./objectPermission');
     const BucketPermission = require('./bucketPermission');
+    const ObjectIdpPermission = require('./objectIdpPermission');
+    const BucketIdpPermission = require('./bucketIdpPermission');
     const Version = require('./version');
 
     return {
@@ -48,7 +50,23 @@ class ObjectModel extends Timestamps(Model) {
           from: 'object.bucketId',
           to: 'bucket_permission.bucketId'
         }
-      }
+      },
+      objectIdpPermission: {
+        relation: Model.HasManyRelation,
+        modelClass: ObjectIdpPermission,
+        join: {
+          from: 'object.id',
+          to: 'object_idp_permission.objectId'
+        }
+      },
+      bucketIdpPermission: {
+        relation: Model.HasManyRelation,
+        modelClass: BucketIdpPermission,
+        join: {
+          from: 'object.bucketId',
+          to: 'bucket_idp_permission.bucketId'
+        }
+      },
     };
   }
 
@@ -133,14 +151,17 @@ class ObjectModel extends Timestamps(Model) {
       findPath(query, value) {
         if (value) query.where('object.path', value);
       },
-      hasPermission(query, userId, permCode) {
-        if (userId && permCode) {
+      hasPermission(query, { userId, idp, permCode }) {
+        // userId will be defined if config.privacyMask is ON, in which case we want to filter by permissions. 
+        if (userId && idp && permCode) {
           query
             // withGraphFetched keep joining using default 'left join' operation,
             // to fix default behavior we are adding extra joinOperation which seems to be working with
             // corresponding JoinRelated
-            .withGraphFetched('[objectPermission, bucketPermission]', { joinOperation: 'fullOuterJoinRelated' })
-            .fullOuterJoinRelated('[objectPermission, bucketPermission]')
+            .withGraphFetched('[objectPermission, bucketPermission, objectIdpPermission, bucketIdpPermission]', {
+              joinOperation: 'fullOuterJoinRelated'
+            })
+            .fullOuterJoinRelated('[objectPermission, bucketPermission, objectIdpPermission, bucketIdpPermission]')
             // wrap in WHERE to make contained clauses exclusive of root query
             .where(query => {
               query
@@ -157,6 +178,20 @@ class ObjectModel extends Timestamps(Model) {
                       'bucketPermission.permCode': permCode,
                       'bucketPermission.userId': userId
                     });
+                })
+                .orWhere(query => {
+                  query
+                    .where({
+                      'objectIdpPermission.permCode': permCode,
+                      'objectIdpPermission.idp': idp
+                    });
+                })
+                .orWhere(query => {
+                  query
+                    .where({
+                      'bucketIdpPermission.permCode': permCode,
+                      'bucketIdpPermission.idp': idp
+                    });
                 });
             });
         } else {
diff --git a/app/src/middleware/authorization.js b/app/src/middleware/authorization.js
@@ -23,7 +23,7 @@ const {
  * @function _checkIdpPermission
  * Checks if the current user is authorized to perform the operation because 
  * they have the required permission through their identity provider (idp) 
- * the identity provider of their athentication (eg: idir, bcsc, etc)
+ * of their athentication (eg: idir, bcsc, etc)
  * @param {object} req.currentUser Express request object currentUser
  * @param {object} req.params Express request object params
  * @param {string} permission The permission to check against
diff --git a/app/src/services/metadata.js b/app/src/services/metadata.js
@@ -182,7 +182,7 @@ const service = {
   fetchMetadataForObject: (params) => {
     return ObjectModel.query()
       .select('object.id AS objectId', 'object.bucketId as bucketId')
-      .allowGraph('[bucketPermission, objectPermission, version.metadata]')
+      .allowGraph('[bucketPermission, objectPermission, objectIdpPermission, bucketIdpPermission, version.metadata]')
       .withGraphJoined('version.metadata')
       // get latest version that isn't a delete marker by default
       .modifyGraph('version', builder => {
@@ -206,14 +206,17 @@ const service = {
       // match on bucketIds parameter
       .modify('filterBucketIds', params.bucketIds)
       // scope to objects that user(s) has READ permission at object or bucket-level
-      .modify('hasPermission', params.userId, 'READ')
+      .modify('hasPermission', { userId: params.userId, idp: params.idp, permCode: 'READ' })
       // re-structure result like: [{ objectId: abc, metadata: [{ key: a, value: b }] }]
-      .then(result => result.map(row => {
-        return {
-          objectId: row.objectId,
-          metadata: row.version && row.version.length ? row.version[0].metadata : []
-        };
-      }));
+      .then(result =>
+        // de-dupe based on objectId, keeping all associated tags for each object
+        Array.from(new Map(result.map(item => [item.objectId, item])).values())
+          .map(row => {
+            return {
+              objectId: row.objectId,
+              metadata: row.version && row.version.length ? row.version[0].metadata : []
+            };
+          }));
   },
 
   /**
@@ -250,7 +253,11 @@ const service = {
             query
               .allowGraph('object')
               .withGraphJoined('object')
-              .modifyGraph('object', query => { query.modify('hasPermission', params.userId, 'READ'); })
+              .modifyGraph('object', query => {
+                query.modify('hasPermission', {
+                  userId: params.userId, idp: params.idp, permCode: 'READ'
+                });
+              })
               .whereNotNull('object.id');
           }
           if (params.bucketId) {
diff --git a/app/src/services/object.js b/app/src/services/object.js
@@ -128,7 +128,7 @@ const service = {
       // GroupBy() seems to be working faster with ObjectionJS Graphs
       // when comparing with distinct()
       response.data = await ObjectModel.query(trx)
-        .allowGraph('[bucketPermission, objectPermission, version]')
+        .allowGraph('[bucketPermission, objectPermission, objectIdpPermission, bucketIdpPermission, version]')
         .groupBy('object.id')
         // object
         .modify('filterIds', params.id)
@@ -149,9 +149,10 @@ const service = {
         // permissions
         // if userId is provided (privacyMask is ON) then filter where:
         // - user has READ on object
-        // - user has READ on parent folder
-        // - any parent folder.public is truthy
-        .modify('hasPermission', params.userId, 'READ')
+        // - OR user has READ on parent folder
+        // - OR user has READ permission granted to their IDP
+        // - OR any parent folder.public is truthy
+        .modify('hasPermission', { userId: params.userId, idp: params.idp, permCode: 'READ' })
         // pagination
         .modify('pagination', params.page, params.limit)
         // sort results
@@ -168,8 +169,16 @@ const service = {
           }
           return Promise.all(
             results.map(row => {
-              // eslint-disable-next-line no-unused-vars
-              const { objectPermission, bucketPermission, version, ...object } = row;
+              // destructure permissions out of the row for cleaner response formatting, 
+              // and filter down to only current user permissions if privacyMask is ON
+              /* eslint-disable */
+              const {
+                objectPermission,
+                bucketPermission,
+                objectIdpPermission,
+                bucketIdpPermission,
+                version, ...object } = row;
+              /* eslint-enable */
               if (row.id && params.permissions) {
                 object.permissions = [];
                 if (objectPermission && params.userId && params.userId !== SYSTEM_USER) {
diff --git a/app/src/services/tag.js b/app/src/services/tag.js
@@ -233,7 +233,7 @@ const service = {
   fetchTagsForObject: (params) => {
     return ObjectModel.query()
       .select('object.id AS objectId', 'object.bucketId as bucketId')
-      .allowGraph('[bucketPermission, objectPermission, version.tag]')
+      .allowGraph('[bucketPermission, objectPermission, objectIdpPermission, bucketIdpPermission, version.tag]')
       .withGraphJoined('version.tag')
       // get latest version that isn't a delete marker by default
       .modifyGraph('version', builder => {
@@ -257,14 +257,17 @@ const service = {
       // match on bucketIds parameter
       .modify('filterBucketIds', params.bucketIds)
       // scope to objects that user(s) has READ permission at object or bucket-level
-      .modify('hasPermission', params.userId, 'READ')
-      // re-structure result like: [{ objectId: abc, tagset: [{ key: a, value: b }] }]
-      .then(result => result.map(row => {
-        return {
-          objectId: row.objectId,
-          tagset: row.version && row.version.length ? row.version[0].tag : []
-        };
-      }));
+      .modify('hasPermission', { userId: params.userId, idp: params.idp, permCode: 'READ' })
+      .then(result =>
+        // de-dupe based on objectId, keeping all associated tags for each object
+        Array.from(new Map(result.map(item => [item.objectId, item])).values())
+          // re-structure result like: [{ objectId: abc, tagset: [{ key: a, value: b }] }]
+          .map(row => {
+            return {
+              objectId: row.objectId,
+              tagset: row.version && row.version.length ? row.version[0].tag : []
+            };
+          }));
   },
 
   /**
@@ -301,7 +304,11 @@ const service = {
             query
               .allowGraph('object')
               .withGraphJoined('object')
-              .modifyGraph('object', query => { query.modify('hasPermission', params.userId, 'READ'); })
+              .modifyGraph('object', query => {
+                query.modify('hasPermission', {
+                  userId: params.userId, idp: params.idp, permCode: 'READ'
+                });
+              })
               .whereNotNull('object.id');
           }
           if (params.bucketId) {
