Ghost/core/server/permissions/effective.js

var _ = require('lodash'),
    Models = require('../models'),
    errors = require('../errors');

var effective = {
    user: function (id) {
        return Models.User.findOne({id: id}, { include: ['permissions', 'roles', 'roles.permissions'] })
            .then(function (foundUser) {
                var seenPerms = {},
                    rolePerms = _.map(foundUser.related('roles').models, function (role) {
                        return role.related('permissions').models;
                    }),
                    allPerms = [],
                    user = foundUser.toJSON();

                // TODO: using 'Owner' as return value is a bit hacky.
                if (_.find(user.roles, { 'name': 'Owner' })) {
                    return 'Owner';
                }

                rolePerms.push(foundUser.related('permissions').models);

                _.each(rolePerms, function (rolePermGroup) {
                    _.each(rolePermGroup, function (perm) {
                        var key = perm.get('action_type') + '-' + perm.get('object_type') + '-' + perm.get('object_id');

                        // Only add perms once
                        if (seenPerms[key]) {
                            return;
                        }

                        allPerms.push(perm);
                        seenPerms[key] = true;
                    });
                });

                return allPerms;
            }, errors.logAndThrowError);
    },

    app: function (appName) {
        return Models.App.findOne({name: appName}, { withRelated: ['permissions'] })
            .then(function (foundApp) {
                if (!foundApp) {
                    return [];
                }

                return foundApp.related('permissions').models;
            }, errors.logAndThrowError);
    }
};

module.exports = effective;
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`var _ = require('lodash'),`
			`Models = require('../models'),`
Only reference model properties through the models module. This frees us up to enforce one single point of access, thus paving the way towards allowing us to initialize the models at are request, and not when it's require(). addresses #2170 2014-05-16 06:29:42 +04:00			`errors = require('../errors');`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00
			`var effective = {`
			`user: function (id) {`
Only reference model properties through the models module. This frees us up to enforce one single point of access, thus paving the way towards allowing us to initialize the models at are request, and not when it's require(). addresses #2170 2014-05-16 06:29:42 +04:00			`return Models.User.findOne({id: id}, { include: ['permissions', 'roles', 'roles.permissions'] })`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`.then(function (foundUser) {`
			`var seenPerms = {},`
			`rolePerms = _.map(foundUser.related('roles').models, function (role) {`
			`return role.related('permissions').models;`
			`}),`
Owner has all user permissions closes #3075 - added special treatment for role with name ‚Owner‘ 2014-07-09 15:34:38 +04:00			`allPerms = [],`
			`user = foundUser.toJSON();`

			`// TODO: using 'Owner' as return value is a bit hacky.`
Add edit roles refs #3087 - added ability to edit user/roles relation - user is not allowed assign roles to himself - only one role per user is supported atm - added tests 2014-07-22 00:50:43 +04:00			`if (_.find(user.roles, { 'name': 'Owner' })) {`
Owner has all user permissions closes #3075 - added special treatment for role with name ‚Owner‘ 2014-07-09 15:34:38 +04:00			`return 'Owner';`
			`}`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00
			`rolePerms.push(foundUser.related('permissions').models);`

			`_.each(rolePerms, function (rolePermGroup) {`
			`_.each(rolePermGroup, function (perm) {`
			`var key = perm.get('action_type') + '-' + perm.get('object_type') + '-' + perm.get('object_id');`

			`// Only add perms once`
			`if (seenPerms[key]) {`
			`return;`
			`}`

			`allPerms.push(perm);`
			`seenPerms[key] = true;`
			`});`
			`});`

			`return allPerms;`
			`}, errors.logAndThrowError);`
			`},`

			`app: function (appName) {`
Only reference model properties through the models module. This frees us up to enforce one single point of access, thus paving the way towards allowing us to initialize the models at are request, and not when it's require(). addresses #2170 2014-05-16 06:29:42 +04:00			`return Models.App.findOne({name: appName}, { withRelated: ['permissions'] })`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`.then(function (foundApp) {`
			`if (!foundApp) {`
			`return [];`
			`}`

			`return foundApp.related('permissions').models;`
			`}, errors.logAndThrowError);`
			`}`
			`};`

			`module.exports = effective;`