Ghost/core/server/permissions/effective.js

var _ = require('lodash'),
    Models = require('../models'),
    errors = require('../errors');

var effective = {
    user: function (id) {
        return Models.User.findOne({id: id, status: 'all'}, { include: ['permissions', 'roles', 'roles.permissions'] })
            .then(function (foundUser) {
                var seenPerms = {},
                    rolePerms = _.map(foundUser.related('roles').models, function (role) {
                        return role.related('permissions').models;
                    }),
                    allPerms = [],
                    user = foundUser.toJSON();

                rolePerms.push(foundUser.related('permissions').models);

                _.each(rolePerms, function (rolePermGroup) {
                    _.each(rolePermGroup, function (perm) {
                        var key = perm.get('action_type') + '-' + perm.get('object_type') + '-' + perm.get('object_id');

                        // Only add perms once
                        if (seenPerms[key]) {
                            return;
                        }

                        allPerms.push(perm);
                        seenPerms[key] = true;
                    });
                });

                return {permissions: allPerms, roles: user.roles};
            }, errors.logAndThrowError);
    },

    app: function (appName) {
        return Models.App.findOne({name: appName}, { withRelated: ['permissions'] })
            .then(function (foundApp) {
                if (!foundApp) {
                    return [];
                }

                return {permissions: foundApp.related('permissions').models};
            }, errors.logAndThrowError);
    }
};

module.exports = effective;
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`var _ = require('lodash'),`
			`Models = require('../models'),`
Only reference model properties through the models module. This frees us up to enforce one single point of access, thus paving the way towards allowing us to initialize the models at are request, and not when it's require(). addresses #2170 2014-05-16 06:29:42 +04:00			`errors = require('../errors');`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00
			`var effective = {`
			`user: function (id) {`
Changing User.read API to default to active users. refs #3542 - Properly handle forgotten screen (ember) - Change Users API to only return active users on read - Adjust tests 2014-08-05 22:11:17 +04:00			`return Models.User.findOne({id: id, status: 'all'}, { include: ['permissions', 'roles', 'roles.permissions'] })`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`.then(function (foundUser) {`
			`var seenPerms = {},`
			`rolePerms = _.map(foundUser.related('roles').models, function (role) {`
			`return role.related('permissions').models;`
			`}),`
Owner has all user permissions closes #3075 - added special treatment for role with name ‚Owner‘ 2014-07-09 15:34:38 +04:00			`allPerms = [],`
			`user = foundUser.toJSON();`

Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`rolePerms.push(foundUser.related('permissions').models);`

			`_.each(rolePerms, function (rolePermGroup) {`
			`_.each(rolePermGroup, function (perm) {`
			`var key = perm.get('action_type') + '-' + perm.get('object_type') + '-' + perm.get('object_id');`

			`// Only add perms once`
			`if (seenPerms[key]) {`
			`return;`
			`}`

			`allPerms.push(perm);`
			`seenPerms[key] = true;`
			`});`
			`});`

Permissions Improvements refs #3083, #3096 In order to implement advanced permissions based on roles for specific actions, we need to know what role the current context user has and also what action we are granting permissions for: - Permissible gets passed the action type - Effective permissions keeps the user role and eventually passes it to permissible - Fixed spelling - Still needs tests 2014-07-23 22:17:29 +04:00			`return {permissions: allPerms, roles: user.roles};`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`}, errors.logAndThrowError);`
			`},`

			`app: function (appName) {`
Only reference model properties through the models module. This frees us up to enforce one single point of access, thus paving the way towards allowing us to initialize the models at are request, and not when it's require(). addresses #2170 2014-05-16 06:29:42 +04:00			`return Models.App.findOne({name: appName}, { withRelated: ['permissions'] })`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`.then(function (foundApp) {`
			`if (!foundApp) {`
			`return [];`
			`}`

Permissions Improvements refs #3083, #3096 In order to implement advanced permissions based on roles for specific actions, we need to know what role the current context user has and also what action we are granting permissions for: - Permissible gets passed the action type - Effective permissions keeps the user role and eventually passes it to permissible - Fixed spelling - Still needs tests 2014-07-23 22:17:29 +04:00			`return {permissions: foundApp.related('permissions').models};`
Add app permission checking to canThis - Pass permissions loading to buildObjectTypeHandlers to eliminate shared state - Load both app and user permissions to check - Check app permissions if present - Create apps table and App model - Move effectiveUserPermissions to permissions/effective - Change permissable interface to take context; user and app. - Add unit tests for app canThis checks and effective permissions 2014-02-12 07:40:39 +04:00			`}, errors.logAndThrowError);`
			`}`
			`};`

			`module.exports = effective;`