restrict to owner now takes an array in the userId field (#231)

feathersjs-ecosystem · Jul 7, 2016 · 50a37a2 · 50a37a2
1 parent 961713e
commit 50a37a2
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 5 deletions.
diff --git a/src/hooks/restrict-to-owner.js b/src/hooks/restrict-to-owner.js
@@ -28,7 +28,7 @@ export default function(options = {}){
     }
 
     options = Object.assign({}, defaults, hook.app.get('auth'), options);
-    
+
     const id = hook.params.user[options.idField];
 
     if (id === undefined) {
@@ -51,17 +51,22 @@ export default function(options = {}){
 
         let field = data[options.ownerField];
 
-        // Handle nested Sequelize or Mongoose models 
+        // Handle nested Sequelize or Mongoose models
         if (isPlainObject(field)) {
           field = field[options.idField];
         }
 
-        if ( field === undefined || field.toString() !== id.toString() ) {
+        if (Array.isArray(field)) {
+          const fieldArray = field.map(idValue => idValue.toString());
+          if (fieldArray.length === 0 || fieldArray.indexOf(id.toString()) < 0) {
+            reject(new errors.Forbidden('You do not have the permissions to access this.'));
+          }
+        } else if ( field === undefined || field.toString() !== id.toString() ) {
           reject(new errors.Forbidden('You do not have the permissions to access this.'));
         }
 
         resolve(hook);
       }).catch(reject);
     });
   };
-}
+}
diff --git a/test/src/hooks/restrict-to-owner.test.js b/test/src/hooks/restrict-to-owner.test.js
@@ -3,17 +3,26 @@ import sinon from 'sinon';
 import { restrictToOwner } from '../../../src/hooks';
 
 let MockData;
+let MockData2;
 let MockService;
+let MockService2;
 
 describe('restrictToOwner', () => {
   beforeEach(() => {
     MockData = {
       userId: '1',
       text: 'hey'
     };
+    MockData2 = {
+      userId: ['1'],
+      text: 'hey'
+    };
     MockService = {
       get: sinon.stub().returns(Promise.resolve(MockData))
     };
+    MockService2 = {
+      get: sinon.stub().returns(Promise.resolve(MockData2))
+    };
   });
 
   describe('when not called as a before hook', () => {
@@ -137,6 +146,45 @@ describe('restrictToOwner', () => {
       });
     });
 
+    describe('when an empty array is passed', () => {
+      it('throws an error', () => {
+        hook.userId = [];
+
+        try {
+          restrictToOwner()(hook);
+        }
+        catch(error) {
+          expect(error).to.not.equal(undefined);
+        }
+      });
+    });
+
+    describe('when user does not own the resource and idField is an array', () => {
+      it('returns a Forbidden error', done => {
+        hook.userId = ['1'];
+        hook.params.user._id = '2';
+        let fn = restrictToOwner();
+
+        fn.call(MockService2, hook).then(done).catch(error => {
+          expect(error.code).to.equal(403);
+          done();
+        });
+      });
+    });
+
+    describe('when user owns the resource and idField is an array', () => {
+      it('does nothing', done => {
+        hook.userId = ['1'];
+
+        let fn = restrictToOwner();
+
+        fn.call(MockService2, hook).then(returnedHook => {
+          expect(returnedHook).to.deep.equal(hook);
+          done();
+        }).catch(done);
+      });
+    });
+
     describe('when user owns the resource', () => {
       it('does nothing', done => {
         let fn = restrictToOwner();
@@ -148,4 +196,4 @@ describe('restrictToOwner', () => {
       });
     });
   });
-});
+});