UserExecutable flag should be false if user has no Call permission #1197

node-opcua · Oct 2, 2022 · b5735d8 · b5735d8
1 parent 1c7bd0a
commit b5735d8
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 5 deletions.
diff --git a/packages/node-opcua-address-space/src/base_node_impl.ts b/packages/node-opcua-address-space/src/base_node_impl.ts
@@ -1281,7 +1281,7 @@ export class BaseNodeImpl extends EventEmitter implements BaseNode {
         // https://reference.opcfoundation.org/v104/Core/docs/Part3/4.8.3/
 
         // to do check that current user can read permission
-        if (context && !context?.checkPermission(this as any, PermissionType.ReadRolePermissions)) {
+        if (context && !context.checkPermission(this, PermissionType.ReadRolePermissions)) {
             return new DataValue({
                 statusCode: StatusCodes.BadSecurityModeInsufficient
             });
@@ -1314,7 +1314,7 @@ export class BaseNodeImpl extends EventEmitter implements BaseNode {
     private _readUserRolePermissions(context: ISessionContext | null): DataValue {
 
         // to do check that current user can read permission
-        if (context && !context?.checkPermission(this as any, PermissionType.ReadRolePermissions)) {
+        if (context && !context.checkPermission(this, PermissionType.ReadRolePermissions)) {
             return new DataValue({
                 statusCode: StatusCodes.BadSecurityModeInsufficient
             });

diff --git a/packages/node-opcua-address-space/src/ua_method_impl.ts b/packages/node-opcua-address-space/src/ua_method_impl.ts
@@ -85,7 +85,13 @@ export class UAMethodImpl extends BaseNodeImpl implements UAMethod {
         }
         return true;
     }
-
+    public getUserExecutableFlag(context: ISessionContext | null): boolean {
+        if (context && !context.checkPermission(this, PermissionType.Call)) {
+            return false;
+        }
+        if (!this.getExecutableFlag(context)) return false;
+        return true;
+    }
     /**
      *
      * @returns  true if the method is bound
@@ -107,7 +113,7 @@ export class UAMethodImpl extends BaseNodeImpl implements UAMethod {
                 options.statusCode = StatusCodes.Good;
                 break;
             case AttributeIds.UserExecutable:
-                options.value = { dataType: DataType.Boolean, value: this.getExecutableFlag(context) };
+                options.value = { dataType: DataType.Boolean, value: this.getUserExecutableFlag(context) };
                 options.statusCode = StatusCodes.Good;
                 break;
             default:

diff --git a/packages/node-opcua-address-space/test/test_set_permissions.ts b/packages/node-opcua-address-space/test/test_set_permissions.ts
@@ -108,7 +108,11 @@ describe("Variable#setPermissions & checkPermission", () => {
     });
 });
 
-async function defaultMethod(this: UAMethod, inputArguments: Variant[], context: ISessionContext): Promise<CallMethodResultOptions> {
+async function defaultMethod(
+    this: UAMethod,
+    inputArguments: Variant[],
+    context: ISessionContext
+): Promise<CallMethodResultOptions> {
     /** empty */
     return { statusCode: StatusCodes.Good };
 }
@@ -185,6 +189,26 @@ describe("Method#setPermissions & checkPermission", () => {
 
         context.checkPermission(someMethod3, PermissionType.Call).should.eql(false);
     });
+    it("checkPermission-m3 UserExecutable flag should be false if user has no Call permission #1197", () => {
+        const namespace1 = addressSpace.getOwnNamespace();
+        const context = new SessionContext();
+
+        const someMethod = addressSpace.getOwnNamespace().addMethod(someObject, {
+            browseName: "MethodForTest3",
+            executable: true,
+            userExecutable: true
+        });
+        someMethod.bindMethod(defaultMethod);
+        someMethod.setRolePermissions([{ roleId: WellKnownRoles.Engineer, permissions: makePermissionFlag("Call") }]);
+
+        context.getCurrentUserRoles = () => makeRoles([WellKnownRoles.AuthenticatedUser, WellKnownRoles.Engineer]);
+        someMethod.readAttribute(context, AttributeIds.Executable).value.value.should.eql(true);
+        someMethod.readAttribute(context, AttributeIds.UserExecutable).value.value.should.eql(true);
+
+        context.getCurrentUserRoles = () => makeRoles([WellKnownRoles.Anonymous]);
+        someMethod.readAttribute(context, AttributeIds.Executable).value.value.should.eql(true);
+        someMethod.readAttribute(context, AttributeIds.UserExecutable).value.value.should.eql(false);
+    });
 });
 
 describe("Namespace Permission", () => {