Closes #435 - Improved Team/Permission logic

package.json

@@ -32,36 +32,36 @@
     "cors": "^2.8.5",
     "express": "^4.18.2",
     "express-basic-auth": "^1.2.1",
-    "express-rate-limit": "^6.7.0",
+    "express-rate-limit": "^6.7.1",
     "express-validator": "^7.0.1",
     "graphql": "^16.7.1",
-    "graphql-http": "^1.19.0",
+    "graphql-http": "^1.20.0",
     "graphql-tag": "^2.12.6",
     "helmet": "^7.0.0",
-    "jsonwebtoken": "^9.0.0",
+    "jsonwebtoken": "^9.0.1",
     "moment": "^2.29.4",
-    "mongodb": "^5.6.0",
-    "mongoose": "^7.3.1",
+    "mongodb": "^5.7.0",
+    "mongoose": "^7.3.2",
     "pino": "^8.14.1",
-    "pino-pretty": "^10.0.0",
-    "swagger-ui-express": "^4.6.3",
+    "pino-pretty": "^10.0.1",
+    "swagger-ui-express": "^5.0.0",
     "switcher-client": "^3.1.8",
     "validator": "^13.9.0"
   },
   "devDependencies": {
-    "@babel/cli": "^7.22.5",
-    "@babel/core": "^7.22.5",
-    "@babel/node": "^7.22.5",
-    "@babel/preset-env": "^7.22.5",
+    "@babel/cli": "^7.22.6",
+    "@babel/core": "^7.22.8",
+    "@babel/node": "^7.22.6",
+    "@babel/preset-env": "^7.22.7",
     "@babel/register": "^7.22.5",
-    "babel-jest": "^29.5.0",
+    "babel-jest": "^29.6.1",
     "babel-polyfill": "^6.26.0",
     "env-cmd": "^10.1.0",
     "eslint": "^8.44.0",
-    "jest": "^29.5.0",
+    "jest": "^29.6.1",
     "jest-sonar-reporter": "^2.0.0",
     "node-notifier": "^10.0.1",
-    "nodemon": "^2.0.22",
+    "nodemon": "^3.0.1",
     "sinon": "^15.2.0",
     "supertest": "^6.3.3"
   },

src/helpers/index.js

@@ -119,16 +119,32 @@ export async function verifyOwnership(admin, element, domainId, action, routerTy
     }
 
     const teams = await getTeams({ _id: { $in: admin.teams }, domain: domain._id, active: true });
-    if (teams.length && admin.teams.length) {
-        for (const team of teams) {
-            if (cascade) {
-                element = await verifyPermissionsCascade(team, element, action, routerType);
-            } else {
-                element = await verifyPermissions(team, element, action, routerType);
-            }
-        }
-    } else {
+    if (!teams.length || !admin.teams.length) {
         throw new PermissionError('It was not possible to find any team that allows you to proceed with this operation');
+    } 
+
+    let hasPermission = [];
+    let allowedElement;
+    for (const team of teams) {
+        if (cascade) {
+            allowedElement = await verifyPermissionsCascade(team, element, action, routerType);
+        } else {
+            allowedElement = await verifyPermissions(team, element, action, routerType);
+        }
+
+        if (allowedElement) {
+            hasPermission.push(allowedElement);
+        }
+    }
+
+    if (!hasPermission.length) {
+        throw new PermissionError('Action forbidden');
+    }
+
+    if (Array.isArray(element)) {
+        hasPermission = hasPermission.flat(Infinity);
+        hasPermission = [...new Set(hasPermission)];
+        return hasPermission;
     }
 
     return element;

src/helpers/permission.js

@@ -1,4 +1,3 @@
-import { PermissionError } from '../exceptions';
 import { ActionTypes, RouterTypes } from '../models/permission';
 import { getPermission, getPermissions } from '../services/permission';
 
@@ -10,11 +9,11 @@ export async function verifyPermissions(team, element, action, routerType) {
         router: { $in: [routerType, RouterTypes.ALL] }
     });
 
-    if (permission) {
-        return verifyIdentifiers(permission, element);
-    } else {
-        throw new PermissionError(`Permission not found for this operation: '${action}' - '${routerType}'`);
+    if (!permission) {
+        return undefined;
     }
+
+    return verifyIdentifiers(permission, element);
 }
 
 export async function verifyPermissionsCascade(team, element, action, routerType) {
@@ -66,13 +65,12 @@ function verifyIdentifiers(permission, element) {
                     return element;
                 }
             }
-        } else {
-            if (permission.values.includes(element[`${permission.identifiedBy}`])) {
-                return element;
-            }
+        } else if (permission.values.includes(element[`${permission.identifiedBy}`])) {
+            return element;
         }
-    } else {
-        return element;
+
+        return undefined;
     }
-    throw new PermissionError('It was not possible to match the requiring element to the current permission');
+
+    return element;
 }

tests/fixtures/db_team_permission.js

@@ -76,6 +76,24 @@ export const permission2 = {
     values: [groupConfig2Document.name]
 };
 
+export const permission21Id = new mongoose.Types.ObjectId();
+export const permission21 = {
+    _id: permission21Id,
+    action: ActionTypes.READ,
+    active: true,
+    router: RouterTypes.GROUP
+};
+
+export const permission22Id = new mongoose.Types.ObjectId();
+export const permission22 = {
+    _id: permission22Id,
+    action: ActionTypes.READ,
+    active: true,
+    router: RouterTypes.GROUP,
+    identifiedBy: KeyTypes.NAME,
+    values: ['RANDOM_VALUE']
+};
+
 export const permission3Id = new mongoose.Types.ObjectId();
 export const permission3 = {
     _id: permission3Id,
@@ -112,14 +130,23 @@ export const team2 = {
     permissions: [permission4Id]
 };
 
+export const team3Id = new mongoose.Types.ObjectId();
+export const team3 = {
+    _id: team3Id,
+    domain: domainId,
+    name: 'Team 3',
+    active: true,
+    permissions: [permission21Id, permission22Id]
+};
+
 export const adminAccountId = new mongoose.Types.ObjectId();
 export const adminAccount = {
     _id: adminAccountId,
     name: 'Member Admin',
     email: 'member@admin.com',
     password: '123123123123',
     active: true,
-    teams: [team1Id]
+    teams: [team1Id, team3Id]
 };
 
 export const adminAccount2Id = new mongoose.Types.ObjectId();
@@ -162,8 +189,11 @@ export const setupDatabase = async () => {
     await new Config(configDocument).save();
     await new Permission(permission1).save();
     await new Permission(permission2).save();
+    await new Permission(permission21).save();
+    await new Permission(permission22).save();
     await new Permission(permission3).save();
     await new Permission(permission4).save();
     await new Team(team1).save();
     await new Team(team2).save();
+    await new Team(team3).save();
 };