allowing multiple auth levels

chrismatix · chrismatix · commit a91071ff513e · 2018-01-17T19:11:01.000+01:00
diff --git a/README.md b/README.md
@@ -89,7 +89,7 @@ In the example above we extended the **userSchema** by adding a *permissions* ob
 The permissions object consists or properties that represent your authorization levels (or groups). For each group, there are 4 permissions you can configure.
 * `save` (create) - Boolean
 * `remove` - Boolean
-* `update` - [array of fields] *NOTE: if `upsert: true`, the group will need to have `save` permissions too*
+* `write` - [array of fields] *NOTE: if `upsert: true`, the group will need to have `save` permissions too*
 * `read` (find) - [array of fields]
 
 You can also specify a `defaults` group, which represents permissions that are available to all groups.
@@ -100,6 +100,8 @@ You can also specify a `defaults` group, which represents permissions that are a
 
 ***example update***
 
+You can also specify an array of authentication levels. This would merge the settings of each auth level.
+
 ```
 users.update({user_id: userUpdate.user_id}, userUpdate, {
   authLevel: 'admin'
diff --git a/index.js b/index.js
@@ -2,140 +2,187 @@
 
 var _ = require('lodash');
 
-module.exports = function(schema) {
-  schema.pre('save', function(next) {
-    save(this, next);
-  });
-  schema.pre('findOneAndRemove', function(next) {
-    remove(this, next);
-  });
-  schema.pre('find', function(next) {
-    find(this, next);
-  });
-  schema.pre('findOne', function(next) {
-    find(this, next);
-  });
-  schema.pre('update', function(next) {
-    update(this, next);
-  });
-  schema.pre('findOneAndUpdate', function(next) {
-    update(this, next);
-  });
-
-  function save(schema, next) {
-    var vm = schema;
-    if (vm.options && vm.options.authLevel) {
-      if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].save) {
-        //check to see if the group has permission to save a new document
-        return next();
-      } else {
-        return next({message: 'permission denied', reason: 'you do not have access to the following permissions: [save]'});
-      }
-    } else {
-      return next();
+module.exports = function (schema) {
+    schema.pre('save', function (next) {
+        save(this, next);
+    });
+    schema.pre('findOneAndRemove', function (next) {
+        remove(this, next);
+    });
+    schema.pre('find', function (next) {
+        find(this, next);
+    });
+    schema.pre('findOne', function (next) {
+        find(this, next);
+    });
+    schema.pre('update', function (next) {
+        update(this, next);
+    });
+    schema.pre('findOneAndUpdate', function (next) {
+        update(this, next);
+    });
+
+    function hasPermission(vm, action) {
+        if (!vm.schema.permissions[vm.options.authLevel]) {
+            return false;
+        }
+        var authLevel = vm.options.authLevel;
+
+        if (Array.isArray(authLevel)) {
+            return authLevel.filter(function (level) {
+                return !!vm.schema.permissions[level][action];
+            }).length > 0;
+        } else {
+            return vm.schema.permissions[authLevel][action];
+        }
     }
-  }
-
-  function remove(schema, next) {
-    var vm = schema;
-    if (vm.options && vm.options.authLevel) {
-      if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].remove) {
-        //check to see if the group has permission to remove a document
-        return next();
-      } else {
-        return next({message: 'permission denied', reason: 'you do not have access to the following permissions: [remove]'});
-      }
-    } else {
-      return next();
+
+    function authOptionPresent(vm) {
+        return vm.options && vm.options.authLevel;
     }
-  }
-
-  function find(schema, next) {
-    var vm = schema;
-    var authorizedFields = [];
-    if (vm.options && vm.options.authLevel) {
-      if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].read) {
-        //check to see if the group has any read permissions and add to the authorizedFields array
-        authorizedFields = authorizedFields.concat(vm.schema.permissions[vm.options.authLevel].read);
-      }
-      if (vm.schema.permissions.defaults && vm.schema.permissions.defaults.read) {
-        //check to see if there are any default read permissions and add to the authorizedFields array
-        authorizedFields = authorizedFields.concat(vm.schema.permissions.defaults.read);
-      }
-
-      //create a projection object for mongoose based on the authorizedFields array
-      var sanitizedFind = {};
-      authorizedFields.forEach(function(field) {
-        sanitizedFind[field] = 1;
-      });
-
-      //Check to see if group has the permission to permorm a find using the specified fields
-      var discrepancies = _.difference(Object.keys(vm._conditions), Object.keys(sanitizedFind));
-      if (discrepancies[0]) {
-        //if a group is searching by a field they do not have access to, return an error
-        return next({message: 'permission denied', reason: 'you do not have access to the following fields: [' + discrepancies.toString() + ']'});
-      } else {
-        vm._fields = sanitizedFind;
-        return next();
-      }
-    } else {
-      return next();
+
+    function getAuthorizedFields(vm, action) {
+        var authLevel = vm.options.authLevel;
+
+        if (Array.isArray(authLevel)) {
+            return authLevel.reduce(function (acc, level) {
+                var fields = vm.schema.permissions[level][action] || [];
+                return acc.concat(fields)
+            }, []);
+        } else {
+            return vm.schema.permissions[authLevel][action] || [];
+        }
     }
-  }
-
-  function update(schema, next) {
-    var vm = schema;
-    var authorizedFields = [];
-    var authorizedReturnFields = [];
-    if (vm.options && vm.options.authLevel) {
-      if (vm.options.upsert && !vm.schema.permissions[vm.options.authLevel].save) {
-        //check to see if 'upsert: true' option is set, then verify if group has save permission
-        return next({message: 'permission denied', reason: 'you do not have access to the following permissions: [save]'});
-      }
-      if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].write) {
-        //check to see if group has any write permissions and add to the authorizedFields array
-        authorizedFields = authorizedFields.concat(vm.schema.permissions[vm.options.authLevel].write);
-      }
-      if (vm.schema.permissions.defaults && vm.schema.permissions.defaults.write) {
-        //check to see if there are any default write permissions and add to the authorizedFields array
-        authorizedFields = authorizedFields.concat(vm.schema.permissions.defaults.write);
-      }
-
-      //create an update object that has been sanitized based on permissions
-      var sanitizedUpdate = {};
-      authorizedFields.forEach(function(field) {
-        sanitizedUpdate[field] = vm._update[field];
-      });
-
-      //check to see if the group is trying to update a field it does not have permission to
-      var discrepancies = _.difference(Object.keys(vm._update), Object.keys(sanitizedUpdate));
-      if (discrepancies[0]) {
-        //if a group is searching by a field they do not have access to, return an error
-        return next({message: 'permission denied', reason: 'you do not have access to the following fields: [' + discrepancies.toString() + ']'});
-      } else {
-
-        //Detect which fields can be returned if 'new: true' is set
-        if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].read) {
-
-          //check to see if the group has any read permissions and add to the authorizedFields array
-          authorizedReturnFields = authorizedReturnFields.concat(vm.schema.permissions[vm.options.authLevel].read);
+
+    function save(schema, next) {
+        var vm = schema;
+        if (authOptionPresent(vm)) {
+            if (hasPermission(vm, 'save')) {
+                //check to see if the group has permission to save a new document
+                return next();
+            } else {
+                return next({
+                    message: 'permission denied',
+                    reason: 'you do not have access to the following permissions: [save]'
+                });
+            }
+        } else {
+            return next();
         }
-        if (vm.schema.permissions.defaults && vm.schema.permissions.defaults.read) {
+    }
 
-          //check to see if there are any default read permissions and add to the authorizedFields array
-          authorizedReturnFields = authorizedReturnFields.concat(vm.schema.permissions.defaults.read);
+    function remove(schema, next) {
+        var vm = schema;
+        if (authOptionPresent(vm)) {
+            if (hasPermission(vm, 'remove')) {
+                //check to see if the group has permission to remove a document
+                return next();
+            } else {
+                return next({
+                    message: 'permission denied',
+                    reason: 'you do not have access to the following permissions: [remove]'
+                });
+            }
+        } else {
+            return next();
         }
+    }
+
+    function find(schema, next) {
+        var vm = schema;
+        var authorizedFields = [];
+        if (authOptionPresent(vm)) {
+            if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].read) {
+                //check to see if the group has any read permissions and add to the authorizedFields array
+                authorizedFields = authorizedFields.concat(getAuthorizedFields(vm, 'read'));
+            }
+            if (vm.schema.permissions.defaults && vm.schema.permissions.defaults.read) {
+                //check to see if there are any default read permissions and add to the authorizedFields array
+                authorizedFields = authorizedFields.concat(vm.schema.permissions.defaults.read);
+            }
 
-        //create a sanitizedReturnFields object that will be used to return only the fields that a group has access to read
-        var sanitizedReturnFields = {};
-        authorizedReturnFields.forEach(function(field) {
-          sanitizedReturnFields[field] = 1;
-        });
-        vm._fields = sanitizedReturnFields;
-        return next();
-      }
-    } else {
-      return next();
+            //create a projection object for mongoose based on the authorizedFields array
+            var sanitizedFind = {};
+            authorizedFields.forEach(function (field) {
+                sanitizedFind[field] = 1;
+            });
+
+            //Check to see if group has the permission to perform a find using the specified fields
+            var discrepancies = _.difference(Object.keys(vm._conditions), Object.keys(sanitizedFind));
+            if (discrepancies[0]) {
+                //if a group is searching by a field they do not have access to, return an error
+                return next({
+                    message: 'permission denied',
+                    reason: 'you do not have access to the following fields: [' + discrepancies.toString() + ']'
+                });
+            } else {
+                vm._fields = sanitizedFind;
+                return next();
+            }
+        } else {
+            return next();
+        }
+    }
+
+    function update(schema, next) {
+        var vm = schema;
+        var authorizedFields = [];
+        var authorizedReturnFields = [];
+        if (authOptionPresent(vm)) {
+            if (vm.options.upsert && !hasPermission(vm, 'save')) {
+                //check to see if 'upsert: true' option is set, then verify if group has save permission
+                return next({
+                    message: 'permission denied',
+                    reason: 'you do not have access to the following permissions: [save]'
+                });
+            }
+            if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].write) {
+                //check to see if group has any write permissions and add to the authorizedFields array
+                authorizedFields = authorizedFields.concat(getAuthorizedFields(vm, 'write'));
+            }
+            if (vm.schema.permissions.defaults && vm.schema.permissions.defaults.write) {
+                //check to see if there are any default write permissions and add to the authorizedFields array
+                authorizedFields = authorizedFields.concat(vm.schema.permissions.defaults.write);
+            }
+
+            //create an update object that has been sanitized based on permissions
+            var sanitizedUpdate = {};
+            authorizedFields.forEach(function (field) {
+                sanitizedUpdate[field] = vm._update[field];
+            });
+
+            //check to see if the group is trying to update a field it does not have permission to
+            var discrepancies = _.difference(Object.keys(vm._update), Object.keys(sanitizedUpdate));
+            if (discrepancies[0]) {
+                //if a group is searching by a field they do not have access to, return an error
+                return next({
+                    message: 'permission denied',
+                    reason: 'you do not have access to the following fields: [' + discrepancies.toString() + ']'
+                });
+            } else {
+
+                //Detect which fields can be returned if 'new: true' is set
+                if (vm.schema.permissions[vm.options.authLevel] && vm.schema.permissions[vm.options.authLevel].read) {
+
+                    //check to see if the group has any read permissions and add to the authorizedFields array
+                    authorizedReturnFields = authorizedReturnFields.concat(getAuthorizedFields(vm, 'read'));
+                }
+                if (vm.schema.permissions.defaults && vm.schema.permissions.defaults.read) {
+
+                    //check to see if there are any default read permissions and add to the authorizedFields array
+                    authorizedReturnFields = authorizedReturnFields.concat(vm.schema.permissions.defaults.read);
+                }
+
+                //create a sanitizedReturnFields object that will be used to return only the fields that a group has access to read
+                var sanitizedReturnFields = {};
+                authorizedReturnFields.forEach(function (field) {
+                    sanitizedReturnFields[field] = 1;
+                });
+                vm._fields = sanitizedReturnFields;
+                return next();
+            }
+        } else {
+            return next();
+        }
     }
-  }
 };
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "mongoose-authorization",
-  "version": "0.0.7",
+  "version": "0.1.0",
   "description": "Data level authorization for Mongoose",
   "main": "index.js",
   "scripts": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "mongoose-authorization",`
`3`		`- "version": "0.0.7",`
	`3`	`+ "version": "0.1.0",`
`4`	`4`	`"description": "Data level authorization for Mongoose",`
`5`	`5`	`"main": "index.js",`
`6`	`6`	`"scripts": {`