Adding support for actions!

See readme for details.

Author: makinde

README.md

@@ -50,7 +50,8 @@ userSchema.permissions = {
   admin: {
     read: ['status'],
     write: ['status'],
-    create: true
+    create: true,
+    actions: ['merge'],
   },
   owner: {
     read: ['status'],
@@ -71,6 +72,7 @@ The permissions object consists of properties that represent your authorization
 * `remove` - Boolean
 * `write` - [array of fields] *NOTE: if `upsert: true`, the group will need to have `create` permissions too*
 * `read` - [array of fields]
+* `actions` - An array or arbitrary strings that lets you define more complicated actions (usually involving multiple fields or documents) that are allowed. Your own application code will need to handle the updates (likely disabling field level checking for those updates).
 
 You can also specify a `defaults` group, which represents permissions that are available to all groups.
 
@@ -145,7 +147,8 @@ console.log(user.permissions);
 // {
 //   read: [...],
 //   write: [...],
-//   remove: [boolean]
+//   remove: [boolean],
+//   actions: [...],
 // }
 
 // OR
@@ -156,7 +159,8 @@ console.log(user.foo);
 // {
 //   read: [...],
 //   write: [...],
-//   remove: [boolean]
+//   remove: [boolean],
+//   actions: [...],
 // }
 ```
 

__tests__/embedPermissions.test.js

@@ -11,6 +11,7 @@ test.before((t) => {
       write: ['friend'],
       create: true,
       remove: true,
+      actions: ['like'],
     },
   };
   t.context.schema = schema;
@@ -54,6 +55,7 @@ test('Permissions embedded under default key', (t) => {
       read: ['friend'],
       write: ['friend'],
       remove: true,
+      actions: ['like'],
     },
     'Incorrect permissions embedded',
   );
@@ -66,6 +68,7 @@ test('Permissions embedded under default key', (t) => {
       read: [],
       write: [],
       remove: false,
+      actions: [],
     },
     'Incorrect permissions embedded',
   );
@@ -79,6 +82,7 @@ test('Permissions embedded under custom key', (t) => {
       read: ['friend'],
       write: ['friend'],
       remove: true,
+      actions: ['like'],
     },
     'Incorrect permissions embedded',
   );
@@ -91,6 +95,7 @@ test('Permissions embedded under custom key', (t) => {
       read: [],
       write: [],
       remove: false,
+      actions: [],
     },
     'Incorrect permissions embedded',
   );
@@ -135,11 +140,36 @@ test('Verify that the permissions data cannot be changed', (t) => {
     'The permissions object shouldn\'t be writable [remove]',
   );
 
+  t.throws(
+    () => { doc.permissions.actions = []; },
+    Error,
+    'The permissions object shouldn\'t be writable [actions]',
+  );
+
   t.throws(
     () => { doc.permissions = {}; },
     Error,
     'The permissions field should not be writable',
   );
+
+  // Try to directly edit the fields. These won't throw, but also shouldn't
+  // affect the permissions on the object.
+  doc.permissions.read.push('foo');
+  doc.permissions.write.push('foo');
+  doc.permissions.actions.push('foo');
+  doc.permissions.read.shift();
+  doc.permissions.write.shift();
+  doc.permissions.actions.shift();
+  t.deepEqual(
+    doc.permissions,
+    {
+      read: ['friend'],
+      write: ['friend'],
+      remove: true,
+      actions: ['like'],
+    },
+    'Permissions able to be mutated when they should not be.',
+  );
 });
 
 test.todo('Make sure enumerable is set to true for the embedded permissions');

__tests__/exampleSchemas/bareBonesSchema.js

@@ -7,6 +7,7 @@ bareBonesSchema.permissions = {
     write: ['address', 'phone', 'birthday', 'not_here_either'],
     create: true,
     remove: true,
+    actions: ['sayHello', 'jumpRealHigh'],
   },
 };
 

__tests__/exampleSchemas/goodSchema.js

@@ -12,16 +12,19 @@ goodSchema.permissions = {
     read: ['_id', 'name'],
     write: [],
     create: false,
+    actions: ['wave'],
   },
   admin: {
     read: ['address', 'phone', 'birthday'],
     write: ['address', 'phone', 'birthday'],
     create: true,
     remove: true,
+    actions: ['combine'],
   },
   self: {
     read: ['address', 'phone', 'birthday'],
     write: ['address', 'phone'],
+    actions: ['combine'],
   },
   stranger: {},
   hasVirtuals: {

__tests__/getAuthorizedActions.test.js

@@ -0,0 +1,39 @@
+const test = require('ava');
+const goodSchema = require('./exampleSchemas/goodSchema');
+const bareBonesSchema = require('./exampleSchemas/bareBonesSchema');
+const getAuthorizedActions = require('../src/getAuthorizedActions');
+
+test('No matching authLevels', (t) => {
+  t.deepEqual(
+    getAuthorizedActions(bareBonesSchema, 'foobar'),
+    [],
+  );
+});
+
+test('Handles non-existent authLevels', (t) => {
+  t.deepEqual(
+    getAuthorizedActions(goodSchema, ['defaults', 'foobar']),
+    ['wave'],
+  );
+});
+
+test('Combines basic authLevel actions', (t) => {
+  t.deepEqual(
+    getAuthorizedActions(goodSchema, ['defaults', 'admin']).sort(),
+    ['combine', 'wave'].sort(),
+  );
+});
+
+test('Handles authLevels that have no actions specified', (t) => {
+  t.deepEqual(
+    getAuthorizedActions(goodSchema, ['defaults', 'stranger']),
+    ['wave'],
+  );
+});
+
+test('Correctly deduping actions that are mentioned in multiple authLevels', (t) => {
+  t.deepEqual(
+    getAuthorizedActions(goodSchema, ['defaults', 'self', 'admin']).sort(),
+    ['combine', 'wave'].sort(),
+  );
+});

src/embedPermissions.js

@@ -1,5 +1,6 @@
 const _ = require('lodash');
 const getAuthorizedFields = require('./getAuthorizedFields');
+const getAuthorizedActions = require('./getAuthorizedActions');
 const hasPermission = require('./hasPermission');
 
 const embedPermissionsSymbol = Symbol('Embedded Permissions');
@@ -24,10 +25,16 @@ function embedPermissions(schema, options, authLevels, doc) {
     });
   }
 
+  const read = getAuthorizedFields(schema, authLevels, 'read');
+  const write = getAuthorizedFields(schema, authLevels, 'write');
+  const hasRemovePermission = hasPermission(schema, authLevels, 'remove');
+  const actions = getAuthorizedActions(schema, authLevels);
+
   doc[embedPermissionsSymbol] = Object.freeze({
-    read: getAuthorizedFields(schema, authLevels, 'read'),
-    write: getAuthorizedFields(schema, authLevels, 'write'),
-    remove: hasPermission(schema, authLevels, 'remove'),
+    get read() { return [...read]; },
+    get write() { return [...write]; },
+    remove: hasRemovePermission,
+    get actions() { return [...actions]; },
   });
 }
 

src/getAuthorizedActions.js

@@ -0,0 +1,14 @@
+const _ = require('lodash');
+const cleanAuthLevels = require('./cleanAuthLevels');
+
+function getAuthorizedActions(schema, authLevels) {
+  const cleanedLevels = cleanAuthLevels(schema, authLevels);
+
+  return _.chain(cleanedLevels)
+    .flatMap(level => schema.permissions[level].actions)
+    .filter()
+    .uniq() // dropping duplicates
+    .value();
+}
+
+module.exports = getAuthorizedActions;