1 /* Copyright (c) 2019 AT&T Intellectual Property. #
\r
3 # Licensed under the Apache License, Version 2.0 (the "License"); #
\r
4 # you may not use this file except in compliance with the License. #
\r
5 # You may obtain a copy of the License at #
\r
7 # http://www.apache.org/licenses/LICENSE-2.0 #
\r
9 # Unless required by applicable law or agreed to in writing, software #
\r
10 # distributed under the License is distributed on an "AS IS" BASIS, #
\r
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
\r
12 # See the License for the specific language governing permissions and #
\r
13 # limitations under the License. #
\r
14 ##############################################################################*/
\r
17 const { AbilityBuilder, Ability } = require('@casl/ability');
\r
18 const config = require('../../../../config/default.json');
\r
// Action aliases for the ability rules built below. CASL expands a rule declared with
// an alias into the actions listed here, so every `can(alias, subject)` in this file is
// also a grant of each right-hand-side action on that subject. In particular 'execute'
// implies create AND remove: `can('execute', X)` also authorizes creating and removing X.
const ACTION_ALIASES = [
  ['read', ['get', 'find']],
  ['write', ['create', 'update', 'patch']],
  ['delete', ['remove']],
  ['execute', ['create', 'remove']],
];

ACTION_ALIASES.forEach(([alias, actions]) => Ability.addAlias(alias, actions));
\r
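/**
 * Build the CASL Ability for an authenticated user.
 *
 * @param {{_id: *, permissions?: string[]}} user - the authenticated user. Only the
 *   site-wide permission 'admin' is interpreted here; `_id` scopes the self-only rules
 *   on `users` and on `groups.ownerId`.
 * @param {Array<{_id: *, permissions?: string[]}>} groups - the groups the user belongs
 *   to, each carrying the permission strings of the user's role in that group. Apart from
 *   'management' and 'execute', which are interpreted here, those strings are handed to
 *   CASL verbatim as action names on the group's testHeads/testDefinitions/testInstances.
 * @returns {Ability} the assembled ability. Rule order is significant: CASL resolves the
 *   last matching rule, so a `cannot` only overrides grants declared before it.
 */
module.exports.defineAbilitiesFor = function (user, groups) {
  const { rules, can, cannot } = AbilityBuilder.extract();

  // Fail closed on malformed input: a user without a permissions array, or without a
  // group list, simply receives no rules from that source instead of throwing.
  const sitePermissions = Array.isArray(user.permissions) ? user.permissions : [];
  const memberships = Array.isArray(groups) ? groups : [];

  // Site-wide admins get the blanket grants and return early, so none of the per-user
  // rules below apply to them -- including the 'authorizationCredential' field deny.
  // NOTE(review): 'execute' expands to create/remove via the alias at the top of this
  // file; read/find/get/update are not granted here, so admins presumably bypass
  // authorization elsewhere -- confirm against the service hooks.
  if (sitePermissions.includes('admin')) {
    can('execute', 'all');
    can('management', 'all');
    can('patch', 'all');
    return new Ability(rules);
  }

  // Permissions associated to roles within groups
  memberships.forEach((group) => {
    const groupPermissions = Array.isArray(group.permissions) ? group.permissions : [];

    // Group managers may edit the group document; ownership can only be handed over
    // by the current owner.
    if (groupPermissions.includes('management')) {
      can('management', 'groups', { _id: group._id });
      can('write', 'groups', ['groupDescription', 'members', 'mechanizedIds', 'roles', 'updatedAt', 'updatedBy'], { _id: group._id });
      can('write', 'groups', ['ownerId'], { _id: group._id, ownerId: user._id });
    }

    // Executing Test Instances. 'execute' is an alias for create/remove, so this also
    // lets the role create and remove the group's test instances.
    if (groupPermissions.includes('execute')) {
      can('execute', 'execute');
      can('execute', 'testInstances', { groupId: group._id });
      can('create', 'jobs');
      can('remove', 'jobs');
    }

    // Whatever else the role lists is used directly as CASL action names on the group's
    // own resources. This is computed as a copy: the previous implementation spliced
    // 'management' and 'execute' out of group.permissions in place, so calling this
    // function twice with the same group objects silently dropped those two grants.
    const resourceActions = groupPermissions.filter(
      (permission) => permission !== 'management' && permission !== 'execute'
    );
    if (resourceActions.length > 0) {
      // Test Heads, Test Definitions and Test Instances can be accessed by members of the group
      can(resourceActions, 'testHeads', { groupId: group._id });
      can(resourceActions, 'testDefinitions', { groupId: group._id });
      can(resourceActions, 'testInstances', { groupId: group._id });
    }

    // Test Executions: full read within the group, and a restricted field set on
    // executions that only used one of this group's test heads.
    can('read', 'testExecutions', { groupId: group._id });
    can('read', 'testExecutions', ['_id', 'groupId', 'testHeadResults.testHeadId', 'testHeadResults.testHeadName', 'testHeadResults.testHeadGroupId', 'testHeadResults.startTime', 'testHeadResults.endTime'], { 'testHeadResults.testHeadGroupId': group._id });
  });

  // Users can read all public test heads
  can('read', 'testHeads', { isPublic: true });

  // Users should never be able to read the credential. This cannot must stay AFTER every
  // can(..., 'testHeads', ...) above: CASL gives later rules precedence, so an inverted
  // rule declared earlier would be overridden by the group grants.
  cannot('read', 'testHeads', ['authorizationCredential']);

  // Users can execute all public test heads
  // NOTE(review): because 'execute' aliases create/remove, this rule also authorizes any
  // signed-in user to `remove` every public test head (and to `create` test heads with
  // isPublic: true) unless the testHeads service hooks restrict those methods -- confirm,
  // and if that is not intended grant only the action the execute path actually checks.
  can('execute', 'testHeads', { isPublic: true });

  // Users should be able to view all users' basic information, and can read more
  // information if it is their user object
  can('read', 'users', ['_id', 'firstName', 'lastName', 'email']);
  can('read', 'users', ['permissions', 'favorites', 'defaultGroup', 'defaultGroupEnabled'], { _id: user._id });

  // Users should be able to only edit specific fields from their user object
  can('write', 'users', ['password', 'favorites', 'defaultGroup', 'defaultGroupEnabled', 'updatedBy', 'updatedAt'], { _id: user._id });

  // Presumably login (create) and logout (remove) on the authentication service.
  can(['create', 'remove'], 'authentication');

  return new Ability(rules);
};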
\r