--- /dev/null
+/* Copyright (c) 2019 AT&T Intellectual Property. #\r
+# #\r
+# Licensed under the Apache License, Version 2.0 (the "License"); #\r
+# you may not use this file except in compliance with the License. #\r
+# You may obtain a copy of the License at #\r
+# #\r
+# http://www.apache.org/licenses/LICENSE-2.0 #\r
+# #\r
+# Unless required by applicable law or agreed to in writing, software #\r
+# distributed under the License is distributed on an "AS IS" BASIS, #\r
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #\r
+# See the License for the specific language governing permissions and #\r
+# limitations under the License. #\r
+##############################################################################*/\r
+\r
+\r
+const { AbilityBuilder, Ability } = require('@casl/ability');\r
+const config = require('../../../../config/default.json');\r
+\r
+Ability.addAlias('read', ['get', 'find']);\r
+Ability.addAlias('write', ['create', 'update', 'patch']);\r
+Ability.addAlias('delete', ['remove']);\r
+Ability.addAlias('execute', ['create', 'remove']);\r
+module.exports.defineAbilitiesFor = function (user, groups) {\r
+ const { rules, can, cannot } = AbilityBuilder.extract();\r
+ \r
+ // If user is a site wide admin, they get all access\r
+ if(user.permissions.includes('admin')){\r
+ can('execute', 'all');\r
+ can('management', 'all');\r
+ can('crud', 'all');\r
+ can('patch', 'all');\r
+ return new Ability(rules);\r
+ }\r
+\r
+ //Permissions associated to roles within groups\r
+ groups.forEach((elem, val) => {\r
+\r
+ if(elem.permissions.includes('management')){\r
+ can('management', 'groups', {_id: elem._id});\r
+ can('write', 'groups', ['groupDescription', 'members', 'mechanizedIds', 'roles', 'updatedAt', 'updatedBy'], { _id: elem._id });\r
+ can('write', 'groups', ['ownerId'], { _id: elem._id, ownerId: user._id});\r
+\r
+ //remove management from the array of permissions\r
+ elem.permissions.splice(elem.permissions.indexOf('management'), 1);\r
+ }\r
+\r
+ //Executing Test Instances\r
+ if(elem.permissions.includes('execute')){\r
+ can('execute', 'execute');\r
+ can('execute', 'testInstances', { groupId: elem._id });\r
+ can('create', 'jobs');\r
+ can('remove', 'jobs');\r
+ \r
+ //remove execute permission from the array of permissions\r
+ elem.permissions.splice(elem.permissions.indexOf('execute'), 1);\r
+ }\r
+\r
+ //Test Heads can be accessed by members of the group\r
+ can(elem.permissions, 'testHeads', { groupId: elem._id });\r
+\r
+ //Test Definitions can be accessed by members of the group\r
+ can(elem.permissions, 'testDefinitions', { groupId: elem._id });\r
+\r
+ //Test Instances can be accessed by members of the group\r
+ can(elem.permissions, 'testInstances', { groupId: elem._id });\r
+\r
+ //Test Executions can be accessed by members of the group\r
+ can('read', 'testExecutions', { groupId: elem._id });\r
+ can('read', 'testExecutions', ["_id", "groupId", "testHeadResults.testHeadId", "testHeadResults.testHeadName", "testHeadResults.testHeadGroupId", "testHeadResults.startTime", "testHeadResults.endTime"], {"testHeadResults.testHeadGroupId": elem._id});\r
+\r
+ });\r
+\r
+ /*************************************\r
+ * TEST HEADS access\r
+ */\r
+\r
+ //-- READ\r
+ // Users can read all public test heads\r
+ can('read', 'testHeads', { isPublic: true });\r
+\r
+ // Users should never be able to read the credential \r
+ cannot('read', 'testHeads', ['authorizationCredential']);\r
+\r
+ //-- EXECUTE\r
+ // Users can execute all public test heads\r
+ can('execute', 'testHeads', { isPublic: true });\r
+\r
+ /*************************************\r
+ * USERS access\r
+ */\r
+\r
+ //-- READ\r
+\r
+ // Users should be able to view all users' basic information, and can read more information if it is their user object\r
+ can('read', 'users', ['_id', 'firstName', 'lastName', 'email']);\r
+ can('read', 'users', ['permissions', 'favorites', 'defaultGroup', 'defaultGroupEnabled'], { _id: user._id });\r
+\r
+ //-- WRITE\r
+\r
+ // Users should be able to only edit specific fields from their user object\r
+ can('write', 'users', ['password', 'favorites', 'defaultGroup', 'defaultGroupEnabled', 'updatedBy', 'updatedAt'], { _id: user._id })\r
+\r
+ \r
+\r
+ //Authentication\r
+ can(['create', 'remove'], 'authentication');\r
+ \r
+ return new Ability(rules);\r
+}
\ No newline at end of file
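Review bot: The public test-head grant `can('execute', 'testHeads', { isPublic: true })` near the end of the hunk hands every authenticated user `create` and `remove` on public test heads, because `Ability.addAlias('execute', ['create', 'remove'])` at the top of the file makes CASL index any `execute` rule under those two actions as well — as far as I can tell from the visible code, that means any non-admin can delete a public test head through the testHeads service, and the same expansion applies to `can('execute', 'testInstances', { groupId: elem._id })` in the group loop. The alias appears to exist so that `execute` on the `execute`/`jobs` subjects means "create or cancel a run"; if so, it should not be a global alias. I would drop the `Ability.addAlias('execute', ['create', 'remove']);` line and spell that intent out where it is wanted, e.g. `can(['create', 'remove'], 'execute');`, leaving `execute` on testHeads and testInstances as a plain action that the execution service checks explicitly (the admin branch's `can('execute', 'all')` still works unchanged). Separately, the two `elem.permissions.splice(...)` calls mutate the caller's group objects, so a second call with the same `groups` array silently loses the `management` and `execute` roles; filtering into a local copy (`const rest = elem.permissions.filter(p => p !== 'management' && p !== 'execute');`) avoids that.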