1 /* Copyright (c) 2019 AT&T Intellectual Property. #
\r
3 # Licensed under the Apache License, Version 2.0 (the "License"); #
\r
4 # you may not use this file except in compliance with the License. #
\r
5 # You may obtain a copy of the License at #
\r
7 # http://www.apache.org/licenses/LICENSE-2.0 #
\r
9 # Unless required by applicable law or agreed to in writing, software #
\r
10 # distributed under the License is distributed on an "AS IS" BASIS, #
\r
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
\r
12 # See the License for the specific language governing permissions and #
\r
13 # limitations under the License. #
\r
14 ##############################################################################*/
\r
17 // Use this hook to manipulate incoming or outgoing data.
\r
18 // For more information on hooks see: http://docs.feathersjs.com/api/hooks.html
\r
19 const { iff, disallow } = require('feathers-hooks-common');
\r
20 const errors = require('@feathersjs/errors');
\r
21 const { ObjectID } = require('mongodb');
\r
22 //const getEntity = async (context) => await new Promise((resolve, reject) => context.app.services[context.path].get(context.id || context.data._id, context.params).then(r => {resolve(r)}).catch(e => {reject(e)}));
\r
24 module.exports.groupFilter = function (options = null) {
\r
25 return async context => {
\r
27 if (!context.params.provider) {
\r
28 return Promise.resolve(context);
\r
31 switch(context.method){
\r
33 context.params.query._id = new ObjectID(context.id);
\r
35 let result = await context.app.services[context.app.get('base-path') + 'groups'].find(context.params);
\r
36 if(result.data && result.data.length > 0){
\r
37 context.result = result.data[0];
\r
38 }else if(result.length > 0){
\r
39 context.result = result[0];
\r
41 context.result = [];
\r
45 if(typeof context.params.user._id === 'string'){
\r
46 context.params.user._id = new ObjectID(context.params.user._id);
\r
49 if(!context.params.user.permissions.includes('admin')){
\r
50 context.params.query['members.userId'] = context.params.user._id;
\r
53 let lookup = context.params.query.lookup;
\r
54 delete context.params.query.lookup;
\r
56 // If graphLookup is supplied in the query params as true, lookup all parents and children
\r
57 if(lookup == 'up' || lookup == 'both'){
\r
58 context.result = await new Promise((resolve, reject) => {
\r
59 context.app.services[context.app.get('base-path') + 'groups'].Model.aggregate([
\r
61 $match: context.params.query
\r
63 ]).then(async res => {
\r
65 for(let i = 0; i < res.length; i++){
\r
66 res[i]['parentGroups'] = await getParentGroups(context.app.services[context.app.get('base-path') + 'groups'].Model, res[i]);
\r
71 throw new errors.GeneralError(err);
\r
76 //if user is an admin in one of ther groups, find children groups
\r
77 if(lookup == 'down' || lookup == 'both'){
\r
78 //this will be set if lookup already occured
\r
80 for(let i = 0; i < context.result.length; i++){
\r
81 //only find children if they are admins
\r
82 if(checkGroupForPermission(context.result[i], context.params.user, 'management')){
\r
83 let children = await getChildGroups(context.app.services[context.app.get('base-path') + 'groups'].Model, context.result[i]);
\r
84 context.result[i]['childGroups'] = children;
\r
88 context.result = await new Promise(async (resolve, reject) => {
\r
89 context.app.services[context.app.get('base-path') + 'groups'].find(context.params).then(async res => {
\r
96 for(let i = 0; i < results.length; i++){
\r
97 if(checkGroupForPermission(results[i], context.params.user, 'management')){
\r
98 results[i]['childGroups'] = await getChildGroups(context.app.services[context.app.get('base-path') + 'groups'].Model, results[i]);
\r
103 throw new errors.GeneralError(err);
\r
129 getParentGroups = async function(model, group){
\r
130 return new Promise(async (resolve, reject) => {
\r
131 let parentGroups = [];
\r
132 if(group.parentGroupId){
\r
136 '_id': group.parentGroupId
\r
139 ]).then(async res => {
\r
140 if(res[0] && res[0].parentGroupId){
\r
141 parentGroups.unshift(res[0]);
\r
142 let parents = await getParentGroups(model, res[0]);
\r
143 parents.forEach(e => {
\r
144 parentGroups.unshift(e);
\r
147 resolve(parentGroups);
\r
158 getChildGroups = async function(model, group){
\r
159 return new Promise(async (resolve, reject) => {
\r
160 let childGroups = [];
\r
164 'parentGroupId': group._id
\r
167 ]).then(async res => {
\r
168 if(res.length > 0){
\r
169 for(let i = 0; i < res.length; i++){
\r
170 childGroups.push(res[i]);
\r
171 let childern = await getChildGroups(model, res[i]);
\r
172 childern.forEach((elem, val) => {
\r
173 childGroups.push(elem);
\r
177 resolve(childGroups);
\r
185 checkGroupForPermission = function(group, user, permission){
\r
186 let result = false;
\r
187 group.members.forEach((member, val) => {
\r
188 if(member.userId.toString() == user._id.toString()){
\r
189 group.roles.forEach((e,v) => {
\r
190 if(e.permissions.includes(permission)){
\r
191 if(member.roles.includes(e.roleName)){
\r
203 module.exports.afterGroups = function(){
\r
204 return async context => {
\r
209 module.exports.userFilter = function (){
\r
210 return async context => {
\r
212 if(context.params.query){
\r
213 context.params.query._id = context.params.user._id;
\r
215 if(context.id && context.id != context.params.user._id){
\r
216 throw new errors.Forbidden();
\r
219 if(context.data._id && context.data._id != context.params.user._id){
\r
220 throw new errors.Forbidden();
\r
222 //should not be able to edit their groups
\r
223 delete context.data.groups;
\r
224 //should not be able to edit their permissions
\r
225 delete context.data.permissions;
\r
227 delete context.data.createdAt;
\r
228 delete context.data.updatedAt;
\r
229 delete context.data.enabled;
\r
234 module.exports.getGroupFilter = function (options = { key: 'groupId' }) {
\r
235 return async hook => {
\r
236 if(!hook.params.query){
\r
237 hook.params.query = {};
\r
240 hook.params.query._id = hook.id;
\r
243 return hook.service.find(hook.params)
\r
246 hook.result = result.data[0];
\r
248 hook.result = result;
\r
Code Review / it / otf.git / blob