added svcapi ui and camunda code
diff --git a/otf-frontend/server/src/feathers/hooks/permissions/abilities.js b/otf-frontend/server/src/feathers/hooks/permissions/abilities.js
new file mode 100644 (file)
index 0000000..8d1d3e5
--- /dev/null
@@ -0,0 +1,110 @@
+/*  Copyright (c) 2019 AT&T Intellectual Property.                             #\r
+#                                                                              #\r
+#   Licensed under the Apache License, Version 2.0 (the "License");            #\r
+#   you may not use this file except in compliance with the License.           #\r
+#   You may obtain a copy of the License at                                    #\r
+#                                                                              #\r
+#       http://www.apache.org/licenses/LICENSE-2.0                             #\r
+#                                                                              #\r
+#   Unless required by applicable law or agreed to in writing, software        #\r
+#   distributed under the License is distributed on an "AS IS" BASIS,          #\r
+#   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.   #\r
+#   See the License for the specific language governing permissions and        #\r
+#   limitations under the License.                                             #\r
+##############################################################################*/\r
+\r
+\r
+const { AbilityBuilder, Ability } = require('@casl/ability');\r
+const config = require('../../../../config/default.json');\r
+\r
+Ability.addAlias('read', ['get', 'find']);\r
+Ability.addAlias('write', ['create', 'update', 'patch']);\r
+Ability.addAlias('delete', ['remove']);\r
+Ability.addAlias('execute', ['create', 'remove']);\r
+module.exports.defineAbilitiesFor = function (user, groups) {\r
+    const { rules, can, cannot } = AbilityBuilder.extract();\r
+    \r
+    // If user is a site wide admin, they get all access\r
+    if(user.permissions.includes('admin')){\r
+        can('execute', 'all');\r
+        can('management', 'all');\r
+        can('crud', 'all');\r
+        can('patch', 'all');\r
+        return new Ability(rules);\r
+    }\r
+\r
+    //Permissions associated to roles within groups\r
+       groups.forEach((elem, val) => {\r
+\r
+        if(elem.permissions.includes('management')){\r
+            can('management', 'groups', {_id: elem._id});\r
+            can('write', 'groups', ['groupDescription', 'members', 'mechanizedIds', 'roles', 'updatedAt', 'updatedBy'], { _id: elem._id });\r
+            can('write', 'groups', ['ownerId'], { _id: elem._id, ownerId: user._id});\r
+\r
+            //remove management from the array of permissions\r
+            elem.permissions.splice(elem.permissions.indexOf('management'), 1);\r
+        }\r
+\r
+        //Executing Test Instances\r
+        if(elem.permissions.includes('execute')){\r
+            can('execute', 'execute');\r
+            can('execute', 'testInstances', { groupId: elem._id });\r
+            can('create', 'jobs');\r
+            can('remove', 'jobs');\r
+            \r
+            //remove execute permission from the array of permissions\r
+            elem.permissions.splice(elem.permissions.indexOf('execute'), 1);\r
+        }\r
+\r
+        //Test Heads can be accessed by members of the group\r
+        can(elem.permissions, 'testHeads', { groupId: elem._id });\r
+\r
+               //Test Definitions can be accessed by members of the group\r
+        can(elem.permissions, 'testDefinitions', { groupId: elem._id });\r
+\r
+               //Test Instances can be accessed by members of the group\r
+        can(elem.permissions, 'testInstances', { groupId: elem._id });\r
+\r
+        //Test Executions can be accessed by members of the group\r
+        can('read', 'testExecutions', { groupId: elem._id });\r
+        can('read', 'testExecutions', ["_id", "groupId", "testHeadResults.testHeadId", "testHeadResults.testHeadName", "testHeadResults.testHeadGroupId", "testHeadResults.startTime", "testHeadResults.endTime"], {"testHeadResults.testHeadGroupId": elem._id});\r
+\r
+    });\r
+\r
+    /*************************************\r
+    *   TEST HEADS access\r
+    */\r
+\r
+    //-- READ\r
+    // Users can read all public test heads\r
+    can('read', 'testHeads', { isPublic: true });\r
+\r
+    // Users should never be able to read the credential \r
+    cannot('read', 'testHeads', ['authorizationCredential']);\r
+\r
+    //-- EXECUTE\r
+    // Users can execute all public test heads\r
+    can('execute', 'testHeads', { isPublic: true });\r
+\r
+    /*************************************\r
+    *   USERS access\r
+    */\r
+\r
+    //-- READ\r
+\r
+    // Users should be able to view all users' basic information, and can read more information if it is their user object\r
+    can('read', 'users', ['_id', 'firstName', 'lastName', 'email']);\r
+    can('read', 'users', ['permissions', 'favorites', 'defaultGroup', 'defaultGroupEnabled'], { _id: user._id });\r
+\r
+    //-- WRITE\r
+\r
+    // Users should be able to only edit specific fields from their user object\r
+    can('write', 'users', ['password', 'favorites', 'defaultGroup', 'defaultGroupEnabled', 'updatedBy', 'updatedAt'], { _id: user._id })\r
+\r
+    \r
+\r
+    //Authentication\r
+    can(['create', 'remove'], 'authentication');\r
+    \r
+    return new Ability(rules);\r
+}   
\ No newline at end of file
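Review bot: The two `elem.permissions.splice(...)` calls in the `management` and `execute` branches mutate the group objects the caller passed in, so if the same `groups` array is reused (a cached lookup or a shared document — cannot tell from this hunk) a later call to `defineAbilitiesFor` no longer sees those permissions and silently grants less; deriving the membership list from a copy avoids that: `const memberPerms = elem.permissions.filter((p) => p !== 'management' && p !== 'execute');` and pass `memberPerms` instead of `elem.permissions` to the three `can(...)` calls for `testHeads`, `testDefinitions` and `testInstances`. The exported function has no doc comment; I would add `/** Builds the CASL Ability for `user` from its site-wide permissions and its roles in `groups`; site-wide admins short-circuit to unrestricted access, so the `cannot('read', 'testHeads', ['authorizationCredential'])` rule below does not apply to them. */` above `module.exports.defineAbilitiesFor`. `user.permissions.includes('admin')` throws if `permissions` is missing on the user document, which turns an incomplete record into a 500 rather than a denial — worth a `?? []` if the user schema allows it to be absent. Indentation mixes tabs and spaces (the `groups.forEach` line and two of the inner comments) and the `can('write', 'users', ...)` statement lacks a semicolon; the file would benefit from a formatter pass.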