updated api listing role

2025-10-10 05:47:00 +08:00 · 2018-10-12 15:38:00 +03:00 · 2018-10-12 15:38:00 +03:00 · c9c441c01b
commit c9c441c01b
parent b217568fe6
3 changed files with 52 additions and 3 deletions
--- a/config/roles.json
+++ b/config/roles.json
@ -1,5 +1,9 @@
 {
    "root": {
+        "addresslisting": {
+            "read:any": ["*"]
+        },
+
        "addresses": {
            "create:any": ["*"],
            "read:any": ["*"],
@ -12,6 +16,10 @@
            "read:any": ["*"]
        },

+        "userlisting": {
+            "read:any": ["*", "!audit"]
+        },
+
        "users": {
            "create:any": ["*", "!audit"],
            "read:any": ["*", "!audit"],
@ -69,6 +77,10 @@
    },

    "manager": {
+        "addresslisting": {
+            "read:any": ["*"]
+        },
+
        "addresses": {
            "create:any": ["*"],
            "read:any": ["*"],
@ -81,6 +93,10 @@
            "read:any": ["*"]
        },

+        "userlisting": {
+            "read:any": ["*", "!audit"]
+        },
+
        "users": {
            "create:any": ["*", "!audit"],
            "read:any": ["*", "!audit"],
@ -177,6 +193,10 @@
    },

    "user": {
+        "addresslisting": {
+            "read:own": ["*"]
+        },
+
        "addresses": {
            "create:own": ["*"],
            "read:own": ["*"],
@ -188,6 +208,10 @@
            "read:own": ["*"]
        },

+        "userlisting": {
+            "read:own": ["*", "!audit"]
+        },
+
        "users": {
            "read:own": ["*", "!audit"],
            "update:own": ["*", "!audit"]
--- a/lib/api/addresses.js
+++ b/lib/api/addresses.js
@ -126,7 +126,17 @@ module.exports = (db, server) => {
            }

            // permissions check
-            req.validate(roles.can(req.role).readAny('addresses'));
+            let permission;
+            let ownOnly = false;
+            permission = roles.can(req.role).readAny('addresslisting');
+            if (!permission.granted && req.user && ObjectID.isValid(req.user)) {
+                permission = roles.can(req.role).readOwn('addresslisting');
+                if (permission.granted) {
+                    ownOnly = true;
+                }
+            }
+            // permissions check
+            req.validate(permission);

            let query = result.value.query;
            let limit = result.value.limit;
@ -180,6 +190,10 @@ module.exports = (db, server) => {
                filter.tagsview = tagsview;
            }

+            if (ownOnly) {
+                filter.user = new ObjectID(req.user);
+            }
+
            let total = await db.users.collection('addresses').countDocuments(filter);

            let opts = {
--- a/lib/api/users.js
+++ b/lib/api/users.js
@ -153,8 +153,15 @@ module.exports = (db, server, userHandler) => {
                return next();
            }

-            let permission = roles.can(req.role).readAny('users');
-
+            let permission;
+            let ownOnly = false;
+            permission = roles.can(req.role).readAny('userlisting');
+            if (!permission.granted && req.user && ObjectID.isValid(req.user)) {
+                permission = roles.can(req.role).readOwn('userlisting');
+                if (permission.granted) {
+                    ownOnly = true;
+                }
+            }
            // permissions check
            req.validate(permission);

@ -220,6 +227,10 @@ module.exports = (db, server, userHandler) => {
                filter.tagsview = tagsview;
            }

+            if (ownOnly) {
+                filter._id = new ObjectID(req.user);
+            }
+
            let total = await db.users.collection('users').countDocuments(filter);

            let opts = {