fullcube / loopback-component-access-groups

Access controls for Loopback.

JavaScript 100.00%
loopback loopback-component fullcube lb2 mit acl groups


loopback-component-access-groups's Issues

Crash with mongodb connector due to getCurrentContext()

Your component is great but I run into crashes when I use the mongodb connector.

It happens when trying to call set() on a null object returned from this.app.loopback.getCurrentContext()
https://github.com/fullcube/loopback-component-access-groups/blob/master/lib/utils.js#L298

To reproduce it you can change the datasource in your simple-app using this configuration:

{
  "db": {
    "host": "127.0.0.1",
    "port": 27017,
    "database": "group-access-test",
    "name": "db",
    "connector": "mongodb"
  }
}

There are many issues on loopback's GitHub project about mongodb and getCurrentContext(); they are probably related, but they are all "Closed".
strongloop/loopback#885
strongloop/loopback#809
and more

Using the memory connector works fine.

I am using the latest packages:

    "loopback": "^2.29.1",
    "loopback-boot": "^2.21.0",
    "loopback-component-access-groups": "^0.2.0",
    "loopback-connector-mongodb": "^1.15.2",
    "loopback-datasource-juggler": "^2.47.0",

An in-range update of chai is breaking the build 🚨

Version 4.1.1 of chai just got published.

Branch Build failing 🚨
Dependency chai
Current Version 4.1.0
Type devDependency

This version is covered by your current version range and after updating it in your project the build failed.

As chai is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Status Details
  • ❌ ci/circleci Your tests failed on CircleCI Details

Release Notes 4.1.1 / 2017-08-05

This release includes a few bug and documentation fixes.

Bug Fixes

Docs

Commits

The new version differs by 10 commits.

  • 02ddebd Merge pull request #1019 from meeber/release-4.1.1
  • ac48db3 [email protected]
  • d2e9599 Merge pull request #1016 from chaijs/fix-reindent-code-1014
  • 92d2cca docs: re-indent hasAnyKeys code
  • b625497 Merge pull request #1012 from meeber/fix-include-types
  • 8fa24f2 Merge pull request #1014 from zenHeart/fix-hasAnyKeys-comment
  • 113a5b8 fix: correct hasAnyKeys comment error
  • c01cf30 fix: .include to work with all objects
  • 1847ef8 Merge pull request #1008 from meeber/fix-ie11-instanceof
  • c107abb fix: .instanceof to allow DOM interfaces in IE11

See the full diff

Not sure how things should work exactly?

There is a collection of frequently asked questions and of course you may always ask my humans.


Your Greenkeeper Bot 🌴

Support for LoopBack 3.x

Hello,
Do you plan to adjust this package to be usable with LoopBack 3.x? That would mainly mean refactoring the code to use options propagation rather than the deprecated LoopBack current-context APIs (see documentation for details).

Different relationship between User and Group

Hi, I need to work with the following relations instead:

User -> belongsTo -> Groups
Group -> hasMany -> Users

How can I override these relations in the component configuration options?

Thanks in advance.

Allow for multiple group models

In my scenario I want to use the component to have two levels of access groups.

  1. Multi-Tenant separation - models will belong to a Tenant Group Model.
  2. Within each Tenant Group, I want to have another Post Group Model - which only some users can have access to.

Is there a way to implement such an architecture with loopback-component-access-groups? How should I approach this?

this.getCurrentUser returns wrong user

When we have multiple users using the system at the same time, the this.getCurrentUser call will often return the wrong value.

It seems that getCurrentContext has several issues listed in the loopback github issues and google groups. I'm curious if you've experienced this at all or have any suggestions on how to resolve it?

An in-range update of supertest is breaking the build 🚨

Version 3.3.0 of supertest was just published.

Branch Build failing 🚨
Dependency supertest
Current Version 3.2.0
Type devDependency

This version is covered by your current version range and after updating it in your project the build failed.

supertest is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • ❌ ci/circleci: Your tests failed on CircleCI (Details).

Release Notes v3.3.0

#509 - Fix #486, bug in _assertBody, switch to deepStrictEqual (thanks @mikelax)
#510 - Refactor test files to use const/let (thanks @rimiti)

Commits

The new version differs by 10 commits.

  • e910e85 chore: Prepare for v3.3.0 release.
  • bd864de Merge pull request #511 from visionmedia/bugfix-486-equal
  • 101fbf5 Merge branch 'master' into bugfix-486-equal
  • 04230bb Merge pull request #510 from visionmedia/refact-const-let
  • 510a7ae bugfix: 486 Change method to use deepStrictEqual. (#509)
  • 913150d chore(.editorconfig) [*.md] block removed
  • 82e0828 refact(test/supertest.js) vars replaced by const and let
  • 5443136 chore(.editorconfig) configuration file created
  • 7233ba6 chore(.eslintrc) parserOptions option added to use es6
  • 322ebf6 bugfix: 486 Change method to use deepStrictEqual.

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

Team model name hardcoded

Hello and thanks for your module.

If we customize the name of the team model, the code will die due to the following line in the user-context.js file:

  app.models.Team.find({

user-context is missing bluebird require.

You are using bluebird but you are not requiring it in the user context. For that reason it is failing with the message: TypeError: Promise.join is not a function

Adding

  var Promise = require("bluebird");

solves the issue.

Undocumented access control bypass mechanisms

if (ctx.options.skipAccess) {
  debug('skipAccess: true - skipping access filters');
  return next();
}
// Do not filter if the request is being made against a single model instance.
if (_get(ctx.query, 'where.id')) {
  debug('looking up by Id - skipping access filters');
  return next();
}

These two access bypass mechanisms are undocumented and could expose data to unauthorised users.

  1. Document these bypass mechanisms
  2. Allow users to disable these through configuration options.

Bypass all access control for certain users

Hi there, is there a way to bypass group access control for specific user(s) so they could access all content?

I've considered several ideas such as filtering all requests for particular users but haven't been able to get a working solution.

Any help would be appreciated!

Use GroupRoles to restrict access to GroupModel

Is it possible to use the group roles to restrict access to the Group model itself? I.e. if I want to store data in my GroupModel and restrict access by GroupRoles, e.g. member read only, admin read/write, I need to be able to use the GroupRoles in the ACL of my GroupModel. Is that possible?
If I understood correctly, I can only use the GroupRoles in the ACL of models which have a belongTo relation to the GroupModel, but not the GroupModel itself?
So then I would have to create an additional model with a one-to-one relation to the GroupModel and store my group data there?

Middleware can't allow multiple User models

I'm working in a project where we have two User models. When I log in with a user that isn't specified as userModel in component-config.json, /lib/middleware/user-context.js throws an Error at line 33 that, I think, shouldn't be thrown.

User can create Invoices for different groups

Love the idea of this library, thanks for making it available.

I hope I'm missing something but it looks like you can PUT and POST invoices within your own team using the storeMemberA user if you send the id and invoiceId properties?

it('should not create a teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'A', name: 'A invoice', invoiceNumber: 123, id: 123 })
      .expect(401))
})

returns 200

Even worse it looks like you can do the same across teams if you include the same properties.

it('should not create another teams invoice with id props', function() {
  return logInAs(user.username)
    .then(res => json('post', `/api/invoices?access_token=${res.body.id}`)
      .send({ storeId: 'B', name: 'A invoice', invoiceNumber: 223, id: 223 })
      .expect(401))
})

it('should not create another teams invoice with id prop', function() {
  return logInAs(user.username)
    .then(res => json('put', `/api/invoices?access_token=${res.body.id}`)
      .send({
        id: 21234,
        storeId: 'B',
        invoiceNumber: 21234,
      })
      .expect(401))
})

both return 200

I've updated the rest-test.js file in this branch, which highlights the issue: https://github.com/hbbh/loopback-component-access-groups/tree/test-create-upsert-permissions

It's probably my phat-hands, but it would be good to get another pair of eyes on it.
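The two reports above ("Undocumented access control bypass mechanisms" and this invoice one) describe the same risk from the read and the write side. The following is an added illustration, not code from loopback-component-access-groups: a pure decision function for the two quoted bypasses, gated behind configuration flags (`allowSkipAccess` and `skipFilterOnIdLookup` are assumed names), a group filter in LoopBack's `where` syntax, and a write guard that rejects a group key outside the caller's membership or a client-supplied `id` on create.

```javascript
// Added example; `allowSkipAccess` / `skipFilterOnIdLookup` are assumed config names.
const get = (obj, path) =>
  path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

// Safe default: neither bypass is honoured unless explicitly enabled in config.
const DEFAULT_CONFIG = { allowSkipAccess: false, skipFilterOnIdLookup: false };

// Decide whether the group access filter applies to a read request.
// `filter === false` means the query is left unrestricted (the bypass case).
function shouldApplyAccessFilter(ctx, config = DEFAULT_CONFIG) {
  const opts = Object.assign({}, DEFAULT_CONFIG, config);
  if (get(ctx, 'options.skipAccess') && opts.allowSkipAccess) {
    return { filter: false, reason: 'skipAccess honoured by configuration' };
  }
  if (get(ctx, 'query.where.id') !== undefined && opts.skipFilterOnIdLookup) {
    return { filter: false, reason: 'lookup by id exempted by configuration' };
  }
  return { filter: true, reason: 'group filter applied' };
}

// Restrict a query to rows whose group key is one of the caller's groups.
// Keeps any caller-supplied where clause and ANDs the membership constraint on.
function applyGroupFilter(query, groupKey, userGroupIds) {
  const existing = (query && query.where) || {};
  return Object.assign({}, query, {
    where: { and: [existing, { [groupKey]: { inq: userGroupIds } }] },
  });
}

// Write-side guard: reject a create/update whose group key (e.g. `storeId`)
// is not a group the caller belongs to, and refuse a client-chosen `id` on
// create so the payload cannot target an arbitrary existing row.
function checkWrite(data, groupKey, userGroupIds, { isNewInstance }) {
  if (isNewInstance && data.id !== undefined) {
    return { ok: false, status: 422, reason: 'client-supplied id on create' };
  }
  if (!userGroupIds.includes(data[groupKey])) {
    return { ok: false, status: 401, reason: 'not a member of group ' + data[groupKey] };
  }
  return { ok: true, status: 200, reason: 'allowed' };
}
```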

Dependency issues on installation...

The following is the error I receive while trying to install loopback-component-access-groups just after installing StrongLoop Loopback and creating a brand new LoopBack API project.

Jamess-MacBook-Pro:loopback-access-groups jameseisenlohr$ npm install --save loopback-component-access-groups
npm WARN peerDependencies The peer dependency loopback@>=2.25.0 included from loopback-component-access-groups will no
npm WARN peerDependencies longer be automatically installed to fulfill the peerDependency
npm WARN peerDependencies in npm 3+. Your application will need to depend on it explicitly.
npm ERR! Darwin 14.5.0
npm ERR! argv "/usr/local/bin/node" "/usr/local/bin/npm" "install" "--save" "loopback-component-access-groups"
npm ERR! node v4.4.7
npm ERR! npm v2.15.8
npm ERR! code EPEERINVALID

npm ERR! peerinvalid The package [email protected] does not satisfy its siblings' peerDependencies requirements!
npm ERR! peerinvalid Peer [email protected] wants loopback@>=2.25.0

npm ERR! Please include the following file with any support request:
npm ERR! /Users/jameseisenlohr/Tests/loopback-access-groups/npm-debug.log
Jamess-MacBook-Pro:loopback-access-groups jameseisenlohr$

Any suggestions and help would be appreciated.
