forest_liana 5.1.3 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 403847f23770b011b6551b87228a5d1f12cff04d9fa96b2389137279517ee48c
-  data.tar.gz: 2900ede987dfbff932097a05f367e1247a37ac2a00be6e611f6ee14b730c15c2
+  metadata.gz: 64ca1f513502df98ecedaeeacddf85af31720c10aa6c60b4444ed83affd57536
+  data.tar.gz: 4f7422a68c827a5439796946b43c7d687dc59d9c98a104b6540a025ceb88d520
 SHA512:
-  metadata.gz: c5ee8dd97d27c5c78f6b9146cf98f41d1dbc6f72c4e4e70d662fae4d4b1f3b6d45f4339f6a9f43d74d84d193fb9001bce8662f5f6c2846b5f49ccbdec7cc8a22
-  data.tar.gz: 423aea81ffed1126246a21ba1205a514d45b7fd5f924cd041be01f94b003099c1e6079af83660e6fd405f9d2e8481634677d772ac53eaf7ae793a15f5a4776aa
+  metadata.gz: 5bf573c94f3f2e25403c752f9808ea9b4a6fcd02f886423bdc79b049605063edee39fbaf0ca1b4f74b7423c94936c5fcd831c1165196a3612c812e51c362a29a
+  data.tar.gz: 0ad2cfe651f34a16538c7f753eac53d1e54090ffe8b2d3b9ecf31e2638adb564df2c96150b5166403dd391d2b56fca3e4fd75ee34884e91937fefec06a33c416

data/app/controllers/forest_liana/resources_controller.rb

@@ -22,7 +22,13 @@ module ForestLiana
           checker = ForestLiana::PermissionsChecker.new(@resource, 'searchToEdit', @rendering_id)
           return head :forbidden unless checker.is_authorized?
         else
-          checker = ForestLiana::PermissionsChecker.new(@resource, 'list', @rendering_id)
+          checker = ForestLiana::PermissionsChecker.new(
+            @resource,
+            'list',
+            @rendering_id,
+            nil,
+            get_collection_list_permission_info(forest_user, request)
+          )
           return head :forbidden unless checker.is_authorized?
         end
 
@@ -51,7 +57,13 @@ module ForestLiana
 
     def count
       begin
-        checker = ForestLiana::PermissionsChecker.new(@resource, 'list', @rendering_id)
+        checker = ForestLiana::PermissionsChecker.new(
+          @resource,
+          'list',
+          @rendering_id,
+          nil,
+          get_collection_list_permission_info(forest_user, request)
+        )
         return head :forbidden unless checker.is_authorized?
 
         getter = ForestLiana::ResourcesGetter.new(@resource, params)
@@ -232,5 +244,15 @@ module ForestLiana
       collection_name = ForestLiana.name_for(@resource)
       @collection ||= ForestLiana.apimap.find { |collection| collection.name.to_s == collection_name }
     end
+
+    # NOTICE: Return a formatted object containing the request condition filters and 
+    #         the user id used by the scope validator class to validate if scope is 
+    #         in request
+    def get_collection_list_permission_info(user, collection_list_request)
+      {
+        user_id: user['id'],
+        filters: collection_list_request[:filters],
+      }
+    end
   end
 end

data/app/services/forest_liana/permissions_checker.rb

@@ -3,11 +3,12 @@ module ForestLiana
     @@permissions_per_rendering = Hash.new
     @@expiration_in_seconds = (ENV['FOREST_PERMISSIONS_EXPIRATION_IN_SECONDS'] || 3600).to_i
 
-    def initialize(resource, permission_name, rendering_id, smart_action_parameters = nil)
+    def initialize(resource, permission_name, rendering_id, smart_action_parameters = nil, collection_list_parameters = nil)
       @collection_name = ForestLiana.name_for(resource)
       @permission_name = permission_name
       @rendering_id = rendering_id
       @smart_action_parameters = smart_action_parameters
+      @collection_list_parameters = collection_list_parameters
     end
 
     def is_authorized?
@@ -46,12 +47,23 @@ module ForestLiana
       return @allowed && (@users.nil?|| @users.include?(@user_id.to_i));
     end
 
+    def collection_list_allowed?(scope_permissions)
+      return ForestLiana::ScopeValidator.new(
+        scope_permissions['filter'],
+        scope_permissions['dynamicScopesValues']['users']
+      ).is_scope_in_request?(@collection_list_parameters)
+    end
+
     def is_allowed?
       permissions = get_permissions
       if permissions && permissions[@collection_name] &&
         permissions[@collection_name]['collection']
         if @permission_name === 'actions'
           return smart_action_allowed?(permissions[@collection_name]['actions'])
+        # NOTICE: Permissions[@collection_name]['scope'] will either contains conditions filter and
+        #         dynamic user values definition, or null for collection that does not use scopes
+        elsif @permission_name === 'list' and permissions[@collection_name]['scope']
+          return collection_list_allowed?(permissions[@collection_name]['scope'])
         else
           return permissions[@collection_name]['collection'][@permission_name]
         end

data/app/services/forest_liana/scope_validator.rb

@@ -0,0 +1,97 @@
+module ForestLiana
+  class ScopeValidator
+    def initialize(scope_permissions, users_variable_values)
+      @scope_filters = scope_permissions
+      @users_variable_values = users_variable_values
+    end
+
+    def is_scope_in_request?(scope_request)
+      begin
+        filters = JSON.parse(scope_request[:filters])
+      rescue JSON::ParserError
+        raise ForestLiana::Errors::HTTP422Error.new('Invalid filters JSON format')
+      end
+      @computed_scope = compute_condition_filters_from_scope(scope_request[:user_id])
+
+      # NOTICE: Perfom a travel in the request condition filters tree to find the scope
+      tagged_scope_filters = get_scope_found_in_request(filters)
+
+      # NOTICE: Permission system always send an aggregator even if there is only one condition
+      #         In that case, if the condition is valid, then request was not edited
+      return !tagged_scope_filters.nil? if @scope_filters['conditions'].length == 1
+
+      # NOTICE: If there is more than one condition, do a final validation on the condition filters
+      return tagged_scope_filters != nil &&
+        tagged_scope_filters[:aggregator] == @scope_filters['aggregator'] &&
+        tagged_scope_filters[:conditions] &&
+        tagged_scope_filters[:conditions].length == @scope_filters['conditions'].length
+    end
+
+    private
+
+    def compute_condition_filters_from_scope(user_id)
+      computed_condition_filters = @scope_filters.clone
+      computed_condition_filters['conditions'].each do |condition|
+        if condition.include?('value') && 
+          !condition['value'].nil? && 
+          condition['value'].start_with?('$') && 
+          @users_variable_values.include?(user_id)
+          condition['value'] = @users_variable_values[user_id][condition['value']]
+        end
+      end
+      return computed_condition_filters
+    end
+
+    def get_scope_found_in_request(filters)
+      return nil unless filters
+      return search_scope_aggregation(filters)
+    end
+
+    def search_scope_aggregation(node)
+      ensure_valid_aggregation(node)
+
+      return is_scope_condition?(node) unless node['aggregator']
+  
+      # NOTICE: Remove conditions that are not from the scope
+      filtered_conditions = node['conditions'].map { |condition| 
+        search_scope_aggregation(condition)
+      }.select { |condition|
+        condition
+      }
+
+      # NOTICE: If there is only one condition filter left and its current aggregator is
+      #         an "and", this condition filter is the searched scope
+      if (filtered_conditions.length == 1 && 
+        filtered_conditions.first.is_a?(Hash) &&
+        filtered_conditions.first.include?(:aggregator) &&
+        node['aggregator'] == 'and')
+        return filtered_conditions.first
+      end
+
+      # NOTICE: Otherwise, validate if the current node is the scope and return nil
+      #         if it's not
+      return (filtered_conditions.length == @scope_filters['conditions'].length && 
+        node['aggregator'] == @scope_filters['aggregator']) ?
+        { aggregator: node['aggregator'], conditions: filtered_conditions } :
+        nil
+    end
+
+    def is_scope_condition?(condition)
+      ensure_valid_condition(condition)
+      return @computed_scope['conditions'].include?(condition)
+    end
+
+    def ensure_valid_aggregation(node)
+      raise ForestLiana::Errors::HTTP422Error.new('Filters cannot be a raw value') unless node.is_a?(Hash)
+      raise_empty_condition_in_filter_error if node.empty?
+    end
+
+    def ensure_valid_condition(condition)
+      raise_empty_condition_in_filter_error if condition.empty?
+      raise ForestLiana::Errors::HTTP422Error.new('Condition cannot be a raw value') unless condition.is_a?(Hash)
+      unless condition['field'].is_a?(String) and condition['operator'].is_a?(String)
+        raise ForestLiana::Errors::HTTP422Error.new('Invalid condition format')
+      end
+    end
+  end
+end

data/lib/forest_liana/version.rb

@@ -1,3 +1,3 @@
 module ForestLiana
-  VERSION = "5.1.3"
+  VERSION = "5.2.0"
 end

data/test/services/forest_liana/scope_validator_test.rb

@@ -0,0 +1,185 @@
+module ForestLiana
+  class ScopeValidatorTest < ActiveSupport::TestCase
+    test 'Request with aggregated condition filters should be allowed if it matches the scope exactly' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'john', 'operator' => 'equal' },
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' }
+          ]
+        }, [])
+
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'john', operator: 'equal' },
+            { field: 'price', value: '2500', operator: 'equal' }              
+          ]
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with simple condition filter should be allowed if it matches the scope exactly' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'field', 'value' => 'value', 'operator' => 'equal' }
+          ]
+        }, [])
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          field: 'field', value: 'value', operator: 'equal'
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with multiples condition filters should be allowed if it contains the scope ' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'doe', 'operator' => 'equal' }
+          ]
+        }, []
+        )
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'doe', operator: 'equal' },
+            { field: 'field2', value: 'value2', operator: 'equal' }              
+          ]
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with dynamic user values should be allowed if it matches the scope exactly' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => '$currentUser.lastname', 'operator' => 'equal' }
+          ],
+        }, {
+          '1' => { '$currentUser.lastname' => 'john' }
+        })
+
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          'field' => 'name', 'value' => 'john', 'operator' => 'equal'
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request with multiples aggregation and dynamic values should be allowed if it contains the scope' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+        'aggregator' => 'or',
+        'conditions' => [
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' },
+            { 'field' => 'name', 'value' => '$currentUser.lastname', 'operator' => 'equal' }
+          ]
+        }, {
+          '1' => { '$currentUser.lastname' => 'john' }
+        })
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'field', value: 'value', operator: 'equal' },
+            { 
+              aggregator: 'or',
+              conditions: [
+                { field: 'price', value: '2500', operator: 'equal' },
+                { field: 'name', value: 'john', operator: 'equal' }   
+              ]
+            }
+          ]
+        })
+      })
+      assert allowed == true
+    end
+
+    test 'Request that does not match the expect scope should not be allowed' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'john', 'operator' => 'equal' },
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' }
+          ]
+        }, [])
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'definitely_not_john', operator: 'equal' },
+            { field: 'price', value: '0', operator: 'equal' }              
+          ]
+        })
+      })
+      assert allowed == false
+    end
+
+    test 'Request that are missing part of the scope should not be allowed' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+          'aggregator' => 'and',
+          'conditions' => [
+            { 'field' => 'name', 'value' => 'john', 'operator' => 'equal' },
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' }
+          ]
+        }, [])
+        
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'and',
+          conditions: [
+            { field: 'name', value: 'john', operator: 'equal' },
+          ]
+        })
+      })
+      assert allowed == false
+    end
+
+    test 'Request that does not have a top aggregator being "and" should not be allowed' do
+      scope_validator = ForestLiana::ScopeValidator.new({
+        'aggregator' => 'and',
+        'conditions' => [
+            { 'field' => 'price', 'value' => '2500', 'operator' => 'equal' },
+            { 'field' => 'name', 'value' => '$currentUser.lastname', 'operator' => 'equal' }
+          ]
+        }, {
+          '1' => { '$currentUser.lastname' => 'john' }
+        })
+
+      allowed = scope_validator.is_scope_in_request?({
+        user_id: '1',
+        filters: JSON.generate({
+          aggregator: 'or',
+          conditions: [
+            { field: 'field', value: 'value', operator: 'equal' },
+            { 
+              aggregator: 'and',
+              conditions: [
+                { field: 'price', value: '2500', operator: 'equal' },
+                { field: 'name', value: 'john', operator: 'equal' }   
+              ]
+            }
+          ]
+        })
+      })
+      assert allowed == false
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: forest_liana
 version: !ruby/object:Gem::Version
-  version: 5.1.3
+  version: 5.2.0
 platform: ruby
 authors:
 - Sandro Munda
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-19 00:00:00.000000000 Z
+date: 2020-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -262,6 +262,7 @@ files:
 - app/services/forest_liana/resources_getter.rb
 - app/services/forest_liana/schema_adapter.rb
 - app/services/forest_liana/schema_utils.rb
+- app/services/forest_liana/scope_validator.rb
 - app/services/forest_liana/search_query_builder.rb
 - app/services/forest_liana/stat_getter.rb
 - app/services/forest_liana/stripe_base_getter.rb
@@ -432,6 +433,7 @@ files:
 - test/services/forest_liana/resource_updater_test.rb
 - test/services/forest_liana/resources_getter_test.rb
 - test/services/forest_liana/schema_adapter_test.rb
+- test/services/forest_liana/scope_validator_test.rb
 - test/services/forest_liana/value_stat_getter_test.rb
 - test/test_helper.rb
 homepage: https://github.com/ForestAdmin/forest-rails
@@ -469,6 +471,7 @@ test_files:
 - test/fixtures/has_many_field.yml
 - test/fixtures/string_field.yml
 - test/services/forest_liana/resources_getter_test.rb
+- test/services/forest_liana/scope_validator_test.rb
 - test/services/forest_liana/schema_adapter_test.rb
 - test/services/forest_liana/has_many_getter_test.rb
 - test/services/forest_liana/value_stat_getter_test.rb