@bedrockio/model 0.1.5 → 0.1.6

package/dist/cjs/access.js

@@ -29,19 +29,17 @@ function hasAccess(type, allowed = 'all', options = {}) {
       document,
       authUser
     } = options;
-    if (!Array.isArray(allowed)) {
-      allowed = [allowed];
-    }
     const scopes = resolveScopes(options);
+    allowed = resolveAllowed(allowed);
     return allowed.some(token => {
       if (token === 'self') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.id == authUser.id;
       } else if (token === 'user') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.user?.id == authUser.id;
       } else if (token === 'owner') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.owner?.id == authUser.id;
       } else {
         return scopes?.includes(token);
@@ -53,18 +51,34 @@ function resolveScopes(options) {
   if (!options.scope && !options.scopes) {
     (0, _warn.default)('Scopes were requested but not provided.');
   }
-  const {
-    scope,
-    scopes = []
-  } = options;
-  return scope ? [scope] : scopes;
+  let scopes;
+  if (options.scopes) {
+    scopes = options.scopes;
+  } else if (options.scope) {
+    scopes = [options.scope];
+  } else {
+    scopes = [];
+  }
+  return scopes;
 }
-function assertOptions(type, token, options) {
-  if (!options.authUser || !options.document) {
-    if (type === 'read') {
-      throw new _errors.ImplementationError(`Read access "${token}" requires .toObject({ authUser }).`);
+function resolveAllowed(arg) {
+  const allowed = Array.isArray(arg) ? arg : [arg];
+
+  // Sort allowed scopes to put "self" last allowing
+  // role based scopes to be fulfilled first.
+  allowed.sort((a, b) => {
+    if (a === b) {
+      return 0;
+    } else if (a === 'self') {
+      return 1;
     } else {
-      throw new _errors.ImplementationError(`Write access "${token}" requires passing { document, authUser } to the validator.`);
+      return -1;
     }
+  });
+  return allowed;
+}
+function assertOptions(token, options) {
+  if (!options.authUser || !options.document) {
+    throw new _errors.ImplementationError(token);
   }
 }

package/dist/cjs/errors.js

@@ -6,7 +6,12 @@ Object.defineProperty(exports, "__esModule", {
 exports.ReferenceError = exports.PermissionsError = exports.ImplementationError = void 0;
 class PermissionsError extends Error {}
 exports.PermissionsError = PermissionsError;
-class ImplementationError extends Error {}
+class ImplementationError extends Error {
+  constructor(name) {
+    super();
+    this.name = name;
+  }
+}
 exports.ImplementationError = ImplementationError;
 class ReferenceError extends Error {
   constructor(message, references) {

package/dist/cjs/validation.js

@@ -333,14 +333,31 @@ function validateAccess(type, schema, allowed, options) {
   } = options.model;
   return schema.custom((val, options) => {
     const document = options[(0, _lodash.lowerFirst)(modelName)] || options['document'];
-    const isAllowed = (0, _access.hasAccess)(type, allowed, {
-      ...options,
-      document
-    });
+    let isAllowed;
+    try {
+      isAllowed = (0, _access.hasAccess)(type, allowed, {
+        ...options,
+        document
+      });
+    } catch (error) {
+      if (error instanceof _errors.ImplementationError) {
+        if (type === 'read') {
+          // Read access validation for search means that "self" access
+          // cannot be fulfilled as there is no single document to test
+          // against, so continue on to throw a normal permissions error
+          // here instead of raising a problem with the implementation.
+          isAllowed = false;
+        } else if (type === 'write') {
+          throw new Error(`Write access "${error.name}" requires passing { document, authUser } to the validator.`);
+        }
+      } else {
+        throw error;
+      }
+    }
     if (!isAllowed) {
       const currentValue = (0, _lodash.get)(document, options.path);
       if (val !== currentValue) {
-        throw new _errors.PermissionsError('requires write permissions.');
+        throw new _errors.PermissionsError(`requires ${type} permissions.`);
       }
     }
   });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bedrockio/model",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "description": "Bedrock utilities for model creation.",
   "type": "module",
   "scripts": {
@@ -29,7 +29,7 @@
     "lodash": "^4.17.21"
   },
   "peerDependencies": {
-    "@bedrockio/yada": "^1.0.20",
+    "@bedrockio/yada": "^1.0.25",
     "mongoose": "^6.9.0"
   },
   "devDependencies": {
@@ -37,7 +37,7 @@
     "@babel/core": "^7.20.12",
     "@babel/preset-env": "^7.20.2",
     "@bedrockio/prettier-config": "^1.0.2",
-    "@bedrockio/yada": "^1.0.20",
+    "@bedrockio/yada": "^1.0.25",
     "@shelf/jest-mongodb": "^4.1.6",
     "babel-plugin-import-replacement": "^1.0.1",
     "eslint": "^8.33.0",

package/src/access.js

@@ -19,19 +19,18 @@ export function hasAccess(type, allowed = 'all', options = {}) {
     return false;
   } else {
     const { document, authUser } = options;
-    if (!Array.isArray(allowed)) {
-      allowed = [allowed];
-    }
     const scopes = resolveScopes(options);
+
+    allowed = resolveAllowed(allowed);
     return allowed.some((token) => {
       if (token === 'self') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.id == authUser.id;
       } else if (token === 'user') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.user?.id == authUser.id;
       } else if (token === 'owner') {
-        assertOptions(type, token, options);
+        assertOptions(token, options);
         return document.owner?.id == authUser.id;
       } else {
         return scopes?.includes(token);
@@ -44,20 +43,39 @@ function resolveScopes(options) {
   if (!options.scope && !options.scopes) {
     warn('Scopes were requested but not provided.');
   }
-  const { scope, scopes = [] } = options;
-  return scope ? [scope] : scopes;
+
+  let scopes;
+  if (options.scopes) {
+    scopes = options.scopes;
+  } else if (options.scope) {
+    scopes = [options.scope];
+  } else {
+    scopes = [];
+  }
+
+  return scopes;
 }
 
-function assertOptions(type, token, options) {
-  if (!options.authUser || !options.document) {
-    if (type === 'read') {
-      throw new ImplementationError(
-        `Read access "${token}" requires .toObject({ authUser }).`
-      );
+function resolveAllowed(arg) {
+  const allowed = Array.isArray(arg) ? arg : [arg];
+
+  // Sort allowed scopes to put "self" last allowing
+  // role based scopes to be fulfilled first.
+  allowed.sort((a, b) => {
+    if (a === b) {
+      return 0;
+    } else if (a === 'self') {
+      return 1;
     } else {
-      throw new ImplementationError(
-        `Write access "${token}" requires passing { document, authUser } to the validator.`
-      );
+      return -1;
     }
+  });
+
+  return allowed;
+}
+
+function assertOptions(token, options) {
+  if (!options.authUser || !options.document) {
+    throw new ImplementationError(token);
   }
 }

package/src/errors.js

@@ -1,5 +1,11 @@
 export class PermissionsError extends Error {}
-export class ImplementationError extends Error {}
+
+export class ImplementationError extends Error {
+  constructor(name) {
+    super();
+    this.name = name;
+  }
+}
 
 export class ReferenceError extends Error {
   constructor(message, references) {

package/src/validation.js

@@ -5,7 +5,7 @@ import { get, omit, lowerFirst } from 'lodash';
 
 import { hasAccess } from './access';
 import { searchValidation } from './search';
-import { PermissionsError } from './errors';
+import { PermissionsError, ImplementationError } from './errors';
 import { hasUniqueConstraints, assertUnique } from './soft-delete';
 import { isMongooseSchema, isSchemaTypedef } from './utils';
 import { RESERVED_FIELDS } from './schema';
@@ -368,14 +368,35 @@ function validateAccess(type, schema, allowed, options) {
   const { modelName } = options.model;
   return schema.custom((val, options) => {
     const document = options[lowerFirst(modelName)] || options['document'];
-    const isAllowed = hasAccess(type, allowed, {
-      ...options,
-      document,
-    });
+
+    let isAllowed;
+    try {
+      isAllowed = hasAccess(type, allowed, {
+        ...options,
+        document,
+      });
+    } catch (error) {
+      if (error instanceof ImplementationError) {
+        if (type === 'read') {
+          // Read access validation for search means that "self" access
+          // cannot be fulfilled as there is no single document to test
+          // against, so continue on to throw a normal permissions error
+          // here instead of raising a problem with the implementation.
+          isAllowed = false;
+        } else if (type === 'write') {
+          throw new Error(
+            `Write access "${error.name}" requires passing { document, authUser } to the validator.`
+          );
+        }
+      } else {
+        throw error;
+      }
+    }
+
     if (!isAllowed) {
       const currentValue = get(document, options.path);
       if (val !== currentValue) {
-        throw new PermissionsError('requires write permissions.');
+        throw new PermissionsError(`requires ${type} permissions.`);
       }
     }
   });

package/types/access.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.js"],"names":[],"mappings":"AAGA,mEAEC;AAED,oEAEC;AAED;;GAEG;AACH,+CAFW,MAAM,GAAC,MAAM,EAAE,yBA4BzB"}
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../src/access.js"],"names":[],"mappings":"AAGA,mEAEC;AAED,oEAEC;AAED;;GAEG;AACH,+CAFW,MAAM,GAAC,MAAM,EAAE,yBA2BzB"}

package/types/errors.d.ts

@@ -1,6 +1,8 @@
 export class PermissionsError extends Error {
 }
 export class ImplementationError extends Error {
+    constructor(name: any);
+    name: any;
 }
 export class ReferenceError extends Error {
     constructor(message: any, references: any);

package/types/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAC9C;CAAiD;AAEjD;IACE,2CAGC;IADC,gBAA4B;CAE/B"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.js"],"names":[],"mappings":"AAAA;CAA8C;AAE9C;IACE,uBAGC;IADC,UAAgB;CAEnB;AAED;IACE,2CAGC;IADC,gBAA4B;CAE/B"}

package/types/search.d.ts

@@ -3,6 +3,8 @@ export function searchValidation(definition: any, options?: {}): {
     setup: any;
     getFields: any;
     append(arg: import("@bedrockio/yada/types/Schema").default | import("@bedrockio/yada/types/object").SchemaMap): any;
+    pick(...names?: string[]): any;
+    omit(...names?: string[]): any;
     format(name: any, fn: any): import("@bedrockio/yada/types/TypeSchema").default;
     toString(): any;
     assertions: any[];
@@ -20,6 +22,7 @@ export function searchValidation(definition: any, options?: {}): {
     validate(value: any, options?: {}): Promise<any>;
     clone(meta: any): any;
     toOpenApi(extra: any): any;
+    expandExtra(extra?: {}): {};
     assertEnum(set: any, allow: any): any;
     assert(type: any, fn: any): any;
     pushAssertion(assertion: any): void;

package/types/search.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"search.d.ts","sourceRoot":"","sources":["../src/search.js"],"names":[],"mappings":"AAmBA,gEAyDC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwBC"}
+{"version":3,"file":"search.d.ts","sourceRoot":"","sources":["../src/search.js"],"names":[],"mappings":"AAmBA,gEAyDC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAwBC"}

package/types/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.js"],"names":[],"mappings":"AAiEA,kDAEC;AAED,oEA2DC;AAaD,wEAeC;AAqOD;;;EAEC;AAED;;;EAOC;AArXD,8EAUK"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../src/validation.js"],"names":[],"mappings":"AAiEA,kDAEC;AAED,oEA2DC;AAaD,wEAeC;AA0PD;;;EAEC;AAED;;;EAOC;AA1YD,8EAUK"}