@live-change/access-control-service 0.2.40 → 0.2.43

package/access.js

@@ -1,4 +1,4 @@
-const { parents, parentsSourcesMap } = require('./accessControlParents.js')
+const { parents, parentsSources } = require('./accessControlParents.js')
 const App = require('@live-change/framework')
 const app = App.app()
 
@@ -16,6 +16,16 @@ module.exports = (definition) => {
     canRequest = (roles, client, { objectType, object }) => false
   } = config
 
+  function testRoles(requiredRoles, clientRoles) {
+    for(const requiredRolesOption of requiredRoles) {
+      if(
+        (Array.isArray(requiredRolesOption) ? requiredRolesOption : [requiredRolesOption])
+          .every(role => clientRoles.includes(role))
+      ) return true
+    }
+    return false
+  }
+
   async function clientHasAnyAccess(client, { objectType, object, objects }) {
     return checkRoles(client, { objectType, object, objects }, hasAny)
   }
@@ -38,7 +48,7 @@ module.exports = (definition) => {
 
   function clientHasAccessRoles(client, { objectType, object, objects }, roles) {
     return checkRoles(client, { objectType, object, objects },
-      (clientRoles) => roles.every(role => clientRoles.includes(role))
+      (clientRoles) => testRoles(requiredRoles, roles)
     )
   }
 
@@ -98,7 +108,10 @@ module.exports = (definition) => {
 
   /// QUERIES:
 
-  function dbAccessFunctions({ input, publicAccessTable, accessTable, updateRoles, isLoaded }) {
+  function dbAccessFunctions({
+      input, publicAccessTable, accessTable, updateRoles, isLoaded,
+      client, parentsSourcesMap, output
+    }) {
     async function treeNode(objectType, object) {
       const node = {
         objectType, object,
@@ -119,7 +132,7 @@ module.exports = (definition) => {
       })
 
       const sessionAccessObject = accessTable.object(
-        `session_Session:${JSON.stringify(client.session)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
+        `"session_Session":${JSON.stringify(client.session)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
       )
       sessionAccessObserver = sessionAccessObject && sessionAccessObject.onChange((accessData, oldAccessData) => {
         node.sessionRoles = accessData?.roles ?? []
@@ -127,10 +140,10 @@ module.exports = (definition) => {
       })
 
       const userAccessObject = client.user && accessTable.object(
-        `user_User:${JSON.stringify(client.user)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
+        `"user_User":${JSON.stringify(client.user)}:${JSON.stringify(objectType)}:${JSON.stringify(object)}`
       )
       userAccessObserver = userAccessObject && userAccessObject.onChange((accessData, oldAccessData) => {
-        node.sessionRoles = accessData?.roles ?? []
+        node.userRoles = accessData?.roles ?? []
         if(isLoaded()) updateRoles()
       })
 
@@ -187,9 +200,12 @@ module.exports = (definition) => {
         let loaded = false
 
         const { treeNode, computeNodeRoles } =
-          eval(dbAccessFunctions)({ input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded })
+          eval(dbAccessFunctions)({
+            input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded,
+            client, parentsSourcesMap, output
+          })
 
-        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object))
+        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object, client))
 
         const outputObjectId = `${JSON.stringify(client.session)}:${JSON.stringify(client.user)}:` +
                                objects.map( obj => `${JSON.stringify(objectType)}:${JSON.stringify(object)}`)
@@ -216,7 +232,7 @@ module.exports = (definition) => {
         await updateRoles()
       }
     })`, {
-      objectType, object, parentsSourcesMap, client,
+      objectType, object, parentsSourcesMap: parentsSources, client,
       accessTableName: Access.tableName, publicAccessTableName: PublicAccess.tableName,
       dbAccessFunctions: `(${dbAccessFunctions})`
     }]
@@ -233,9 +249,12 @@ module.exports = (definition) => {
         let loaded = false
 
         const { treeNode, computeNodeRoles } =
-          eval(dbAccessFunctions)({ input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded })
+          eval(dbAccessFunctions)({
+            input, publicAccessTable, accessTable, updateRoles, isLoaded: () => loaded,
+            client, parentsSourcesMap, output,
+          })
 
-        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object))
+        let rolesTreesRoots = objects.map(({ object, objectType }) => treeNode(objectType, object, client))
         const accesses = []
         async function updateRoles() {
           const roots = await Promise.all(rolesTreesRoots)
@@ -264,8 +283,9 @@ module.exports = (definition) => {
         await updateRoles()
       }
     })`, {
-      objects, parentsSourcesMap, client,
+      objects, parentsSourcesMap: parentsSources, client,
       accessTableName: Access.tableName, publicAccessTableName: PublicAccess.tableName,
+      dbAccessFunctions: `(${dbAccessFunctions})`
     }]
   }
 
@@ -282,6 +302,7 @@ module.exports = (definition) => {
   }
 
   return {
+    testRoles,
     clientHasAnyAccess, clientHasAdminAccess,
     clientCanInvite,
     clientCanRequest,

package/accessControl.js

@@ -0,0 +1,110 @@
+const definition = require('./definition.js')
+const App = require("@live-change/framework")
+const { ObservableValue, ObservableList, ObservableProxy } = require("@live-change/dao")
+const app = App.app()
+const access = require('./access.js')(definition)
+
+definition.processor({
+  priority: -1,
+  process(service, app) {
+
+    for(const actionName in service.actions) {
+      const action = service.actions[actionName]
+      if(!action.accessControl) continue
+      const config = action.accessControl
+
+      console.log("ACCESS CONTROL", service.name, "ACTION", action.name)
+
+      const oldExec = action.execute
+      action.execute = async (...args) => {
+        const [ properties, context, emit ] = args
+        const { client } = context
+
+        const objects = [].concat(
+          config.objects ? config.objects(properties) : [],
+          (objectType && object) ? [{ objectType, object }] : []
+        )
+        if(objects.length == 0) {
+          throw new Error('no objects for access control to work')
+        }
+        const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
+        if(!accessible) throw 'notAuthorized'
+
+        return oldExec.apply(action, args)
+      }
+    }
+
+    for(const viewName in service.views) {
+      const view = service.views[viewName]
+      if(!view.accessControl) continue
+      const config = view.accessControl
+
+      console.log("ACCESS CONTROL", service.name, "VIEW", view.name)
+
+      const oldGet = view.get
+      const oldObservable = view.observable
+      view.get = async (...args) => {
+        const [ properties, context ] = args
+        const { client } = context
+        const { objectType, object } = properties
+        const objects = [].concat(
+          config.objects ? config.objects(properties) : [],
+          (objectType && object) ? [{ objectType, object }] : []
+        )
+        if(objects.length == 0) {
+          throw new Error('no objects for access control to work')
+        }
+        const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
+        if(!accessible) throw 'notAuthorized'
+        return oldGet.apply(view, args)
+      }
+      view.observable = (...args) => {
+        const [ properties, context ] = args
+        const { client } = context
+        const { objectType, object } = properties
+        const objects = [].concat(
+          config.objects ? config.objects(properties) : [],
+          (objectType && object) ? [{ objectType, object }] : []
+        )
+        if(objects.length == 0) {
+          throw new Error('no objects for access control to work')
+        }
+
+        const rolesPath = access.accessPath(client, objects)
+
+        const errorObservable = new ObservableValue()
+        errorObservable.handleError('notAuthorized')
+
+        const observableProxy = new ObservableProxy(null)
+
+        let valueObservable
+
+        let accessible
+        const rolesObservable = app.dao.observable(rolesPath)
+        const rolesObserver = (signal, value) => {
+          const accessObject = rolesObservable.getValue()
+          const newAccessible = access.testRoles(config.roles, accessObject.roles)
+          if(newAccessible !== accessible) {
+            if(newAccessible === true /*&& !valueObservable*/) {
+              valueObservable = oldObservable.apply(view, args)
+            }
+            observableProxy.setTarget(accessible ? valueObservable : errorObservable)
+          }
+        }
+        rolesObservable.observe(rolesObserver)
+
+        const oldDispose = observableProxy.dispose
+        const oldRespawn = observableProxy.respawn
+        observableProxy.dispose = () => {
+          rolesObservable.unobserve(rolesObserver)
+          oldDispose.apply(observableProxy)
+        }
+        observableProxy.respawn = () => {
+          rolesObservable.observe(rolesObserver)
+          oldRespawn.apply(observableProxy)
+        }
+      }
+    }
+
+  }
+})

package/index.js

@@ -6,5 +6,6 @@ require('./model.js')
 require('./invite.js')
 require('./request.js')
 require('./view.js')
+require('./accessControl.js')
 
 module.exports = definition

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@live-change/access-control-service",
-  "version": "0.2.40",
+  "version": "0.2.43",
   "description": "",
   "main": "index.js",
   "scripts": {
@@ -21,7 +21,7 @@
     "url": "https://www.viamage.com/"
   },
   "dependencies": {
-    "@live-change/framework": "0.6.6"
+    "@live-change/framework": "0.6.10"
   },
-  "gitHead": "4a920b328b0a7f3f25c67cdba3e574687971ee22"
+  "gitHead": "8db9a604d14d85f750056ce9c3b7bb859aface27"
 }

package/limitedAccess.js

@@ -1,107 +0,0 @@
-const definition = require('./definition.js')
-const App = require("@live-change/framework")
-const { ObservableValue, ObservableList, ObservableProxy } = require("@live-change/dao")
-const app = App.app()
-const access = require('./access.js')(definition)
-
-definition.processor(function(service, app) {
-
-  for(const actionName in service.actions) {
-    const action = service.actions[actionName]
-    if(!action.limitedAccess) continue
-    const config = action.limitedAccess
-
-    console.log("LIMITED ACCESS", service.name, "ACTION", action.name)
-
-    const oldExec = action.execute
-    action.execute = async (...args) => {
-      const [ properties, context, emit ] = args
-      const { client } = context
-
-      const objects = [].concat(
-        config.objects ? config.objects(properties) : [],
-        (objectType && object) ? [{ objectType, object }] : []
-      )
-      if(objects.length == 0) {
-        throw new Error('no objects for access control to work')
-      }
-      const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
-      if(!accessible) throw 'notAuthorized'
-
-      return oldExec.apply(action, args)
-    }
-  }
-
-  for(const viewName in service.views) {
-    const view = service.view[viewName]
-    if(!view.limitedAccess) continue
-    const config = view.limitedAccess
-
-    console.log("LIMITED ACCESS", service.name, "VIEW", view.name)
-
-    const oldGet = view.get
-    const oldObservable = view.observable
-    view.get = async (...args) => {
-      const [ properties, context ] = args
-      const { client } = context
-      const { objectType, object } = properties
-      const objects = [].concat(
-        config.objects ? config.objects(properties) : [],
-        (objectType && object) ? [{ objectType, object }] : []
-      )
-      if(objects.length == 0) {
-        throw new Error('no objects for access control to work')
-      }
-      const accessible = access.clientHasAccessRoles(client, { objects }, config.roles)
-      if(!accessible) throw 'notAuthorized'
-      return oldGet.apply(view, args)
-    }
-    view.observable = (...args) => {
-      const [ properties, context ] = args
-      const { client } = context
-      const { objectType, object } = properties
-      const objects = [].concat(
-        config.objects ? config.objects(properties) : [],
-        (objectType && object) ? [{ objectType, object }] : []
-      )
-      if(objects.length == 0) {
-        throw new Error('no objects for access control to work')
-      }
-
-      const rolesPath = access.accessPath(client, objects)
-
-      const errorObservable = new ObservableValue()
-      errorObservable.handleError('notAuthorized')
-
-      const observableProxy = new ObservableProxy(null)
-
-      let valueObservable
-
-      let accessible
-      const rolesObservable = app.dao.observable(rolesPath)
-      const rolesObserver = (signal, value) => {
-        const accessObject = rolesObservable.getValue()
-        const newAccessible = config.roles.every(role => accessObject.roles.includes(role))
-        if(newAccessible !== accessible) {
-          if(newAccessible === true /*&& !valueObservable*/) {
-            valueObservable = oldObservable.apply(view, args)
-          }
-          observableProxy.setTarget(accessible ? valueObservable : errorObservable)
-        }
-      }
-      rolesObservable.observe(rolesObserver)
-
-      const oldDispose = observableProxy.dispose
-      const oldRespawn = observableProxy.respawn
-      observableProxy.dispose = () => {
-        rolesObservable.unobserve(rolesObserver)
-        oldDispose.apply(observableProxy)
-      }
-      observableProxy.respawn = () => {
-        rolesObservable.observe(rolesObserver)
-        oldRespawn.apply(observableProxy)
-      }
-    }
-  }
-
-})