Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Update acl authorizer to make write rights imply append rights

Browse Source
This commit is contained in:
Joachim Van Herwegen 2021-01-07 15:00:53 +01:00
parent 998296a4bb
commit 61aa2e12bd
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/authorization/WebAclAuthorizer.ts
View File

@ -64,7 +64,13 @@ export class WebAclAuthorizer extends Authorizer {
*/ */
private checkPermission(agent: Credentials, store: Store, mode: string): void { private checkPermission(agent: Credentials, store: Store, mode: string): void {
const modeString = ACL[this.capitalize(mode) as 'Write' | 'Read' | 'Append' | 'Control']; const modeString = ACL[this.capitalize(mode) as 'Write' | 'Read' | 'Append' | 'Control'];
const auths = store.getQuads(null, ACL.mode, modeString, null).map((quad: Quad): Term => quad.subject); const auths = this.getModePermissions(store, modeString);
// Having write permissions implies having append permissions
if (modeString === ACL.Append) {
auths.push(...this.getModePermissions(store, ACL.Write));
}
if (!auths.some((term): boolean => this.hasAccess(agent, term, store))) { if (!auths.some((term): boolean => this.hasAccess(agent, term, store))) {
const isLoggedIn = typeof agent.webId === 'string'; const isLoggedIn = typeof agent.webId === 'string';
if (isLoggedIn) { if (isLoggedIn) {
@ -87,6 +93,15 @@ export class WebAclAuthorizer extends Authorizer {
return `${mode[0].toUpperCase()}${mode.slice(1).toLowerCase()}`; return `${mode[0].toUpperCase()}${mode.slice(1).toLowerCase()}`;
} }
/**
* Returns the identifiers of all authorizations that grant the given mode access for a resource.
* @param store - The store containing the quads of the acl resource.
* @param aclMode - A valid acl mode (ACL.Write/Read/...)
*/
private getModePermissions(store: Store, aclMode: string): Term[] {
return store.getQuads(null, ACL.mode, aclMode, null).map((quad: Quad): Term => quad.subject);
}
/** /**
* Checks if the given agent has access to the modes specified by the given authorization. * Checks if the given agent has access to the modes specified by the given authorization.
* @param agent - Credentials of agent that needs access. * @param agent - Credentials of agent that needs access.

16
test/unit/authorization/WebAclAuthorizer.test.ts
View File

@ -155,4 +155,20 @@ describe('A WebAclAuthorizer', (): void => {
await expect(promise).rejects.toThrow('No ACL document found for root container'); await expect(promise).rejects.toThrow('No ACL document found for root container');
await expect(promise).rejects.toThrow(InternalServerError); await expect(promise).rejects.toThrow(InternalServerError);
}); });
it('allows an agent to append if they have write access.', async(): Promise<void> => {
credentials.webId = 'http://test.com/user';
identifier.path = 'http://test.com/foo';
permissions = {
read: false,
write: false,
append: true,
};
store.getRepresentation = async(): Promise<Representation> => ({ data: streamifyArray([
quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
]) } as Representation);
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined();
});
}); });