From 9af30e99f8446d5ed3eb4f498d002f5119fa9d09 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Wed, 3 Feb 2016 11:53:54 +0100
Subject: [PATCH] Use xo-acl-resolver.
---
 app/node_modules/xo-api/acl.js | 123 -------------------------------
 app/node_modules/xo-api/index.js | 3 +-
 package.json | 1 +
 3 files changed, 2 insertions(+), 125 deletions(-)
 delete mode 100644 app/node_modules/xo-api/acl.js
diff --git a/app/node_modules/xo-api/acl.js b/app/node_modules/xo-api/acl.js
deleted file mode 100644
index dc4a78ac1..000000000
--- a/app/node_modules/xo-api/acl.js
+++ /dev/null
@@ -1,123 +0,0 @@
-// These global variables are not a problem because the algorithm is
-// synchronous.
-let permissionsByObject
-let getObject
-
-// -------------------------------------------------------------------
-
-const authorized = () => true // eslint-disable-line no-unused-vars
-const forbiddden = () => false // eslint-disable-line no-unused-vars
-
-function and (...checkers) { // eslint-disable-line no-unused-vars
- return function (object, permission) {
- for (const checker of checkers) {
- if (!checker(object, permission)) {
- return false
- }
- }
- return true
- }
-}
-
-function or (...checkers) { // eslint-disable-line no-unused-vars
- return function (object, permission) {
- for (const checker of checkers) {
- if (checker(object, permission)) {
- return true
- }
- }
- return false
- }
-}
-
-// -------------------------------------------------------------------
-
-function checkMember (memberName) {
- return function (object, permission) {
- const member = object[memberName]
- return checkAuthorization(member, permission)
- }
-}
-
-function checkSelf ({ id }, permission) {
- const permissionsForObject = permissionsByObject[id]
-
- return (
- permissionsForObject &&
- permissionsForObject[permission]
- )
-}
-
-// ===================================================================
-
-const checkAuthorizationByTypes = {
- host: or(checkSelf, checkMember('$poolId')),
-
- message: checkMember('$object'),
-
- network: or(checkSelf, checkMember('$poolId')),
-
- SR: or(checkSelf, checkMember('$poolId')),
-
- task: checkMember('$host'),
-
- VBD: checkMember('VDI'),
-
- // Access to a VDI is granted if the user has access to the
- // containing SR or to a linked VM.
- VDI (vdi, permission) {
- // Check authorization for the containing SR.
- if (checkAuthorization(vdi.$SR, permission)) {
- return true
- }
-
- // Check authorization for each of the connected VMs.
- for (const {$VM: vm} of vdi.$VBDs) {
- if (checkAuthorization(vm, permission)) {
- return true
- }
- }
-
- return false
- },
-
- VIF: or(checkMember('$network'), checkMember('$VM')),
-
- VM: or(checkSelf, checkMember('$container')),
-
- 'VM-snapshot': checkMember('snapshot_of'),
-
- 'VM-template': authorized
-}
-
-function checkAuthorization (objectId, permission) {
- const object = getObject(objectId)
- const checker = checkAuthorizationByTypes[object.type] || checkSelf
-
- return checker(object, permission)
-}
-
-// -------------------------------------------------------------------
-
-export default function (
- permissionsByObject_,
- getObject_,
- permissions
-) {
- // Assign global variables.
- permissionsByObject = permissionsByObject_
- getObject = getObject_
-
- try {
- for (const [objectId, permission] of permissions) {
- if (!checkAuthorization(objectId, permission)) {
- return false
- }
- }
-
- return true
- } finally {
- // Free the global variables.
- permissionsByObject = getObject = null
- }
-}
diff --git a/app/node_modules/xo-api/index.js b/app/node_modules/xo-api/index.js
index 94a4c855f..4a10bb130 100644
--- a/app/node_modules/xo-api/index.js
+++ b/app/node_modules/xo-api/index.js
@@ -1,5 +1,6 @@
 import angular from 'angular'
 import angularCookies from 'angular-cookies'
+import checkPermissions from 'xo-acl-resolver'
 import cloneDeep from 'lodash.clonedeep'
 import forEach from 'lodash.foreach'
 import indexOf from 'lodash.indexof'
@@ -9,8 +10,6 @@ import xoLib from 'xo-lib'
 import XoUniqueIndex from 'xo-collection/unique-index'
 import XoView from 'xo-collection/view'
-import checkPermissions from './acl'
-
 const {defineProperty} = Object
 const {isArray, isString} = angular
diff --git a/package.json b/package.json
index 1a8a6302b..cc26ed7c4 100644
--- a/package.json
+++ b/package.json
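Review bot: The new `import checkPermissions from 'xo-acl-resolver'` line in the first index.js hunk replaces the in-tree `./acl` module (its import is removed in the following hunk) without recording the contract the call sites depend on; none of those call sites is visible in these hunks. The deleted acl.js exported a default function taking `(permissionsByObject, getObject, permissions)` and returning a boolean, so a comment above the import such as `// xo-acl-resolver: default export (permissionsByObject, getObject, permissions) => boolean, same contract as the former ./acl` would make a later signature drift easier to catch. Because this permission check runs in the Angular client, its result presumably only decides what the UI shows; it is worth confirming that the server enforces the same ACLs independently.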
@@ -88,6 +88,7 @@
 "vinyl": "^1.1.0",
 "watchify": "^3.1.1",
 "ws": "^0.8.0",
+ "xo-acl-resolver": "0.0.0-0",
 "xo-collection": "^0.4.0",
 "xo-lib": "^0.7.3",
 "xo-remote-parser": "^0.1.0"
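Review bot: `"xo-acl-resolver": "0.0.0-0"` pins the package that now holds the permission-resolution logic to an exact prerelease version, whereas the neighbouring `xo-collection`, `xo-lib` and `xo-remote-parser` entries use caret ranges. An exact pin keeps the ACL behaviour reproducible, but fixes to the resolver will not arrive until this line is edited by hand, and a `0.0.0-0` prerelease gives no compatibility signal for code that replaces 123 lines of in-tree checks. Since package.json cannot carry a comment, the commit description is the place to state that the pin is deliberate, and the entry should move to a released version (`"xo-acl-resolver": "<released-version>"`) once one exists.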