Various updates.

src/api/acl.js

@@ -18,7 +18,7 @@ getCurrent.description = 'get existing ACLs concerning current user'
 
 // -------------------------------------------------------------------
 
-export async function add ({subject, object, action = 'view'}) {
+export async function add ({subject, object, action}) {
   await this.addAcl(subject, object, action)
 }
 
@@ -27,7 +27,7 @@ add.permission = 'admin'
 add.params = {
   subject: { type: 'string' },
   object: { type: 'string' },
-  // action: { type: 'string' }
+  action: { type: 'string' }
 }
 
 add.description = 'add a new ACL entry'

src/api/test.js

@@ -2,6 +2,26 @@ import {delay} from 'bluebird'
 
 // ===================================================================
 
+export function hasPermission ({userId, objectId, permission}) {
+  return this.hasPermission(userId, objectId, permission)
+}
+
+hasPermission.permission = 'admin'
+
+hasPermission.params = {
+  userId: {
+    type: 'string'
+  },
+  objectId: {
+    type: 'string'
+  },
+  permission: {
+    type: 'string'
+  }
+}
+
+// -------------------------------------------------------------------
+
 export function wait ({duration, returnValue}) {
   return delay(returnValue, +duration)
 }

src/models/acl.js

@@ -41,6 +41,10 @@ export class Acls extends Collection {
     return Acl.hash(subject, object, action).then(hash => this.remove(hash))
   }
 
+  aclExists (subject, object, action) {
+    return Acl.hash(subject, object, action).then(hash => this.exists(hash))
+  }
+
   async get (properties) {
     const acls = await super.get(properties)
 

src/xo.js

@@ -190,7 +190,7 @@ export default class Xo extends EventEmitter {
   }
 
   async hasPermission (userId, objectId, permission) {
-    const user = await this.getUser()
+    const user = await this.getUser(userId)
 
     // Special case for super XO administrators.
     //
@@ -201,7 +201,7 @@ export default class Xo extends EventEmitter {
     // }
 
     const subjects = user.groups.concat(userId)
-    const actions = (await this.getRolesForPermission(permission)).concat(permission)
+    let actions = (await this.getRolesForPermission(permission)).concat(permission)
 
     const promises = []
     {
@@ -216,7 +216,7 @@ export default class Xo extends EventEmitter {
       forEach(subjects, subject => {
         forEach(actions, action => {
           promises.push(
-            acls.exists({subject, object: objectId, action}).then(throwIfFail)
+            acls.aclExists(subject, objectId, action).then(throwIfFail)
           )
         })
       })
@@ -415,14 +415,17 @@ export default class Xo extends EventEmitter {
     ]
   }
 
-  // Returns an array of permission for a role.
+  // Returns an array of roles which have a given permission.
-  //
+  async getRolesForPermission (permission) {
-  // If not a role, it will return undefined.
+    const roles = []
-  async resolveRolePermissions (id) {
+
-    const role = (await this.getRoles())[id]
+    forEach(await this.getRoles(), role => {
-    if (role) {
+      if (includes(role.permissions, permission)) {
-      return role.permissions
+        roles.push(role.id)
-    }
+      }
+    })
+
+    return roles
   }
 
   // -----------------------------------------------------------------