- assert = require 'assert'
- async = require 'async'
- debug = require 'debug' 'app:security:acl'
- Context = require './context'
- Principle = require './principle'
- Request = require './request'
- Role = require './role'
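class ACL
  # An ACL instance is one access rule. The fields read by the scoring code
  # are: model, property, type, principleType, principleId and permission.
  # A rule that omits model/property/type is treated as a wildcard for that
  # field (see ACL.getMatchScore), so a sparse rule matches broadly.
  constructor: ->
    # Nothing to initialise; the original returned `null`, which `new`
    # ignores anyway.

  # Resolve the permission that applies to `req` given the rules in `acl`.
  #
  # acl - array of rules (ACL instances or plain rule objects); may be
  #       null/empty, in which case ACL.DEFAULT is returned
  # req - a Request, or a plain object accepted by the Request constructor
  #
  # Returns a new Request for the same model/property/accessType whose
  # permission is the resolved one (ACL.DEFAULT when no rule matches).
  # `acl` is not mutated (the original sorted it in place).
  resolvePermission: (acl, req) ->
    # Normalise the request and keep going; the original `return`ed the
    # wrapped request here, so nothing was ever resolved for plain objects.
    req = new Request(req) unless req instanceof Request

    # Score each rule exactly once and rank the strongest first. The original
    # re-scored rules inside the sort comparator and then looped over the
    # ACL class itself (`for candidate in ACL`) instead of the rule array.
    scored = ({rule, score: ACL.getMatchScore(rule, req)} for rule in (acl or []))
    scored.sort (a, b) -> b.score - a.score

    permission = ACL.DEFAULT
    for {rule, score} in scored
      # Descending order: the first rule that does not match ends the search.
      break if score < 0
      unless req.isWildcard()
        # Concrete request: the best-ranked matching rule decides.
        permission = rule.permission
        break
      if req.matches rule
        # Wildcard request with an exact rule: that rule decides.
        permission = rule.permission
        break
      # Wildcard request: keep the strongest permission seen so far, as
      # ranked by Context.permissionOrder.
      oCandidate = Context.permissionOrder[rule.permission]
      oPermission = Context.permissionOrder[permission]
      permission = rule.permission if oCandidate > oPermission

    # `req.modelm` in the original was a typo that turned the whole argument
    # list into a call on an undefined method.
    new Request(req.model, req.property, req.accessType, permission or ACL.DEFAULT)

  # Rank this rule against `req`; see ACL.getMatchScore for the scale.
  # The original took no argument and referenced an undefined `req`.
  score: (req) ->
    @constructor.getMatchScore @, req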
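# Rank `rule` against `req`. A higher score is a more specific match;
# -1 means the rule does not apply to the request at all.
#
# rule - {model, property, type, principleType, principleId, permission};
#        a missing model/property/type is treated as ACL.ALL (wildcard)
# req  - {model, property, type, methodNames}; a missing field is likewise
#        treated as ACL.ALL, and a missing methodNames as an empty list
#
# Weights, most significant first: model, property, type (exact 3 /
# rule wildcard 2 / request wildcard 1), then principle type, then the
# built-in role, then the permission's rank in Context.permissionOrder.
ACL.getMatchScore = (rule, req) ->
  # Explicit brackets: the original relied on an unbracketed indented list.
  properties = ['model', 'property', 'type']
  # Tolerate a request without method aliases instead of throwing.
  methodNames = req.methodNames or []
  score = 0
  for p in properties
    # Two bits per property, so earlier properties outweigh later ones.
    score *= 4
    vRule = rule[p] or ACL.ALL
    vReq = req[p] or ACL.ALL
    # A property rule may name one of the request's method aliases.
    isMatchMethodName = p is 'property' and methodNames.indexOf(vRule) isnt -1
    # NOTE(review): an EXECUTE rule is scored as an exact match for whatever
    # type is requested (READ/WRITE included) — confirm this breadth is
    # intended, since it widens what an EXECUTE ALLOW rule covers.
    isMatchType = p is 'type' and vRule is ACL.EXECUTE
    if vRule is vReq or isMatchMethodName or isMatchType
      # exact match
      score += 3
    else if vRule is ACL.ALL
      # rule is a wildcard
      score += 2
    else if vReq is ACL.ALL
      # request is a wildcard
      score += 1
    else
      # doesn't match at all
      return -1

  # Principle type: more specific principles rank higher.
  score *= 4
  switch rule.principleType
    when ACL.USER then score += 4
    when ACL.APP then score += 3
    when ACL.ROLE then score += 2
    else score += 1

  # Built-in roles rank below a custom role (the `else` branch scores
  # highest); AUTHENTICATED and UNAUTHENTICATED rank equally.
  score *= 8
  if rule.principleType is ACL.ROLE
    switch rule.principleId
      when Role.OWNER then score += 4
      when Role.RELATED then score += 3
      when Role.AUTHENTICATED, Role.UNAUTHENTICATED then score += 2
      when Role.EVERYONE then score += 1
      else score += 5

  # Permission rank breaks ties. A rule without a permission is ranked as
  # ALLOW here; the original read `rule.perssion` (typo), which was always
  # undefined, so every rule was ranked as ALLOW.
  score *= 4
  score += Context.permissionOrder[rule.permission or ACL.ALLOW] - 1
  score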
# Re-export the permission / access-type constants from Context so callers
# can write ACL.ALLOW, ACL.READ, etc. without importing Context.
for name in ['ALL', 'DEFAULT', 'ALLOW', 'ALARM', 'AUDIT', 'DENY', 'READ', 'WRITE', 'EXECUTE']
  ACL[name] = Context[name]

# Re-export the principle-type constants from Principle.
for name in ['APP', 'ROLE', 'SCOPE', 'USER']
  ACL[name] = Principle[name]

module.exports = ACL