change: allow read to related data from allowed modules

2025-01-31 11:07:58 +01:00 · 2025-01-31 11:07:58 +01:00 · e17eb30aed
commit e17eb30aed
parent 668d8448da
2 changed files with 158 additions and 23 deletions
--- a/src/helpers/permissionHelper.ts
+++ b/src/helpers/permissionHelper.ts
@ -32,6 +32,19 @@ export default class PermissionHelper {
    return false;
  }

+  static canSome(
+    permissions: PermissionObject,
+    checks: Array<{
+      requiredPermissions: PermissionType | "admin";
+      section: PermissionSection;
+      module?: PermissionModule;
+    }>
+  ) {
+    checks.reduce<boolean>((prev, curr) => {
+      return prev || this.can(permissions, curr.requiredPermissions, curr.section, curr.module);
+    }, false);
+  }
+
  static canSection(
    permissions: PermissionObject,
    type: PermissionType | "admin",
@ -48,6 +61,18 @@ export default class PermissionHelper {
    return false;
  }

+  static canSomeSection(
+    permissions: PermissionObject,
+    checks: Array<{
+      requiredPermissions: PermissionType | "admin";
+      section: PermissionSection;
+    }>
+  ): boolean {
+    return checks.reduce<boolean>((prev, curr) => {
+      return prev || this.can(permissions, curr.requiredPermissions, curr.section);
+    }, false);
+  }
+
  static passCheckMiddleware(
    requiredPermissions: PermissionType | "admin",
    section: PermissionSection,
@ -60,11 +85,29 @@ export default class PermissionHelper {
      if (isOwner || this.can(permissions, requiredPermissions, section, module)) {
        next();
      } else {
-        throw new ForbiddenRequestException(
-          `missing permission for ${section}.${module}.${
-            Array.isArray(requiredPermissions) ? requiredPermissions.join("|") : requiredPermissions
-          }`
-        );
+        throw new ForbiddenRequestException(`missing permission for ${section}.${module}.${requiredPermissions}`);
+      }
+    };
+  }
+
+  static passCheckSomeMiddleware(
+    checks: Array<{
+      requiredPermissions: PermissionType | "admin";
+      section: PermissionSection;
+      module?: PermissionModule;
+    }>
+  ): (req: Request, res: Response, next: Function) => void {
+    return (req: Request, res: Response, next: Function) => {
+      const permissions = req.permissions;
+      const isOwner = req.isOwner;
+
+      if (isOwner || this.canSome(permissions, checks)) {
+        next();
+      } else {
+        let permissionsToPass = checks.reduce<string>((prev, curr) => {
+          return prev + (prev != " or " ? "" : "") + `${curr.section}.${curr.module}.${curr.requiredPermissions}`;
+        }, "");
+        throw new ForbiddenRequestException(`missing permission for ${permissionsToPass}`);
      }
    };
  }
@ -80,11 +123,25 @@ export default class PermissionHelper {
      if (isOwner || this.canSection(permissions, requiredPermissions, section)) {
        next();
      } else {
-        throw new ForbiddenRequestException(
-          `missing permission for ${section}.${module}.${
-            Array.isArray(requiredPermissions) ? requiredPermissions.join("|") : requiredPermissions
-          }`
-        );
+        throw new ForbiddenRequestException(`missing permission for ${section}.${module}.${requiredPermissions}`);
+      }
+    };
+  }
+
+  static sectionPassCheckSomeMiddleware(
+    checks: Array<{ requiredPermissions: PermissionType | "admin"; section: PermissionSection }>
+  ): (req: Request, res: Response, next: Function) => void {
+    return (req: Request, res: Response, next: Function) => {
+      const permissions = req.permissions;
+      const isOwner = req.isOwner;
+
+      if (isOwner || this.canSomeSection(permissions, checks)) {
+        next();
+      } else {
+        let permissionsToPass = checks.reduce<string>((prev, curr) => {
+          return prev + (prev != " or " ? "" : "") + `${curr.section}.${curr.requiredPermissions}`;
+        }, "");
+        throw new ForbiddenRequestException(`missing permission for ${permissionsToPass}`);
      }
    };
  }