Everyplay / serverbone

Backbone node.js additions to serve backbone collections/models over express
MIT License

ACL and model property permissions when fetching over a resource #8

Closed karvapallo closed 9 years ago

karvapallo commented 10 years ago

Property permissions which override the model permissions themselves do not seem to be correctly respected when fetching data over a resource by default. Just to elaborate a bit, I would assume that in case no req.actor is provided by a middleware function, the correct assumption would be to use the ACLModel defaults.

This can be fixed by giving a default actor to the fetchOptions by making a minor change to /lib/resources/resource.js on line 467 in the current version (SHA 21b76cb2b02baf162fc0c6bb8b9a02ecfff8c421):

Change this:

fetchOptions.actor = fetchOptions.actor || req.actor;

to this:

fetchOptions.actor = fetchOptions.actor || req.actor || new ACLModel();

And of course require the model at the top of the resource.js:

var ACLModel = require('../models/acl_model.js');

I don't know yet whether or not the same property permission bug plagues other parts of the resource.js.

kosmikko commented 9 years ago

Yeah, it's designed so that req.actor is populated earlier in the middleware stack. This should be documented better.
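The two positions in this thread (a default actor at fetch time, and an actor populated earlier in the middleware stack) can be combined so that property permissions are always evaluated. The sketch below is an added example, not serverbone code and not written by either commenter: `READ_ACL`, `ANONYMOUS`, `toJSONFor`, `ensureActor` and `handle` are hypothetical names, and the ACL table and user record are constructed sample data.

```javascript
// Added illustration; not serverbone code. All names here are hypothetical.

// Constructed property-level ACL: which roles may read each property.
const READ_ACL = {
  id: ['*'],
  username: ['*'],
  email: ['owner', 'admin'],
  password_hash: [], // never readable through the resource
};

// Constructed sample record.
const USER = { id: 7, username: 'alice', email: 'alice@example.test', password_hash: 'x' };

// Actor used for unauthenticated requests: holds only the wildcard role.
const ANONYMOUS = Object.freeze({ id: null, roles: Object.freeze(['*']) });

// Effective roles of an actor with respect to one model instance.
function rolesFor(actor, model) {
  const roles = ['*', ...actor.roles.filter((r) => r !== '*')];
  if (actor.id !== null && actor.id === model.id) roles.push('owner');
  return roles;
}

// Fail-closed serializer: a missing actor is an error, never a reason to skip the check.
function toJSONFor(model, actor) {
  if (!actor) throw new Error('no actor: refusing to serialize without ACL context');
  const roles = rolesFor(actor, model);
  const out = {};
  for (const [prop, allowed] of Object.entries(READ_ACL)) {
    if (prop in model && allowed.some((r) => roles.includes(r))) out[prop] = model[prop];
  }
  return out;
}

// Express-style middleware, mounted before any resource route, so req.actor always exists.
function ensureActor(req, res, next) {
  if (!req.actor) req.actor = ANONYMOUS;
  next();
}

// Simulated request handling (no Express needed to run this example).
function handle(req) {
  let body;
  ensureActor(req, {}, () => { body = toJSONFor(USER, req.actor); });
  return body;
}
```

An authentication middleware that sets `req.actor` for logged-in users would run before `ensureActor`, which only fills the gap for requests that arrive without one.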