We want to disable authorization checks for an arbitrary list of resolvers, i.e. "actions" on "resources" in the ACL terminology, so that selected resources can be read (or otherwise accessed) without a login.
To do so, the following steps need to be carried out:
Step 1
Delete the following from server.js (the global express-jwt middleware that currently rejects every request without a valid token, except on '/login'):
// Force users to sign in to get access to anything else than '/login'
console.log("REQUIRE: ", globals.REQUIRE_SIGN_IN);
if (globals.REQUIRE_SIGN_IN) {
app.use(jwt({ secret: globals.JWT_SECRET }).unless({ path: ['/login'] }));
}
But make sure that after the deletion the authorization checks still work and there are no security holes: once this middleware is gone, nothing rejects unauthenticated requests globally any more, so every resolver must run the checkAuthorization check itself. A resolver that forgets the check becomes reachable without any token, which is exactly the hole to look for when reviewing this change.
Step 2
Add an optional setting to the globals (read from the environment like the other values), e.g. in globals.js:
// globals.js
// Declare any role(s) found in acl_rules.js whose permissions are granted freely,
// i.e. without a login and without a user assigned, on their respective resources.
// Leave unset or empty to keep the current behaviour (token required everywhere):
// WHITELIST_ROLES = ["reader"];
Step 3
Adjust the utils/checkAuthorization.js module so that the whitelist is consulted before the token is verified (a whitelisted resource must not fail just because the request carries no token):
try {
  if (isNonEmptyArray(globals.WHITELIST_ROLES)) {
    // Check whether the whitelisted roles already grant `permission` on `resource`
    // (context.acl.areAnyRolesAllowed(globals.WHITELIST_ROLES, resource, permission)).
    // If so, return that result as the "green light" without touching the token;
    // otherwise fall through and continue checking the token-derived roles as below.
  }
  // Identify the user from the context (throws on a missing, malformed, expired or forged token)
  let decoded = jwt.verify(token, JWT_SECRET);
  // Check for permissions from the user's specific roles
  return context.acl.areAnyRolesAllowed(decoded.roles, resource, permission);
} catch (err) {
  // Invalid token and the resource is not covered by the whitelist: fail closed
  console.log("invalid token...");
  console.log(err);
  throw new Error(err);
  // return false;
}