enniel / adonis-acl

demo app: https://github.com/enniel/adonis-acl-blog-demo
MIT License

is middleware or ( || ) operator not working #22

Open erikkallen opened 6 years ago

erikkallen commented 6 years ago

In my application I have added multiple roles such as administrator, and I am trying to limit routes to specific roles as shown in the documentation:

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator || support || productionOwner)'])

However, only the first role is considered, and if I have a support role (in this example) I receive a forbidden error.

Looking at the code in the middleware (src/Middlewares/Is.js):

class Is {
  async handle ({ auth }, next, ...args) {
    let expression = args[0]
    if (Array.isArray(expression)) {
      expression = expression[0]
    }
    console.log("Expression ", args, expression)
    const is = await auth.user.is(expression)
    if (!is) {
      throw new ForbiddenException()
    }

    await next()
  }
}

I looked at the values passed, and it seems to me the method does not receive the expected input: Expression [ [ '(administrator ' ] ] (administrator, where to me it looks like the function expects something like 'administrator || support'.

Looking at the documentation of adonis middleware, it seems that the pipe operator is used for passing multiple middlewares: "Middleware uses the pipe expression to define props." This might have recently changed (I see no mention of the pipe syntax in the adonis 3.2 docs).

I would like to know if I am missing something obvious. If not, my guess is that the passing of operators has to be changed to text versions like 'or' and 'and'.

erikkallen commented 6 years ago

I have created a pull request with a possible fix/workaround

cmelgarejo commented 6 years ago

No need for a workaround, just an update to the README.md. Feel free to merge https://github.com/enniel/adonis-acl/pull/24 or just use @erikkallen's PR when he corrects the README.md too. 👍

gideaoms commented 5 years ago

This way solves this problem:

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

AndreCosta101 commented 4 years ago

This way solves this problem:

Route.post('/device/:id/upload', 'DeviceController.upload') 
.middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

It works!! Many thanks!

ajkal5 commented 4 years ago

Hi Erik Kallen,

I have tried with || and or, for both I get Invalid Expression when I test from PostMan.

Route.resource('/permissions', 'PermissionController').apiOnly().middleware(['auth', 'is:(administrator or moderator)'])

Any suggestions with changes?

Thanks

Ajay K

erikkallen commented 4 years ago

I think you are missing which auth provider to use, auth:jwt or auth:api; you only have auth.

On Sun, 24 May 2020 at 21:00, ajakl5 notifications@github.com wrote:

Hi Erik Kallen,

I have tried with || and or, for both I get Invalid Expression when I test from PostMan.

Route.resource('/permissions', 'PermissionController').apiOnly().middleware(['auth', 'is:(administrator or moderator)'])

Any suggestions with changes?

Thanks

Ajay K


ajkal5 commented 4 years ago

Erik,

I have changed to:

Route.resource('/roles', 'RoleController').apiOnly().middleware(['auth:jwt', 'is:(administrator || moderator)'])

Still same issue.

Thanks

Ajay K

erikkallen commented 4 years ago

Now try with or

On Sun, 24 May 2020 at 21:15, ajakl5 notifications@github.com wrote:

Erik,

I have changed to :

Route.resource('/roles', 'RoleController').apiOnly().middleware(['auth:jwt', 'is:(administrator || moderator)']) , still same issue. [image: 2020-05-25_003442] https://user-images.githubusercontent.com/48468112/82762868-0f897f00-9e21-11ea-873a-ceace2d7a722.png

Thanks

Ajay K


ajkal5 commented 4 years ago

Hi Erik,

Yes, it finally works.

Thanks

Ajay K

Kledenai commented 4 years ago

This way solves this problem:

Route.post('/device/:id/upload', 'DeviceController.upload') 
.middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

owwwwwwwwww mannn thanks thanks thanks mann ahhhhhhhh!!!

saved me a really big time 😆

ewchow commented 4 months ago

In case anyone is interested in knowing why |s get stripped from middleware arguments (at least up to v5): In @adonisjs/http-server, a package called @poppinss/haye supplies a parsing function called Pipe that parses named middleware. It looks for delimiters like : to get the middleware args. Here is where it matches for |s, and I'm guessing the intention is that middleware can be supplied as "auth:web|is:admin" or something like that.
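The truncation discussed in this thread, as an added example that is not code from adonis-acl, @adonisjs/http-server or @poppinss/haye. `parsePipe` is a simplified model of pipe-style parsing (an assumption for illustration), and `checkAclMiddleware` is a hypothetical boot-time check for route definitions whose role expression would be cut short.

```javascript
// Simplified model of pipe-style middleware parsing (an assumption, not the
// library source): '|' separates middleware, the first ':' separates the
// name from its args, ',' separates args.
function parsePipe (definition) {
  return definition
    .split('|')
    .filter((part) => part.trim() !== '')
    .map((part) => {
      const idx = part.indexOf(':')
      if (idx === -1) return { name: part.trim(), args: [] }
      return { name: part.slice(0, idx).trim(), args: part.slice(idx + 1).split(',') }
    })
}

// The expression the `is` middleware would end up evaluating for one entry.
function expressionSeenByIs (definition) {
  const is = parsePipe(definition).find((m) => m.name === 'is')
  return is ? is.args[0] : undefined
}

// Hypothetical check: flag `is:` entries whose expression contains the pipe
// delimiter or reaches the middleware with unbalanced parentheses.
function checkAclMiddleware (definition) {
  const problems = []
  const seen = expressionSeenByIs(definition)
  if (seen === undefined) return problems // not an `is` entry
  if (definition.includes('|')) {
    problems.push("'|' is a middleware delimiter; write 'or' / 'and' instead")
  }
  const opens = (seen.match(/\(/g) || []).length
  const closes = (seen.match(/\)/g) || []).length
  if (opens !== closes) {
    problems.push(`expression reaches the middleware truncated: '${seen}'`)
  }
  return problems
}

// Route middleware strings taken from the thread above.
const samples = [
  'auth:jwt',
  'is:(administrator || support || productionOwner)',
  'is:(administrator or support or productionOwner)'
]
for (const entry of samples) {
  console.log(entry, '->', JSON.stringify(expressionSeenByIs(entry)), checkAclMiddleware(entry))
}
```

Running such a check over every route's middleware list at startup turns a silently shortened role expression into a visible configuration error.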