jxmono / crud

:fork_and_knife: CRUD for mono
MIT License

Check permissions for find operation #4

Closed IonicaBizau closed 11 years ago

IonicaBizau commented 11 years ago

It's great that getTemplates was fixed and it will get the templates, checking the permissions of the user (cc #2).

But what about find with the following crud object?

    {
        "t": "_template",
        "q": {}
    }

After this request, the response will contain all templates (even the basic ones: templates, lists, roles).

gabipetrovay commented 11 years ago

With the new model the roles are still given to the client. They should be filtered in some way (or completely removed) before returning template results to the client.

Probably the super-admin (the one that can edit roles and templates) should see them. The others should not.

ottiker commented 11 years ago

The solution to this problem is to configure a query in a role which is dynamically built with user data on each request.

    // Example role entry on a template document. The query maps a field of
    // the documents to a field of the requesting user and is rebuilt from the
    // user's data on every request.
    var myTemplate = { roles: {} };
    myTemplate.roles["roleId"] = {
        access: 1, // 2 | 3
        query: {
            // field to query: field from user
            _id: "_id"
        }
    }
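
The role-query idea from the comment above, as an added example that is not jxmono/crud's own code: a `find()` that rebuilds the role's query from the requesting user on every request and combines it with the client's `q` using `$and`, so the client query can narrow but never widen the visible set. The sample data, the `_user` and `article` templates, the single `role` field on a user, and the reading of access level 1 as "read" are assumptions made for this illustration.

```javascript
"use strict";

// Added example (not jxmono/crud code). Assumption: access levels are
// cumulative and 1 means read; the comment above lists 1, 2, 3 without
// defining them.
const ACCESS_READ = 1;

// Constructed sample data. The "_template" collection holds one document per
// template, each with a roles map in the shape of the snippet above. The
// "_user" and "article" templates and the `role` field on a user are assumed.
const db = {
  _template: [
    { _id: "_template", roles: { admin: { access: 1, query: {} } } },
    { _id: "_role",     roles: { admin: { access: 1, query: {} } } },
    { _id: "_list",     roles: { admin: { access: 1, query: {} } } },
    { _id: "_user",     roles: { admin:  { access: 1, query: {} },
                                 editor: { access: 1, query: { _id: "_id" } } } },
    { _id: "article",   roles: { admin:  { access: 1, query: {} },
                                 editor: { access: 1, query: { owner: "_id" } } } },
  ],
  _user: [
    { _id: "u1", role: "admin" },
    { _id: "u2", role: "editor" },
    { _id: "u3", role: "editor" },
  ],
  article: [
    { _id: "a1", owner: "u2", title: "mine" },
    { _id: "a2", owner: "u3", title: "theirs" },
  ],
};

function templateFor(templateId) {
  return db._template.find((t) => t._id === templateId);
}

// Turn the role's "document field -> user field" map into a concrete query
// for this request. Fails closed: if the user lacks the field, an equality
// test against undefined would match every document missing that field.
function resolveRoleQuery(roleQuery, user) {
  const resolved = {};
  for (const [docField, userField] of Object.entries(roleQuery)) {
    if (!(userField in user)) {
      throw new Error(`user has no field "${userField}" required by role query`);
    }
    resolved[docField] = user[userField];
  }
  return resolved;
}

// Minimal query matcher: top-level equality plus $and, enough for the example.
function matches(doc, query) {
  return Object.entries(query).every(([key, value]) =>
    key === "$and" ? value.every((sub) => matches(doc, sub)) : doc[key] === value
  );
}

// The find operation: the client's `q` is combined with the role's query using
// $and rather than a key merge, so `q` can narrow the result but never widen it.
function find(user, crud) {
  const template = templateFor(crud.t);
  if (!template) throw new Error(`unknown template "${crud.t}"`);
  const role = template.roles[user.role];
  if (!role || role.access < ACCESS_READ) return []; // no role here: nothing visible
  const effective = { $and: [crud.q || {}, resolveRoleQuery(role.query, user)] };
  return (db[crud.t] || []).filter((doc) => matches(doc, effective));
}

const admin = db._user[0];
const editor = db._user[1];
console.log(find(admin, { t: "_template", q: {} }).map((d) => d._id));   // all five
console.log(find(editor, { t: "_template", q: {} }));                     // []
console.log(find(editor, { t: "_user", q: {} }).map((d) => d._id));       // ["u2"]
console.log(find(editor, { t: "article", q: { owner: "u3" } }));          // []
```

Two design points matter here: a plain `Object.assign(q, roleQuery)` would let a client `q` containing the same key overwrite the role restriction, so the queries are ANDed instead; and a role query whose user field is absent throws rather than silently resolving to `undefined`, since a real query engine would otherwise match documents that lack the field.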

ottiker commented 11 years ago

fixed in d785dca9c080878f7fe85d18d10c695fa00a08d3

New changes are (soon) documented in the readme.