Broken rights while using profiles with same role and distinc restrictions

[ballinette]

Given we have 2 profiles using the same role, with different restrictions:

roles = {
  'admin': {
    'controllers': {
        '*': {
           actions: {'*': true}
        }
     }
  }
}

profiles = {
  superadmin: {
    policies: [
      {
        roleId: 'admin'
      }
    ]
  },
  restrictedadmin: {
    policies: [
      {
        roleId: 'admin',
        restrictedTo: [
          {index: 'foo', collections: '*'},
          {index: 'bar': collections: ['baz']}
        ]
      }
    ]
  }
}

Expected Behavior

users with profile superadmin should be allowed to do any actions without any restriction users with profile restrictedadmin should be allowed to do any actions, but only on foo and bar indexes

Current Behavior

We have an inconsistent behaviour, restrictions for one profile override those for the other one, depending in which order they are loaded.

Possible Solution

Improve the way profiles load roles and their restrictions: https://github.com/kuzzleio/kuzzle/blob/master/lib/api/core/models/security/role.js

Steps to Reproduce

• create 2 profiles superadmin and restrictedadmin as described above

• create one user for each profile

• login with the superadmin user and call auth/getMyRights action => we will get expected result:

  [{controller: '*', action: '*', index: '*', collection: '*', value: 'allowed'}]

• login with the restrictedadmin user and call auth/getMyRights again => we will still have expected result for this user:

  [
  {controller: '*', action: '*', index: 'foo', collection: '*', value: 'allowed'},
  {controller: '*', action: '*', index: 'bar', collection: 'baz', value: 'allowed'}
  ]

• login again with the superadmin user and call `auth/getMyRights => we should have the first result, bug we get the second one.

[scottinet]

Fixed and released in Kuzzle 1.3.1: https://github.com/kuzzleio/kuzzle/releases/tag/1.3.1