nqminds / nqm-api-tdx

nquiringminds Trusted Data Exchange command and query API interface for nodejs clients
https://nqminds.github.io/nqm-api-tdx/

Issues with adding and removing access to resources #26

Open AshleySetter opened 3 years ago

AshleySetter commented 3 years ago

I've found a couple of issues with adding/removing resource access.

1) If I have read and write access I can't add read access.

> api.getResourceAccess("rkec__XVww")
< [
  {
    "aid": "ash@nquiringminds.com/tdx.nqm-2.com",
    "by": "ivan@nquiringminds.com/tdx.nqm-2.com,KzXrnrEhHR",
    "rid": "rkec__XVww",
    "__v": 0,
    "grp": "a",
    "own": "ivan@nquiringminds.com/tdx.nqm-2.com",
    "par": [
      "xje4s"
    ],
    "r": [
      "xje4s"
    ],
    "w": [
      "xje4s"
    ],
    "typ": "resourceGroup"
  }
]
> api.addResourceAccess("rkec__XVww", "anthony@nquiringminds.com/tdx.nqm-2.com", "rkec__XVww", ['r'])
< permission denied

2) If I additionally have a separate read access to a resource I can add access to others, but I can't revoke that access.

> api.getResourceAccess("B1eP_5Q4vw")
< [
  {
    "aid": "ash@nquiringminds.com/tdx.nqm-2.com",
    "by": "ivan@nquiringminds.com/tdx.nqm-2.com,KzXrnrEhHR",
    "rid": "B1eP_5Q4vw",
    "__v": 0,
    "grp": "a",
    "own": "ivan@nquiringminds.com/tdx.nqm-2.com",
    "par": [
      "xje4s"
    ],
    "r": [
      "xje4s"
    ],
    "w": [
      "xje4s"
    ],
    "typ": "resourceGroup"
  },
  {
    "aid": "ash@nquiringminds.com/tdx.nqm-2.com",
    "by": "ivan@nquiringminds.com/tdx.nqm-2.com,r1eFXRroHw",
    "rid": "B1eP_5Q4vw",
    "__v": 0,
    "r": [
      "B1eP_5Q4vw"
    ],
    "grp": null,
    "own": "ivan@nquiringminds.com/tdx.nqm-2.com",
    "par": [
      "xje4s"
    ],
    "typ": "resourceGroup"
  }
]
> api.addResourceAccess("B1eP_5Q4vw", "anthony@nquiringminds.com/tdx.nqm-2.com", "B1eP_5Q4vw", ['r'])
< {
  "commandId": "rJWIpQVDv",
  "response": {},
  "result": {
    "ok": [
      {
        "key": {},
        "events": [
          "5f86ad480d96ae3db9cc05a1"
        ],
        "__version": 1
      }
    ]
  }
}
> api.getResourceAccess("B1eP_5Q4vw")
< [
  {
    "aid": "ash@nquiringminds.com/tdx.nqm-2.com",
    "by": "ivan@nquiringminds.com/tdx.nqm-2.com,KzXrnrEhHR",
    "rid": "B1eP_5Q4vw",
    "__v": 0,
    "grp": "a",
    "own": "ivan@nquiringminds.com/tdx.nqm-2.com",
    "par": [
      "xje4s"
    ],
    "r": [
      "xje4s"
    ],
    "w": [
      "xje4s"
    ],
    "typ": "resourceGroup"
  },
  {
    "aid": "ash@nquiringminds.com/tdx.nqm-2.com",
    "by": "ivan@nquiringminds.com/tdx.nqm-2.com,r1eFXRroHw",
    "rid": "B1eP_5Q4vw",
    "__v": 0,
    "r": [
      "B1eP_5Q4vw"
    ],
    "grp": null,
    "own": "ivan@nquiringminds.com/tdx.nqm-2.com",
    "par": [
      "xje4s"
    ],
    "typ": "resourceGroup"
  },
  {
    "aid": "anthony@nquiringminds.com/tdx.nqm-2.com",
    "by": "ivan@nquiringminds.com/tdx.nqm-2.com,r1eFXRroHw,ash@nquiringminds.com/tdx.nqm-2.com",
    "rid": "B1eP_5Q4vw",
    "__v": 0,
    "r": [
      "B1eP_5Q4vw"
    ],
    "grp": null,
    "own": "ivan@nquiringminds.com/tdx.nqm-2.com",
    "par": [
      "xje4s"
    ],
    "typ": "resourceGroup"
  }
]
> api.removeResourceAccess("B1eP_5Q4vw", "anthony@nquiringminds.com/tdx.nqm-2.com", "ash@nquiringminds.com/tdx.nqm-2.com", "B1eP_5Q4vw", ['r'])
< permission denied

TobyEalden commented 3 years ago

Hi

  1. If I have read and write access I can't add read access.

This is probably because the access you have is via a group membership ("grp": "a",). I can't recall the reason off the top of my head (if there is one) but permissions as a result of group membership aren't transitive, as it were. I'll look into why this might be and update the documentation.

You should however be able to add other people to the group and subsequently remove them.

  2. If I additionally have a separate read access to a resource I can add access to others, but I can't revoke that access.

I think this will work if you specify the full addedBy path, e.g. "ivan@nquiringminds.com/tdx.nqm-2.com,r1eFXRroHw,ash@nquiringminds.com/tdx.nqm-2.com"

AshleySetter commented 3 years ago

Ok, thanks for the explanation.

You're right, I can remove access if I specify the full addedBy path like so: api.removeResourceAccess("B1eP_5Q4vw", "anthony@nquiringminds.com/tdx.nqm-2.com", "ivan@nquiringminds.com/tdx.nqm-2.com,r1eFXRroHw,ash@nquiringminds.com/tdx.nqm-2.com", "B1eP_5Q4vw", ['r']).

Should it not require just one of the identities in the added by path to remove access?
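
The revocation that worked in this thread passes the grant's stored "by" value unchanged as the addedBy argument. The following is an added example, not code from nqm-api-tdx or from the participants, that reads that value back from getResourceAccess rather than building it by hand. makeFakeApi is a hypothetical stand-in that models only the behaviour reported above, and the sample records are trimmed copies of the output quoted in the thread.

```javascript
// Added example; not nqm-api-tdx code. Field names (aid, by, r, w) come from
// the getResourceAccess output quoted in the thread.
const ASH = "ash@nquiringminds.com/tdx.nqm-2.com";
const ANTHONY = "anthony@nquiringminds.com/tdx.nqm-2.com";
const IVAN = "ivan@nquiringminds.com/tdx.nqm-2.com";

// Access list from the thread after the grant, trimmed to the fields used here.
const SAMPLE_ACCESS = [
  { aid: ASH, by: `${IVAN},KzXrnrEhHR`, grp: "a", r: ["xje4s"], w: ["xje4s"] },
  { aid: ASH, by: `${IVAN},r1eFXRroHw`, grp: null, r: ["B1eP_5Q4vw"] },
  { aid: ANTHONY, by: `${IVAN},r1eFXRroHw,${ASH}`, grp: null, r: ["B1eP_5Q4vw"] },
];

// Exact "by" strings of the grants giving accountId `access` via sourceId.
function addedByPathsFor(accessList, accountId, sourceId, access) {
  return accessList
    .filter((e) => e.aid === accountId)
    .filter((e) => access.every((a) => (e[a] || []).includes(sourceId)))
    .map((e) => e.by);
}

// Hypothetical in-memory stand-in for the TDX client. It models only what the
// thread reports: removal is denied unless addedBy equals the stored "by".
function makeFakeApi(accessList) {
  let list = accessList.slice();
  return {
    getResourceAccess: async () => list.slice(),
    removeResourceAccess: async (rid, aid, addedBy, sourceId, access) => {
      const hit = list.find((e) => e.aid === aid && e.by === addedBy);
      if (!hit) throw new Error("permission denied");
      list = list.filter((e) => e !== hit);
      return { ok: true };
    },
  };
}

// Revoke by reading the grant back and passing its "by" value verbatim.
async function revokeAccess(api, resourceId, accountId, sourceId, access) {
  const current = await api.getResourceAccess(resourceId);
  const paths = addedByPathsFor(current, accountId, sourceId, access);
  if (paths.length === 0) throw new Error("no matching grant to revoke");
  for (const by of paths) {
    await api.removeResourceAccess(resourceId, accountId, by, sourceId, access);
  }
  return paths;
}
```

After a revoke, calling getResourceAccess again and checking that the account's entry is gone confirms the grant was actually removed.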