trailsjs / sails-permissions

Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.
MIT License
418 stars 113 forks

read permissions blacklist not working #242

Open westlakem opened 8 years ago

westlakem commented 8 years ago

I have a model with a payment ID, and when I do a GET request it returns the blacklisted item

WorkOrder.create({
  id: 1,
  requestedDate: new Date(),
  user: user[0],
  product: product[0],
  paid: true,
  paymentID: 'abcd12'
})

When I do a simple get call to /workOrder/1

it('should not return the paymentID to the registered user', function() {
  return request
    .get('/workOrder/1')
    .expect(200)
    .then(function(res) {
      console.log(res.body)
      return expect(res.body.paymentID).to.equal(undefined)
    })
})

It returns the paymentID with the payload

{ user: 322,
  product: 733,
  id: 1,
  requestedDate: '2016-11-06T15:04:41.174Z',
  paid: true,
  paymentID: 'abcd12',
  createdAt: '2016-11-06T15:04:41.179Z',
  updatedAt: '2016-11-06T15:04:41.179Z' }

even though in bootstrap.js I have

ok = ok.then(function() {
  return PermissionService.grant({
    role: 'registered',
    model: 'WorkOrder',
    action: 'read',
    criteria: { blacklist: ['paymentID'] }
  })
})

and in criteria

sails> Criteria.find({}).then(function(r) {console.log(r)})

Promise {
  _bitField: 0,
  _fulfillmentHandler0: undefined,
  _rejectionHandler0: undefined,
  _promise0: undefined,
  _receiver0: undefined }
sails> [
  { permission: 11953,
    blacklist: [ 'paymentID' ],
    createdAt: '2016-11-06T15:11:52.648Z',
    updatedAt: '2016-11-06T15:11:52.648Z',
    id: 46 } ]

and in permissions

sails> Permission.find({id: 11953}).populate('model').populate('role').then(function(r){console.log(r)})
Promise {
_bitField: 0,
_fulfillmentHandler0: undefined,
_rejectionHandler0: undefined,
_promise0: undefined,
_receiver0: undefined }
sails> [ { model:
{ name: 'WorkOrder',
identity: 'workorder',
attributes:
...
id: 2029 },
role:
{ name: 'registered',
active: true,
createdAt: '2016-11-06T15:11:51.522Z',
updatedAt: '2016-11-06T15:11:51.522Z',
id: 572 },
action: 'read',
relation: 'role',
createdAt: '2016-11-06T15:11:52.640Z',
updatedAt: '2016-11-06T15:11:52.642Z',
id: 11953 } ]
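For reference, the behaviour the report above expects from a read-permission blacklist, written out as an added example that is not part of sails-permissions or of the reporter's code. It assumes the Permission and Criteria rows shown in the issue (a `registered` role, model identity `workorder`, action `read`, and a criteria row with `blacklist: ['paymentID']`); the helper names `blacklistFor`, `stripFields` and `applyBlacklist` are assumptions made here, and the sample rows and record are constructed from the output quoted in the report.

```javascript
// Added example (not the project's own code): apply a read-permission
// blacklist to a response body before it is handed to res.ok(). Function
// names and sample data below are assumptions for this example.

// Constructed sample rows, modelled on the Criteria/Permission output in
// the issue (only the fields needed for filtering are kept).
const samplePermissions = [
  { id: 11953, role: 'registered', model: 'workorder', action: 'read' },
];
const sampleCriteria = [
  { id: 46, permission: 11953, blacklist: ['paymentID'] },
];

// Union of blacklisted attribute names across every permission that
// matches this role, model and action. Using a union means that if several
// grants apply, the most restrictive combination wins.
function blacklistFor(permissions, criteria, role, modelIdentity, action) {
  const wanted = modelIdentity.toLowerCase();
  const permissionIds = new Set(
    permissions
      .filter(p => p.role === role && p.model === wanted && p.action === action)
      .map(p => p.id)
  );
  const fields = new Set();
  for (const c of criteria) {
    if (!permissionIds.has(c.permission)) continue;
    for (const f of c.blacklist || []) fields.add(f);
  }
  return fields;
}

// Shallow copy of one record without the blacklisted attributes. The copy
// matters: mutating the Waterline record in place could leak the change
// into other handlers that still hold a reference to it.
function stripFields(record, fields) {
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (!fields.has(key)) out[key] = value;
  }
  return out;
}

// Works for both a single record (GET /workOrder/1) and a list of records
// (GET /workOrder); an empty blacklist returns the body untouched.
function applyBlacklist(body, fields) {
  if (fields.size === 0 || body == null) return body;
  return Array.isArray(body)
    ? body.map(r => stripFields(r, fields))
    : stripFields(body, fields);
}

// Constructed sample: the record the issue shows being returned unfiltered.
const workOrder = {
  user: 322,
  product: 733,
  id: 1,
  requestedDate: '2016-11-06T15:04:41.174Z',
  paid: true,
  paymentID: 'abcd12',
  createdAt: '2016-11-06T15:04:41.179Z',
  updatedAt: '2016-11-06T15:04:41.179Z',
};

// What the registered user should see for GET /workOrder/1.
function filteredWorkOrder() {
  const fields = blacklistFor(samplePermissions, sampleCriteria,
    'registered', 'WorkOrder', 'read');
  return applyBlacklist(workOrder, fields);
}

console.log(filteredWorkOrder());
```

In a Sails app the natural place for `applyBlacklist` is the point where the blueprint or controller calls `res.ok(...)`, so that the filter runs on every code path that serialises the model rather than only in a single action. A test like the one in the report (asserting `res.body.paymentID` is `undefined`) is the right regression check: assert on the absence of the field, not on the presence of the others.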

saravanannnallasamy commented 7 years ago

https://github.com/trailsjs/sails-permissions/issues/45

res.ok(products)