update backend with the can() method

This commit is contained in:
riley
2017-05-16 10:50:09 -06:00
parent 62e8e4c5c5
commit c7e9fe3f5f
10 changed files with 34 additions and 122 deletions
+3 -3
View File
@@ -226,7 +226,7 @@ const getCommentsByQuery = async ({user}, {ids, statuses, asset_id, parent_id, a
// Only administrators can search for comments with statuses that are not
// `null`, or `'ACCEPTED'`.
if (user != null && user.canViewNonNullOrAcceptedComments() && statuses) {
if (user != null && user.can('SEARCH_NON_NULL_OR_ACCEPTED_COMMENTS') && statuses) {
comments = comments.where({
status: {
$in: statuses
@@ -249,7 +249,7 @@ const getCommentsByQuery = async ({user}, {ids, statuses, asset_id, parent_id, a
}
// Only let an admin request any user or the current user request themself.
if (user && (user.canViewOthersComments() || user.id === author_id) && author_id != null) {
if (user && (user.can('SEARCH_OTHERS_COMMENTS') || user.id === author_id) && author_id != null) {
comments = comments.where({author_id});
}
@@ -403,7 +403,7 @@ const genRecentComments = (_, ids) => {
*/
const genComments = ({user}, ids) => {
let comments;
if (user && user.canViewOthersComments()) {
if (user && user.can('SEARCH_OTHERS_COMMENTS')) {
comments = CommentModel.find({
id: {
$in: ids
+1 -1
View File
@@ -45,7 +45,7 @@ const deleteAction = ({user}, {id}) => {
};
module.exports = (context) => {
if (context.user && context.user.can('mutation:createAction', 'mutation:deleteAction')) {
if (context.user && context.user.can('CREATE_ACTION', 'DELETE_ACTION')) {
return {
Action: {
create: (action) => createAction(context, action),
+4 -4
View File
@@ -236,19 +236,19 @@ module.exports = (context) => {
}
};
if (context.user && context.user.can('mutation:createComment')) {
if (context.user && context.user.can('CREATE_COMMENT')) {
mutators.Comment.create = (comment) => createPublicComment(context, comment);
}
if (context.user && context.user.can('mutation:setCommentStatus')) {
if (context.user && context.user.can('SET_COMMENT_STATUS')) {
mutators.Comment.setCommentStatus = (action) => setCommentStatus(context, action);
}
if (context.user && context.user.can('mutation:addCommentTag')) {
if (context.user && context.user.can('ADD_COMMENT_TAG')) {
mutators.Comment.addCommentTag = (action) => addCommentTag(context, action);
}
if (context.user && context.user.can('mutation:removeCommentTag')) {
if (context.user && context.user.can('REMOVE_COMMENT_TAG')) {
mutators.Comment.removeCommentTag = (action) => removeCommentTag(context, action);
}
+2 -2
View File
@@ -31,11 +31,11 @@ module.exports = (context) => {
}
};
if (context.user && context.user.can('mutation:setUserStatus')) {
if (context.user && context.user.can('SET_USER_STATUS')) {
mutators.User.setUserStatus = (action) => setUserStatus(context, action);
}
if (context.user && context.user.can('mutation:suspendUser')) {
if (context.user && context.user.can('SUSPEND_USER')) {
mutators.User.suspendUser = (action) => suspendUser(context, action);
}
+1 -1
View File
@@ -11,7 +11,7 @@ const Action = {
// This will load the user for the specific action. We'll limit this to the
// admin users only or the current logged in user.
user({user_id}, _, {loaders: {Users}, user}) {
if (user && (user.canViewOtherUsers() || user_id === user.id)) {
if (user && (user.can('SEARCH_OTHER_USERS') || user_id === user.id)) {
return Users.getByID.load(user_id);
}
}
+1 -1
View File
@@ -29,7 +29,7 @@ const Comment = {
},
actions({id}, _, {user, loaders: {Actions}}) {
if (user && user.canViewActions()) {
if (user && user.can('SEARCH_ACTIONS')) {
return Actions.getByID.load(id);
}
+6 -6
View File
@@ -1,6 +1,6 @@
const RootQuery = {
assets(_, args, {loaders: {Assets}, user}) {
if (user == null || !user.canQueryAssets()) {
if (user == null || !user.can('SEARCH_ASSETS')) {
return null;
}
@@ -22,7 +22,7 @@ const RootQuery = {
comments(_, {query: {action_type, statuses, asset_id, parent_id, limit, cursor, sort, excludeIgnored}}, {user, loaders: {Comments, Actions}}) {
let query = {statuses, asset_id, parent_id, limit, cursor, sort, excludeIgnored};
if (user != null && user.canViewOthersComments() && action_type) {
if (user != null && user.can('SEARCH_OTHERS_COMMENTS') && action_type) {
return Actions.getByTypes({action_type, item_type: 'COMMENTS'})
.then((ids) => {
@@ -37,7 +37,7 @@ const RootQuery = {
return Comments.get.load(id);
},
commentCount(_, {query: {action_type, statuses, asset_id, parent_id}}, {user, loaders: {Actions, Comments}}) {
if (user == null || !user.canViewOthersComments()) {
if (user == null || !user.can('SEARCH_OTHERS_COMMENTS')) {
return null;
}
@@ -54,7 +54,7 @@ const RootQuery = {
},
assetMetrics(_, {from, to, sort, limit = 10}, {user, loaders: {Metrics: {Assets}}}) {
if (user == null || !user.canQueryAssets()) {
if (user == null || !user.can('SEARCH_ASSETS')) {
return null;
}
@@ -66,7 +66,7 @@ const RootQuery = {
},
commentMetrics(_, {from, to, sort, limit = 10}, {user, loaders: {Metrics: {Comments}}}) {
if (user == null || !user.canViewCommentMetrics()) {
if (user == null || !user.can('SEARCH_COMMENT_METRICS')) {
return null;
}
@@ -100,7 +100,7 @@ const RootQuery = {
// so hide it in the event that we aren't an admin.
users(_, {query: {action_type, limit, cursor, sort}}, {user, loaders: {Users, Actions}}) {
if (user == null || !user.canViewOtherUsers()) {
if (user == null || !user.can('SEARCH_OTHER_USERS')) {
return null;
}
+3 -3
View File
@@ -5,7 +5,7 @@ const User = {
actions({id}, _, {user, loaders: {Actions}}) {
// Only return the actions if the user is not an admin.
if (user && user.canViewActions()) {
if (user && user.can('SEARCH_ACTIONS')) {
return Actions.getByID.load(id);
}
@@ -14,7 +14,7 @@ const User = {
// If the user is not an admin, only return comment list for the owner of
// the comments.
if (user && (user.canViewOthersComments() || user.id === id)) {
if (user && (user.can('SEARCH_OTHERS_COMMENTS') || user.id === id)) {
return Comments.getByQuery({author_id: id, sort: 'REVERSE_CHRONOLOGICAL'});
}
@@ -23,7 +23,7 @@ const User = {
roles({id, roles}, _, {user}) {
// If the user is not an admin, only return the current user's roles.
if (user && (user.canChangeRoles() || user.id === id)) {
if (user && (user.can('UPDATE_USER_ROLES') || user.id === id)) {
return roles;
}
-91
View File
@@ -159,41 +159,6 @@ UserSchema.index({
background: false
});
/**
* returns true if the user can look up assets through the api
*/
UserSchema.method('canQueryAssets', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* returns true if the user can view actions
*/
UserSchema.method('canViewActions', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* returns true if the user can view non-null or non-ACCEPTED comments
*/
UserSchema.method('canViewNonNullOrAcceptedComments', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* returns true when a user can view comments that are not their own
*/
UserSchema.method('canViewOthersComments', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* returns true when a user can view comment metrics
*/
UserSchema.method('canViewCommentMetrics', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* returns true if a commenter is staff
*/
@@ -201,35 +166,6 @@ UserSchema.method('isStaff', function () {
return !!intersection(['ADMIN', 'MODERATOR', 'STAFF'], this.roles).length;
});
/**
* returns true when a user can see other user info
*/
UserSchema.method('canViewOtherUsers', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* when a user can modify tags
*/
UserSchema.method('canModifyTags', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* when a user can change roles
*/
UserSchema.method('canChangeUserRoles', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
UserSchema.method('canSetCommentStatus', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
UserSchema.method('canSetUserStatus', function () {
return !!intersection(['ADMIN', 'MODERATOR'], this.roles).length;
});
/**
* This verifies that a password is valid.
*/
@@ -249,39 +185,12 @@ UserSchema.method('verifyPassword', function(password) {
});
});
/**
* All the graph operations that are available for a user.
* @type {Array}
*/
const USER_GRAPH_OPERATIONS = [
'mutation:createComment',
'mutation:createAction',
'mutation:deleteAction',
'mutation:editName',
'mutation:setUserStatus',
'mutation:suspendUser',
'mutation:setCommentStatus',
'mutation:addCommentTag',
'mutation:removeCommentTag'
];
/**
* Can returns true if the user is allowed to perform a specific graph
* operation.
*/
UserSchema.method('can', function(...actions) {
return can(this, null, actions);
if (actions.some((action) => action === 'mutation:setUserStatus' || action === 'mutation:suspendUser' || action === 'mutation:setCommentStatus') && !this.canSetUserStatus()) {
return false;
}
// {add,remove}CommentTag - requires admin and/or moderator role
if (actions.some(a => ['mutation:removeCommentTag', 'mutation:addCommentTag'].includes(a)) && ! this.canModifyTags()) {
return false;
}
return true;
});
// Create the User model.
+13 -10
View File
@@ -13,28 +13,31 @@ module.exports = {
SET_COMMENT_STATUS: 'SET_COMMENT_STATUS',
ADD_COMMENT_TAG: 'ADD_COMMENT_TAG',
REMOVE_COMMENT_TAG: 'REMOVE_COMMENT_TAG',
UPDATE_USER_ROLES: 'UPDATE_USER_ROLES',
UPDATE_CONFIG: 'UPDATE_CONFIG',
reducer: function (user, perm, context, initialState) {
switch (perm) {
case 'muation:createComment':
case this.CREATE_COMMENT:
return true;
case 'mutation:createAction':
case this.CREATE_ACTION:
return true;
case 'mutation:deleteAction':
case this.DELETE_ACTION:
return true;
case 'mutation:editName':
case this.EDIT_NAME:
return true;
case 'mutation:setUserStatus':
case this.UPDATE_USER_ROLES:
return check(user, ['ADMIN']);
case this.SET_USER_STATUS:
return check(user, ['ADMIN', 'MODERATOR']);
case 'mutation:suspendUser':
case this.SUSPEND_USER:
return check(user, ['ADMIN', 'MODERATOR']);
case 'mutation:setCommentStatus':
case this.SET_COMMENT_STATUS:
return check(user, ['ADMIN', 'MODERATOR']);
case 'mutation:addCommentTag':
case this.ADD_COMMENT_TAG:
return check(user, ['ADMIN', 'MODERATOR']);
case 'mutation:removeCommentTag':
case this.REMOVE_COMMENT_TAG:
return check(user, ['ADMIN', 'MODERATOR']);
case 'mutation:updateConfig':
case this.UPDATE_CONFIG:
return check(user, ['ADMIN', 'MODERATOR']);
default:
return initialState;