yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-08-09 09:14:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
strapi/packages/strapi-admin/services/permission/engine.js

100 lines
3.4 KiB
JavaScript
Raw Blame History

'use strict';
const _ = require('lodash');
const { map, filter, forEach } = require('lodash/fp');
const { defineAbility } = require('@casl/ability');
module.exports = conditionProvider => ({
/**
* Generate an ability based on the given user (using associated roles & permissions)
* @param user
* @param options
* @returns {Promise<Ability>}
*/
async generateUserAbility(user, options) {
const permissions = await this.findPermissionsForUser(user);
const abilityCreator = this.generateAbilityCreatorFor(user);
return abilityCreator(permissions, options);
},
/**
* Create an ability factory for a specific user
* @param user
* @returns {function(*, *): Promise<Ability>}
*/
generateAbilityCreatorFor(user) {
return async (permissions, options) =>
defineAbility(async can => {
const registerFn = this.createRegisterFunction(can);
for (const permission of permissions) {
await this.evaluatePermission({ permission, user, options, registerFn });
}
});
},
/**
* Register new rules using `registerFn` based on valid permission's conditions
* @param permission
* @param user
* @param options
* @param registerFn
* @returns {Promise<void>}
*/
async evaluatePermission({ permission, user, options, registerFn }) {
const { action, subject, fields, conditions } = permission;
// Transform a conditionName into its associated value in the conditionProvider
const resolve = conditionProvider.get;
// A valid condition is either a function or an object
const isValidCondition = condition => _.isFunction(condition) || _.isObject(condition);
// If the resolved condition is a function, we need to call it and return its result
const evaluate = async cond =>
_.isFunction(cond) ? await cond(user, options) : Promise.resolve(cond);
// A final valid result (for a condition) is either a 'true' boolean or an object
const isValidResult = result => result === true || _.isObject(result);
// Transform a final valid result into a registerFn options's object
const toRegisterOptions = result => ({ action, subject, fields, condition: result });
// Directly registers the permission if there is no condition to check/evaluate
if (_.isUndefined(conditions) || _.isEmpty(conditions)) {
return registerFn(toRegisterOptions(true));
}
await Promise.resolve(conditions)
.then(map(resolve))
.then(filter(isValidCondition))
.then(conditions => Promise.all(conditions.map(evaluate)))
.then(filter(isValidResult))
.then(map(toRegisterOptions))
.then(forEach(registerFn));
},
/**
* Use the user's roles to find and flatten associated permissions.
* @param user
* @returns {Promise<Array>}
*/
async findPermissionsForUser(user) {
const rolesId = user.roles.map(_.property('id'));
const roles = await strapi.query('role', 'admin').find({ id_in: rolesId }, ['permissions']);
return _.flatMap(roles, _.property('permissions'));
},
/**
* Encapsulate a register function with custom params to fit `evaluatePermission`'s syntax
* @param can
* @returns {function({action?: *, subject?: *, fields?: *, condition?: *}): *}
*/
createRegisterFunction(can) {
return ({ action, subject, fields, condition }) =>
can(action, subject, fields, _.isObject(condition) ? condition : undefined);
},
});
Reference in New Issue View Git Blame Copy Permalink