fix(): Not respecting denied: true of IAccessInfo onury/accesscon…

…trol#67
anodynos · Feb 26, 2019 · c4358a7 · c4358a7
1 parent d5bf5e0
commit c4358a7
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -32,7 +32,11 @@ A facade enhancing the great javascript [Access Control](https://onury.io/access
         action: 'look:any',
       }
       
-  You can of course use any combination, even `'*'` for *permit all* :-) 
+  You can of course use any combination, even `'*'` for *permit all* :-)
+
+- Solving various smaller issues and bugs: 
+
+  - Not respecting `denied: true` of `IAccessInfo` in `AccessControl.grant` - https://github.com/onury/accesscontrol/issues/67   
 
 ## How to use
 
@@ -48,7 +52,7 @@ A facade enhancing the great javascript [Access Control](https://onury.io/access
         }, ...
     ]
 
-    addAccessInfo(accessInfos);        // also accepts a single accessInfo
+    addAccessInfo(accessInfos);        // also accepts a single IAccessInfo
     const ac: AccessControl = build(); // @note: can call only `_.once`!
 
     // you should use `ac.permission()` only from now on :-)

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "accesscontrol-re",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "main": "./build/src/index.js",
   "scripts": {
     "clean": "rimraf coverage build tmp",

diff --git a/src/__tests__/AccessControlRe.spec.ts b/src/__tests__/AccessControlRe.spec.ts
@@ -22,8 +22,6 @@ describe.only('AccessControlRe', () => {
     );
   });
 
-  it.skip(``, () => {}); // covered below :-)
-
   it(`allows custom actions, since a "user" can "like" ANY "comment"`, () => {
     expect(
       ac.permission({
@@ -46,12 +44,22 @@ describe.only('AccessControlRe', () => {
     ).toEqual(false);
   });
 
-  it(`admin can delete ANY post`, () => {
+  it(`'denied: true' in IAccessInfo is respected - user CANNOT approve ANY post`, () => {
     expect(
       ac.permission({
-        role: 'admin',
-        action: 'delete:any',
-        resource: 'comment',
+        role: 'user',
+        action: 'approve:any',
+        resource: 'post',
+      }).granted
+    ).toEqual(false);
+  });
+
+  it(`'denied: false' in IAccessInfo is respected - user CAN approve OWN post`, () => {
+    expect(
+      ac.permission({
+        role: 'user',
+        action: 'approve:own',
+        resource: 'post',
       }).granted
     ).toEqual(true);
   });

diff --git a/src/__tests__/fixtures-re.ts b/src/__tests__/fixtures-re.ts
@@ -3,43 +3,50 @@ import { IAccessInfo } from 'accesscontrol';
 export const accessInfos: IAccessInfo[] = [
   {
     role: 'user',
-    resource: 'comment',
     action: 'like:any',
+    resource: 'comment',
     attributes: ['*'],
   },
   {
     role: ['user'],
-    resource: 'post',
-    possession: 'any', // overriden by action's possession
     action: 'delete:own',
+    possession: 'any', // overriden by action's possession
+    resource: 'post',
   },
   {
-    role: 'admin',
-    resource: 'comment',
-    possession: 'any',
-    action: 'delete',
+    role: ['admin', 'user'], // user will be actually denied below
+    action: 'approve',      // possession `any` assumed
+    resource: 'post',
     attributes: ['*'],
   },
   {
-    role: ['admin'],
+    role: ['user'],
+    action: 'approve',
     resource: 'post',
-    action: 'approve', // possession `any` assumed
     attributes: ['*'],
+    denied: true // should be respected - // https://github.com/onury/accesscontrol/issues/67
+  },
+  {
+    role: ['user'],
+    action: 'approve:own',
+    resource: 'post',
+    attributes: ['*'],
+    denied: false // should be respected - // https://github.com/onury/accesscontrol/issues/67
   },
   {
     role: 'god',
-    resource: '*',
     action: '*:any',
+    resource: '*',
   },
   {
     role: 'poweruser',
+    action: '*:own', // overrides `possession: 'any'`
     resource: '*',
     possession: 'any',
-    action: '*:own', // overrides `possession: 'any'`
   },
   {
     role: '*',
-    resource: 'openToAllResource',
     action: 'look:any',
+    resource: 'openToAllResource',
   },
 ];
diff --git a/src/accesscontrol-re.ts b/src/accesscontrol-re.ts
@@ -39,8 +39,8 @@ export const build = _.once(
             resource: resourceToGrant,
             role: rolesToGrant,
           };
-
-          ac.grant(accessInfo);
+  
+          accessInfo.denied ? ac.deny(accessInfo) : ac.grant(accessInfo);
         }
       }
     }