Fix Role.isOwner() when multiple user models

[ebarault]

Description

When merging #2971 which i authored, @bajtos noted a missing test on the built-in role resolver $owner which internally calls the Role.isOwner() method (see here)
The added test actually failed, allowing users from different models but with the same id), because the Role.isOwner() method was not checking the user's principalType.
(good catch @bajtos 👍 )

This PR fixes this issue (and adds the corresponding test)
see the inlined comment for detailed code review

Related PR

#2971 (merged)
#3140 (in progress, will be impacted)
++ any PR/issue where someone would try to iterate recursively along belongTo relations up to the owning user (need to find those)

Checklist

• New tests added or existing tests modified to cover all changes
• Code conforms with the style
  guide

[slnode]

Can one of the admins verify this patch?

[slnode]

Can one of the admins verify this patch?

[slnode]

Can one of the admins verify this patch?

[slnode]

Can one of the admins verify this patch?

[ebarault]

@bajtos : please review additional test + fix on built-in role-resolver $owner, when using multiple user models

[ebarault]

see below, fetching the userId from accessContext is no longer enough, consequently I had to introduce a getUser() method that also returns the user's principalType, and change the signature of Role.isOwner() to include the principalType as an optional parameter

[ebarault]

while principalType is an optional parameter, it defaults internally to USER if undefined for backward compatibility

[ebarault]

we need now to check if the principalType is either USER (standard, single user model) or equal to user's model name (multiple user models)

[ebarault]

this whole part is not valid anymore as it relies only on comparing userIds and cannot be modified to handle principalType, we now need to directly follow belongsTo relations if any

[bajtos]

I think this part is valid when principalType === Principal.USER, I am concerned that we will break backwards compatibility if we remove it. In 865e1c1, I added two tests to your feature branch - they are passing on master, but failing with your new implementation.

[ebarault]

I assume that you already looked at my comment here and you prefer to keep this behavior in loopback 3 despite the comments.

So unless further comments i'll put back this behavior in place when principalType === 'USER'

[bajtos]

I am open to discuss how to handle multiple belongsTo relations, but for the purpose of this pull request, I prefer to stay focused on fixing the issue created by the previous patch, i.e. "allowing users from different models but with the same id), because the Role.isOwner() method was not checking the user's principalType."

[ebarault]

again, principalType must either be equal to USER, or to related user model name

[ebarault]

turned the getUserId method in getUser, now returning an object of the like {id: p.id, principalType: p.type}
of course the getUserId is kept for backward compatibility just a few lines above, in a shortened form, reusing the getUser method

[bajtos]

I think we should return null when there is no user associated with this AccessContext, to make it easy for the consumers of this API to detect this situation.

[ebarault]

if we do this, then this will break the getUserId() method for which is seems normal to return null according to the tests. Should we then modify the getUserId method to return null when getUser() returns null?
If so, then there's not much need to not return {} in the first place

[ebarault]

adapted new tests to check getUser instead of getUserId

[ebarault]

same here

[ebarault]

same here

[ebarault]

adjusted the test on built-in $owner role resolver to verify a user with similar id than an authorized user userOne but from another user model is denied access to album instance owned by userOne

[ebarault]

collecting related users rather than checking them right away : there might be several belongsTo relations linking the model instance to users, rejecting the role resolver at the first returned falsy is not right

[bajtos]

I have two concerns about this change, I have expressed them in #3140:

• backwards compatibility - with the change in place, our ACL system will start accepting request that are rejected in existing LB versions
• what if a model has a belongsTo relation to a User-like model, but this relation does not create ownership?

Can we leave this change out of scope of this pull request please?

[ebarault]

several things to note :

• i chose asyncSeries so not to spam the db but it's clearly a tradeoff to make between performance and load here
• i chose to handle errors in processRelatedUser as rejecting the overall async.someSeries: we could just callback them falsy, thoughts ?

[bajtos]

i chose asyncSeries so not to spam the db but it's clearly a tradeoff to make between performance and load here

Yeah, it's a tradeoff and I don't have a strong opinion on which side is better. I am fine to use asyncSeries here.

i chose to handle errors in processRelatedUser as rejecting the overall async.someSeries: we could just callback them falsy, thoughts ?

I think the question is what to do when we run let's say 4 queries, one of them fails, two returns information that the user is not owner, and one says that the user is owner. Should we fail the whole request because of the error? Should we ignore the error and process the request, because we know that the user is authorized,
despite the error?

I think I like the current version better:

• When there is an error, it's better to let the user and app administrators know about the problem
• We can relax this behaviour later in the future if needed. Going the other way, throwing an error in situation that used to work, would be a semver-major change IMO.

[ebarault]

Please confirm: I understand that in the following case :

4 queries, one of them fails, two returns information that the user is not owner, and one says that the user is owner

1. you propose we resolve isOwner truthy
2. let the app admins know about the error -> log an error msg in the console ?
3. let the app users know about the error -> how ?

[bajtos]

Sorry for the confusion. What I meant is that your current implementation is good.

• isOwner fails with an error
• error-handling middleware reports this error e.g. to console.error
• the app user sees that their request failed

Unless I am misunderstanding the code? Can you add a unit test executing this scenario and ensuring LoopBack behaves as we expect it to?

Having said that, this discussion is out of scope of this patch if we agree to keep current handling of "belongsTo" relations.

[bajtos]

@slnode ok to test

[bajtos]

Great, thank you @ebarault for this follow-up pull request!

You are on the right path, I left few comments to address or discuss:

[bajtos]

Is there any particular reason for changing the result from false to undefined? I think it may be better to preserve callback(null, false).

[ebarault]

my bad, there's no reason why to change this

[bajtos]

I think this part is valid when principalType === Principal.USER, I am concerned that we will break backwards compatibility if we remove it. In 865e1c1, I added two tests to your feature branch - they are passing on master, but failing with your new implementation.

[bajtos]

Ditto, I think it's better to keep the second argument as false? This can happen when err is falsy and the second condition !inst was triggered.

[ebarault]

hmm, too quickly assumed err wasn't ever falsy in that case (overlooked the !inst)

[bajtos]

Could you please rewrite this loop using Array.prototype.filter?

var relWithUsers = modelClass.relations.filter(r => {
  const rel = modelClass.relations[r];
  // ...
});
``

[ebarault]

👍

[bajtos]

Based on our recent discussions, I prefer to leave this change out of scope of this pull request, so that we don't mix several changes into one patch.

[bajtos]

Nitpic:

inst[r](function processRelatedUser(err, user) {
  // ...
});

[bajtos]

i chose asyncSeries so not to spam the db but it's clearly a tradeoff to make between performance and load here

Yeah, it's a tradeoff and I don't have a strong opinion on which side is better. I am fine to use asyncSeries here.

i chose to handle errors in processRelatedUser as rejecting the overall async.someSeries: we could just callback them falsy, thoughts ?

I think the question is what to do when we run let's say 4 queries, one of them fails, two returns information that the user is not owner, and one says that the user is owner. Should we fail the whole request because of the error? Should we ignore the error and process the request, because we know that the user is authorized,
despite the error?

I think I like the current version better:

• When there is an error, it's better to let the user and app administrators know about the problem
• We can relax this behaviour later in the future if needed. Going the other way, throwing an error in situation that used to work, would be a semver-major change IMO.

[bajtos]

I think we should return null when there is no user associated with this AccessContext, to make it easy for the consumers of this API to detect this situation.

[bajtos]

This assertion produces an error message that's difficult to understand without reading the source code of the test. Can you please split the test into two, where each tests asserts a single scenario (valid context, invalid context)?

[ebarault]

👍

[ebarault]

@bajtos : some comments/answers needed back before i move on. Thanks

[ebarault]

my bad, there's no reason why to change this

[ebarault]

hmm, too quickly assumed err wasn't ever falsy in that case (overlooked the !inst)

[ebarault]

I assume that you already looked at my comment here and you prefer to keep this behavior in loopback 3 despite the comments.

So unless further comments i'll put back this behavior in place when principalType === 'USER'

[ebarault]

👍

[ebarault]

Please confirm: I understand that in the following case :

4 queries, one of them fails, two returns information that the user is not owner, and one says that the user is owner

1. you propose we resolve isOwner truthy
2. let the app admins know about the error -> log an error msg in the console ?
3. let the app users know about the error -> how ?

[ebarault]

👍

[ebarault]

@bajtos : please review my comments so i can finalize the PR

[bajtos]

@ebarault sorry for the delay, I read your comments only now. I'll try to review and come back to you by the end of this week.

[ebarault]

we now need this additional check
if (principalType === Principal.USER || principalType === userModelName) {...
to make sure we don't follow a belongTo relation towards an incorrect user model.

ps. in order to keep the level of indent controlled, i chose to first continue if rel.type !== 'belongsTo' && !isUserClass(rel.modelTo)

[bajtos]

The negation of rel.type === 'belongsTo' && isUserClass(rel.modelTo) is rel.type !== 'belongsTo' || !isUserClass(rel.modelTo), I'll fix this myself.

[ebarault]

now that context.getUser() can return null, we need to test user before getting user.id and user.principalType

[ebarault]

context.getUser() now returns null instead of {} to enable developers to more easily detect issues when accessContext misses the user

[ebarault]

shrinked version of getUserId(), leveraging getUser()

[ebarault]

split the OWNER test in 2 to check apart if resolver returns false when principalType is incorrect

[ebarault]

@bajtos : i reverted the PR to only cover the required fix as discussed, and did the required modifications following your code review. You'll still have to squash the 2 commits to merge the tests you previously added. Thanks for carrying this over.

[bajtos]

The negation of rel.type === 'belongsTo' && isUserClass(rel.modelTo) is rel.type !== 'belongsTo' || !isUserClass(rel.modelTo), I'll fix this myself.

[bajtos]

I made few last formatting improvements and landed the patch. Most importantly, I added more details to the commit message to explain the changes, I would appreciate if you could do that yourself in the future, @ebarault.

Thank you for the contribution! 🙇

[ebarault]

@bajtos : thanks. Yes i will take care of detailed commit messages myself in the future. See you soon.