-
Notifications
You must be signed in to change notification settings - Fork 538
/
Copy pathauthz.js
104 lines (88 loc) · 2.86 KB
/
authz.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
/*package annotator.authz */
"use strict";
var AclAuthzPolicy;
/**
* function:: acl()
*
* A module that configures and registers an instance of
* :class:`annotator.authz.AclAuthzPolicy`.
*
*/
exports.acl = function acl() {
var authorization = new AclAuthzPolicy();
return {
configure: function (registry) {
registry.registerUtility(authorization, 'authorizationPolicy');
}
};
};
/**
* class:: AclAuthzPolicy()
*
* An authorization policy that permits actions based on access control lists.
*
*/
AclAuthzPolicy = exports.AclAuthzPolicy = function AclAuthzPolicy() {
};
/**
* function:: AclAuthzPolicy.prototype.permits(action, context, identity)
*
* Determines whether the user identified by `identity` is permitted to
* perform the specified action in the given context.
*
* If the context has a "permissions" object property, then actions will
* be permitted if either of the following are true:
*
* a) permissions[action] is undefined or null,
* b) permissions[action] is an Array containing the authorized userid
* for the given identity.
*
* If the context has no permissions associated with it then all actions
* will be permitted.
*
* If the annotation has a "user" property, then actions will be permitted
* only if `identity` matches this "user" property.
*
* If the annotation has neither a "permissions" property nor a "user"
* property, then all actions will be permitted.
*
* :param String action: The action to perform.
* :param context: The permissions context for the authorization check.
* :param identity: The identity whose authorization is being checked.
*
* :returns Boolean: Whether the action is permitted in this context for this
* identity.
*/
AclAuthzPolicy.prototype.permits = function (action, context, identity) {
var userid = this.authorizedUserId(identity);
var permissions = context.permissions;
if (permissions) {
// Fine-grained authorization on permissions field
var tokens = permissions[action];
if (typeof tokens === 'undefined' || tokens === null) {
// Missing tokens array for this action: anyone can perform
// action.
return true;
}
for (var i = 0, len = tokens.length; i < len; i++) {
if (userid === tokens[i]) {
return true;
}
}
// No tokens matched: action should not be performed.
return false;
} else if (context.user) {
// Coarse-grained authorization
return userid === context.user;
}
// No authorization info on context: free-for-all!
return true;
};
/**
* function:: AclAuthzPolicy.prototype.authorizedUserId(identity)
*
* Returns the authorized userid for the user identified by `identity`.
*/
AclAuthzPolicy.prototype.authorizedUserId = function (identity) {
return identity;
};