
SailsJS. Generic policy which checks if the groupID of the element in the request is the same as the user's group

I have a big API and I'm using blueprints as it is really convenient for most operations. It is a multi-tenant application, so every element has a groupID field.

I need to have a policy which will check if the element which is going to be edited/deleted belongs to the user's group. I have the user's groupID in the request already, injected by the JWT policy, but how can I make the policy a generic policy which will check the appropriate model for the id and compare it with the user's id? It can't be done with the groupID from the request, as a hacker can use his JWT token and put his groupID in the request but access an element that is not his. Is it possible, or do I have to create a separate policy per model?

I found it.

You can get modelName from req.options.model when you are using Blueprints.

Unfortunately you can't use this[modelName] directly, as the option gives you the model name starting with a lower-case letter, so first you have to upper-case the first letter, e.g. var modelName = req.options.model.charAt(0).toUpperCase() + req.options.model.slice(1);

and then you are free to use this[modelName].whateverYouNeed

I used it for a generic policy to let the user edit only his own group's elements.

module.exports = function (req, res, next) {
  // Blueprint actions put the model identity (lower-case) in req.options.model;
  // capitalise it to match the globalised model name (this relies on Sails
  // model globals being enabled, so this[modelName] resolves to the model).
  var modelName = req.options.model.charAt(0).toUpperCase() + req.options.model.slice(1);
  var elementID = null;

  if (req.params.id) { // To handle DELETE, PUT
    elementID = req.params.id;
  }
  if (req.body && req.body.id) { // To handle POST
    elementID = req.body.id;
  }

  // Look the element up by id only; the group is read from the stored record,
  // never from the request body.
  this[modelName].findOne({
    id: elementID
  }).exec(function (err, contextElement) {
    if (err) {
      return res.serverError(err);
    }
    if (!contextElement) { // no such record: deny instead of throwing on null
      return res.forbidden('Tried to access not owned object');
    }
    if (contextElement.group === req.user.group.id) {
      sails.log('accessing own: ' + modelName);
      return next();
    }
    return res.forbidden('Tried to access not owned object');
  });
};
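The same tenant check as a self-contained example (added here, not the answer's own code): an in-memory store stands in for sails.models, the stand-in query is synchronous where the real one is asynchronous, and the model/id/group fields are assumed to match the shapes used above.

```javascript
// Added example, not the answer's code: a group-isolation check in the shape
// of a Sails policy, with an in-memory store standing in for sails.models so
// it runs without Sails. The real query is asynchronous (.exec()/await);
// the stand-in is synchronous to keep the example short.

// Constructed sample rows: two records belonging to two different tenants.
const STORE = {
  document: [
    { id: 1, group: 10, title: 'belongs to group 10' },
    { id: 2, group: 20, title: 'belongs to group 20' },
  ],
};

// Stand-in for sails.models[identity]; Sails keys models by lower-case
// identity, which is exactly what req.options.model carries for blueprints.
function resolveModel(req) {
  const identity = req.options && req.options.model;
  const rows = identity && STORE[identity];
  return rows ? { findOne: (c) => rows.find((r) => r.id === c.id) } : undefined;
}

// The element id comes from the route (PUT/DELETE) or the body (POST).
// Any groupID the client sends is deliberately never read.
function elementIdFrom(req) {
  const raw = (req.params && req.params.id) ?? (req.body && req.body.id);
  const id = Number(raw);
  return Number.isInteger(id) ? id : undefined;
}

// Decide 'allow', 'forbidden' or 'badRequest'. A missing record is reported
// as 'forbidden' rather than 'notFound', so one tenant cannot probe which
// ids exist in another group.
function checkSameGroup(req) {
  const Model = resolveModel(req);
  const id = elementIdFrom(req);
  if (!Model || id === undefined || !req.user || !req.user.group) return 'badRequest';
  const record = Model.findOne({ id });
  if (!record || record.group !== req.user.group.id) return 'forbidden';
  return 'allow';
}

// Policy wrapper in Sails's (req, res, next) shape, using the decision above.
function sameGroupPolicy(req, res, next) {
  const verdict = checkSameGroup(req);
  if (verdict === 'allow') return next();
  if (verdict === 'badRequest') return res.badRequest('missing model or id');
  return res.forbidden('Tried to access not owned object');
}
```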
