I have a big API and I'm using blueprints as it is really convenient for most operations. It is a multi-tenant application, so every element has a groupID field.
I need to have a policy which will check if the element which is going to be edited/deleted belongs to the user's group. I have the user's groupID in the request already, injected by the JWT policy, but how can I make the policy generic so that it checks the appropriate model for the id and compares it with the user's id? It can't be done with the groupID from the request, as a hacker can use his JWT token and put his groupID in the request but access an element that isn't his. Is it possible, or do I have to create a separate policy per model?
I found it.
You can get modelName from req.options.model when you are using Blueprints.
Unfortunately you can't use this[modelName] directly, as the option gives you the model name starting with a lowercase letter, so first you have to upper-case the first letter, e.g. var modelName = req.options.model.charAt(0).toUpperCase() + req.options.model.slice(1);
and then you are free to use this[modelName].whateverYouNeed
I used it for a generic policy to let the user edit only his own group's elements.
var modelName = req.options.model.charAt(0).toUpperCase() + req.options.model.slice(1);
var elementID = null;
if (req.params.id) { // To handle DELETE, PUT
  elementID = req.params.id;
}
if (req.body.id) { // To handle POST
  elementID = req.body.id;
}
this[modelName].findOne({
  id: elementID
}).exec(function(err, contextElement) {
  if (err) {
    return res.serverError(err);
  }
  if (!contextElement) { // No such element: fail closed instead of throwing on .group
    return res.notFound();
  }
  if (contextElement.group === req.user.group.id) {
    sails.log('accessing own: ' + modelName);
    return next();
  } else {
    return res.forbidden('Tried to access not owned object');
  }
});
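The ownership check the answer describes, as an added example that is not part of the original post: the policy logic written as a plain function over a stubbed, synchronous model registry (a hypothetical stand-in for sails.models, so it runs without Sails), placed beside the client-trusting variant the question warns about. Request shapes follow the post (req.options.model, req.params.id, req.body.id, req.user.group.id from the JWT policy).

```javascript
// Constructed in-memory records; each row carries the owning group id.
const rows = { project: [{ id: 1, group: 10 }, { id: 2, group: 20 }] };

// Stub registry in place of sails.models: identity names are lower-case,
// and findOne is synchronous here purely to keep the example testable.
const models = {
  project: { findOne: (where) => rows.project.find((r) => r.id === where.id) || null },
};

// Vulnerable variant: trusts the groupID the client put in the body. A caller
// holding a valid JWT for group 10 sends groupID 10 while targeting an element
// owned by group 20 and still passes the check.
function checkByClientGroup(req) {
  return req.body.groupID === req.user.group.id;
}

// Hardened variant: resolve the element server-side by id and compare its stored
// group with the group from the verified token; anything the client claims about
// the group is ignored. Returns the response the policy would send.
function ownerPolicyDecision(req) {
  const model = models[req.options.model];      // blueprint sets req.options.model
  if (!model) return 'serverError';
  const id = req.params.id !== undefined ? req.params.id : req.body.id; // DELETE/PUT vs POST
  if (id === undefined) return 'badRequest';
  const element = model.findOne({ id: Number(id) });
  if (!element) return 'notFound';              // fail closed: no element, no access
  return element.group === req.user.group.id ? 'next' : 'forbidden';
}

// Builds a request the way blueprints plus the JWT policy would populate it.
function makeReq({ model = 'project', params = {}, body = {}, group }) {
  return { options: { model }, params, body, user: { group: { id: group } } };
}
```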