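/**
 * Completion callback for an LDAP bind attempt started by authDN().
 *
 * Success path: the user's role is the value of the first `ou=` RDN of the
 * bound DN; it is registered with the ACL and the ACL is then consulted to
 * decide whether the user may edit (`engineerstuff` or `operatorstuff`) or
 * only view (both). Exactly one JSON response is written per call, including
 * a 403 when the ACL grants neither — previously a user with no grant received
 * no response at all, and a user with several grants triggered several
 * response.json() calls on the same response.
 *
 * Failure path: the next OU in `ouArray` is tried by re-binding with a DN
 * built from the escaped username; once every OU has been tried a
 * `success: false` body is returned and the OU cursor is rewound.
 *
 * Relies on module-level `logger`, `acl`, `count`, `ouArray`, `domainComponent`
 * and `authDN`. NOTE(review): `count` is shared by every in-flight login, so
 * two concurrent requests can interleave their OU walks — confirm it is
 * per-request in the caller, or carry it in a closure instead.
 *
 * @param {boolean} res       true when the bind succeeded
 * @param {Error}   err       bind error, if any (not used beyond logging)
 * @param {object}  response  Express response object
 * @param {string}  dn        the DN that was bound
 * @param {string}  username  login name supplied by the client (untrusted)
 * @param {string}  pass      password supplied by the client
 */
function output(res, err, response, dn, username, pass) {
  // RFC 4514 escaping for a value placed inside a DN, so that a username such
  // as "bob,ou=admins" cannot add RDN components to the DN we bind with.
  function escapeDnValue(value) {
    return String(value)
      .replace(/([\\,+"<>;=])/g, '\\$1')
      .replace(/^([ #])/, '\\$1')
      .replace(/( )$/, '\\$1');
  }

  // Writes the single response for this request and rewinds the OU cursor.
  function reply(status, body) {
    count = 0;
    response.status(status);
    response.json(body);
  }

  if (!res) {
    logger.error('ldap_login failed');
    count += 1;

    if (count >= ouArray.length) {
      // Every OU has been tried: report failure. Rewinding here (not only on
      // success) keeps a later login from walking past the end of ouArray.
      reply(200, { userName: username, success: false, function: "None" });
      return;
    }

    // Try the next OU group with the username escaped for DN use.
    var nextDn = 'uid=' + escapeDnValue(username) + ',ou=' + ouArray[count] + ',' + domainComponent;
    authDN(nextDn, pass, output, username, response);
    return;
  }

  var ouMatch = dn.match(/ou=(.*?),/i);
  if (!ouMatch) {
    // No ou= component, so no role can be derived; fail closed instead of
    // throwing a TypeError from ouMatch[1].
    logger.error('ldap_login: no ou= component in dn');
    reply(500, { userName: username, success: false, function: "None" });
    return;
  }
  var role = ouMatch[1];
  logger.info('ldap_login successful');

  // Register the role before checking permissions; the original fired this
  // and the checks concurrently, so a first login could be evaluated before
  // the role was stored.
  acl.addUserRoles(username, role, function(addErr) {
    if (addErr) {
      logger.error('ldap_login: addUserRoles failed');
      reply(500, { userName: username, success: false, function: "None" });
      return;
    }

    var checks = [
      ['engineerstuff', 'edit'],
      ['operatorstuff', 'edit'],
      ['operatorstuff', 'view'],
      ['engineerstuff', 'view']
    ];

    // Evaluate the checks one after another so the decision is made once,
    // from the complete set of answers, instead of by whichever callback
    // happens to fire first.
    function collect(index, results) {
      if (index === checks.length) {
        var canEdit = results[0] || results[1];
        var canView = results[2] && results[3];
        if (canEdit || canView) {
          reply(200, { userName: username, success: true, canEdit: canEdit, role: role });
        } else {
          reply(403, { userName: username, success: false, function: "None" });
        }
        return;
      }
      acl.isAllowed(username, checks[index][0], checks[index][1], function(aclErr, allowed) {
        // An ACL lookup error counts as "not allowed" (fail closed) but is logged.
        if (aclErr) {
          logger.error('ldap_login: isAllowed failed for ' + checks[index][0]);
        }
        collect(index + 1, results.concat(!aclErr && Boolean(allowed)));
      });
    }
    collect(0, []);
  });
}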
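    // Decode/verify the bearer token, then ask the ACL whether the token's
    // user may perform `operation` on the requested resource (reqParts[1]).
    self.fulldecodetoken(req, res, function(err, result){
      if(!result){
        console.log("fulldecodetoken error");

        // `typeof err !== undefined` compared a string with undefined and was
        // therefore always true, so a missing err was sent as the body.
        var tokenError = (typeof err !== 'undefined' && err !== null)
          ? err
          : new Error("Authorisation denied. Invalid token");
        res.status(403).send(tokenError);
        return;
      }

      // Declared locally rather than as an implicit global: a shared
      // `username` lets concurrent requests be authorised under each other's
      // identity. NOTE(review): if the enclosing middleware reads `username`
      // after this callback, keep that outer assignment as well.
      var username = result.username;
      // The decoded payload itself is deliberately not logged; it may carry
      // claims that do not belong in application logs.
      console.log("fulldecodetoken result");

      acl.isAllowed(username, reqParts[1], operation, function(aclErr, allowed){
        if(allowed){
          console.log("User member ["+ username +"] is allowed to ["+ operation +"] on ["+ reqParts[1]+"]");
          next();
          return;
        }
        // A lookup error is treated the same as a denial (fail closed).
        console.log("Error. User member ["+ username +"] does not have permission to ["+ operation +"] on ["+ reqParts[1]+"]");

        var error = new Error("Authorisation denied. Insufficient access privelages");
        // Carry the status so the Express error handler answers 403 rather
        // than its default 500.
        error.status = 403;
        next(error);
      });
    });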
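		// Resolve the ACL resource that matches the request path, then check
		// the user's role against it for the HTTP method in use.
		acl.whatResources(roles, function(err, resources) {
			if (err) {
				res.status(500).json({error: 'Unexpected authorization error'});
				return;
			}

			// Strip the query string first, then the leading "/api/" prefix.
			// The prefix pattern is anchored so only a leading "api/" is
			// removed; the unanchored form could rewrite an "api/" that
			// appears deeper in the path or inside the query.
			var originalUrl = req.originalUrl;
			var apiPath = originalUrl.split('?')[0].replace(/^\/?api\/?/, '');
			var reqResource = '';
			var resource, keys, regexp, result, username;

			for (resource in resources) {
				keys = [];
				regexp = pathToRegexp(resource, keys);
				if (!regexp.test(apiPath)) {
					continue;
				}

				if (hasCurrentUserKey(keys)) {
					// The route names a user; only that user may take it.
					result = regexp.exec(apiPath);
					username = undefined;
					keys.forEach(function(key, i) {
						if (key.name === 'currentUser') {
							username = result[i + 1];
						}
					});

					// NOTE(review): `username` is the raw path segment, so a
					// percent-encoded name will not equal req.user.username —
					// confirm whether decoding is wanted here.
					if (username !== req.user.username) {
						continue;
					}
				}

				reqResource = resource;
				break;
			}

			if (!reqResource) {
				debug(req.user.username + ' with role ' + req.user.role + ' has no permissions for ' + apiPath);
				res.status(403).json({error: 'Forbidden'});
				return;
			}

			acl.isAllowed(req.user.username, reqResource, req.method, function(aclErr, allowed) {
				if (aclErr) {
					res.status(500).json({error: 'Unexpected authorization error'});
					return;
				}
				if (allowed) {
					next();
					return;
				}
				debug(req.user.username + ' with role ' + req.user.role + ' is not allowed to access resource ' + reqResource + ' via ' + req.method );
				res.status(403).json({error: 'Forbidden'});
			});
		});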
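/**
 * Asks the ACL whether `uid` may perform `action` on `resource` and reports
 * the answer to `callback` as a plain boolean.
 *
 * A lookup error is reported to the caller as `false` (fail closed) but is
 * also logged, instead of being silently indistinguishable from a denial.
 *
 * @param {string} resource  ACL resource name
 * @param {string} action    permission to check
 * @param {string} uid       user id
 * @param {function(boolean)} callback  receives true only when allowed
 */
var async_function = function (resource, action, uid, callback) {
    acl.isAllowed(uid, resource, action, function (err, allowed) {
        if (err) {
            console.error('acl.isAllowed failed for ' + uid + ' on ' + resource + ':' + action, err);
            callback(false);
            return;
        }
        callback(Boolean(allowed));
    });
};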
 // View-only grant: the user must be able to view both operator and engineer
 // areas; nothing is sent from here when either check fails.
 acl.isAllowed(username, 'operatorstuff', 'view', function(err, canViewOperator) {
   if (!canViewOperator) {
     return;
   }
   acl.isAllowed(username, 'engineerstuff', 'view', function(err, canViewEngineer) {
     if (!canViewEngineer) {
       return;
     }
     var payload = { userName: username, success: true, canEdit: false, role: role };
     response.status(200);
     response.json(payload);
     count = 0;
   });
 });
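    /**
     * Express middleware gating every request on the ACL.
     *
     * The ACL resource is the first path segment of req.url ("/users" for
     * "/users/42?x=1") and the permission is the lower-cased HTTP method.
     * Requests without req.user are evaluated as USER_ANONYMOUS and, when
     * denied, get 401 rather than 403 so the client knows to authenticate.
     *
     * An ACL lookup error is answered with 500 instead of being folded into
     * 401/403, so a backend outage is not reported as a permission problem.
     *
     * @param {object} req   Express request; req.user.userId identifies the caller
     * @param {object} res   Express response
     * @param {function} next  invoked only when the ACL allows the request
     */
    var _mw = function (req, res, next) {
        if (!req.user) {
            req.user = {userId: USER_ANONYMOUS};
        }

        // Drop the query string, then keep "" and the first segment: "/a/b" -> "/a".
        var path = req.url.split('?')[0];
        var resource = path.split('/').slice(0, 2).join('/');
        var permission = req.method.toLowerCase();

        acl.isAllowed(req.user.userId, resource, permission, function (error, allowed) {
            if (error) {
                res.status(500).send('Authorization check failed');
                return;
            }
            if (allowed) {
                next();
                return;
            }
            if (req.user.userId === USER_ANONYMOUS) {
                res.status(401).send('Not authorised');
            } else {
                res.status(403).send('Forbidden');
            }
        });
    };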
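/**
 * Checks whether `userId` holds `permissions` on `resource` and routes the
 * outcome to the supplied callbacks.
 *
 * - allowed:     callback(true)
 * - not allowed: notAllowedCallback() when given; otherwise callback(false)
 *                and, unless preventNotAllowedInResponse is set, a 403 body
 * - ACL error:   a 500 with a generic body. The raw error object is no longer
 *                echoed to the client, since backend errors can expose
 *                connection and query details.
 *
 * @param {string} userId
 * @param {object} response   Express response
 * @param {string} resource
 * @param {string|string[]} permissions
 * @param {function(boolean)} callback
 * @param {function=} notAllowedCallback  replaces the 403 path when supplied
 * @param {boolean=} preventNotAllowedInResponse  suppress the 403 body
 */
module.exports.isAllowed = function(
    userId,
    response,
    resource,
    permissions,
    callback,
    notAllowedCallback,
    preventNotAllowedInResponse
) {
    acl.isAllowed(userId, resource, permissions, function(err, allowed){
        if (err) {
            console.error('acl.isAllowed failed for ' + userId + ' on ' + resource, err);
            response.status(500).json({ error: 'Unexpected authorization error' });
            return;
        }

        if (allowed) {
            callback(true);
            return;
        }

        if (notAllowedCallback) {
            notAllowedCallback();
            return;
        }

        callback(false);
        if (!preventNotAllowedInResponse) {
            response.status(403).json('Content ' + resource + ' is not allowed');
        }
    });
};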
	    {resources: 'public', permissions: 'get'}
	]
    }
]);

// Demo wiring: three users, a guest -> user -> admin role chain, then a few
// lookups whose answers are only logged.
log.trace({mod: 'acl'}, 'Initializing ACL Role Parents');
acl.addUserRoles('joe', 'admin');
acl.addUserRoles('john', 'guest');
acl.addUserRoles('jane', 'user');

// NOTE(review): in node_acl addRoleParents(role, parents) makes `role` inherit
// the parents' grants, i.e. admin > user > guest — confirm against the acl
// version in use.
acl.addRoleParents('user', 'guest');
acl.addRoleParents('admin', 'user');


// Each lookup is fire-and-forget and prints `err` next to `res` instead of
// handling it, so a lookup failure shows up only as text in the log line.
acl.isAllowed('joe', 'topsecret', 'get', function(err, res) {
    log.debug({mod: 'acl'}, `topsecret get Is Allowed for Joe is ${res} ${err}`);
});
acl.isAllowed('joe', 'secret', 'get', function(err, res) {
    log.debug({mod: 'acl'}, `secret get Is Allowed for joe is ${res} ${err}`);
});
acl.isAllowed('joe', 'secret', 'post', function(err, res) {
    log.debug({mod: 'acl'}, `secret post Is Allowed for joe is ${res} ${err}`);
});
acl.isAllowed('joe', 'public', 'get', function(err, res) {
    log.debug({mod: 'acl'}, `public get Is Allowed for joe is ${res} ${err}`);
});

acl.isAllowed('jane', 'topsecret', 'get', function(err, res) {
    log.debug({mod: 'acl'}, `topsecret get Is Allowed for Jane is ${res} ${err}`);
});
acl.isAllowed('jane', 'secret', 'post', function(err, res) {
}).then(function () {
    return acl.isAllowed('jsmith', 'blogs', ['edit', 'view', 'delete']);
}).then(function (result) {
        allows: [
            { resources: 'blogs', permissions: 'get' },
            { resources: ['forums', 'news'], permissions: ['get', 'put', 'delete'] }
        ]
    },
    {
        roles: ['gold', 'silver'],
        allows: [
            { resources: 'cash', permissions: ['sell', 'exchange'] },
            { resources: ['account', 'deposit'], permissions: ['put', 'delete'] }
        ]
    }
]);
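// Demo: check joed's rights on blogs, then grant jsmith the "member" role and
// show how the answer for blogs changes once the role is in place.
acl.isAllowed('joed', 'blogs', 'view', function (err, res) {
    if (err) {
        console.error('isAllowed failed for joed', err);
        return;
    }
    if (res) {
        console.log("User joed is allowed to view blogs");
    }
});
acl.isAllowed('jsmith', 'blogs', ['edit', 'view', 'delete'])
    .then(function (result) {
        console.dir('jsmith is allowed blogs ' + result);
        // Returned so the next check runs only after the grant is persisted;
        // without the return the second isAllowed could race the grant.
        // (node_acl returns a promise when no callback is given — confirm for
        // the version in use.)
        return acl.addUserRoles('jsmith', 'member');
    }).then(function () {
        return acl.isAllowed('jsmith', 'blogs', ['edit', 'view', 'delete']);
    }).then(function (result) {
        return console.dir('jsmith is allowed blogs ' + result);
    }).then(function () {
        acl.allowedPermissions('james', ['blogs', 'forums'], report);
        acl.allowedPermissions('jsmith', ['blogs', 'forums'], report);
    }).catch(function (err) {
        // Close the chain so a rejected lookup is not an unhandled rejection.
        console.error('acl demo failed', err);
    });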