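  return function ( req, res, next ) {
    // NOTE(review): a single environment variable disables this middleware
    // entirely; deployments must guarantee `environment=test` is never set
    // outside the test runner, or every permission check is bypassed.
    if ( process.env.environment === 'test' ) {
      return next();
    }

    // Fail closed when there is no session, no user, or no permission list.
    var user = req.session && req.session.user;
    if ( !user || !user.permissions ) {
      return respond.code.unauthorized(res, 'You are not authorized to access that resource.');
    }

    var granted = user.permissions;

    // Truthy when the requester holds a permission with exactly this name.
    var hasPermission = function ( name ) {
      return _.find(granted, { name: name });
    };

    var allowed;
    if ( _.isArray(requiredPermissions) ) {
      // Every listed permission must be held (an empty list passes).
      // `_.every` is used instead of negating `_.find`: the old form returned
      // the first *missing* name and negated it, so a falsy required name
      // (e.g. '') made the check pass even though it was not granted.
      allowed = _.every(requiredPermissions, function ( perm ) {
        return hasPermission(perm);
      });
    } else {
      allowed = hasPermission(requiredPermissions);
    }

    if ( !allowed ) {
      var needed = _.isArray(requiredPermissions) ? requiredPermissions.join(', ') : requiredPermissions;
      return respond.code.unauthorized(res, 'You are not authorized to access this resource. This requires the following permissions: ' + needed );
    }

    next();
  };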
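  return function ( req, res, next ) {
    // Fail closed: without an authenticated user there is nothing to compare
    // against. The previous version dereferenced req.session.user unguarded,
    // so a missing session became a TypeError (500) instead of a 401.
    var requester = req.session && req.session.user;
    if ( !requester ) {
      return respond.code.unauthorized(res, 'You are not authorized to access that resource.');
    }

    // Admins skip the ownership check unless the factory was told to enforce it.
    if ( !enforceAdmin && requester.isAdmin ) {
      return next();
    }

    // `toObject` presumably unwraps an ORM document so getPath sees plain
    // properties — confirm against the type stored in the session.
    var source = requester.toObject ? requester.toObject() : requester;
    var param  = getPath.call(req.params, paramPath);
    var client = getPath.call(source, clientPath);

    // Ownership holds when the route parameter equals the requester's value,
    // or is contained in it when the requester holds a list of ids.
    var matches = false;
    if ( param && client ) {
      matches = _.isArray(client)
        ? indexOfObjectId(client, param) > -1
        : param.toString() === client.toString();
    }

    if ( !matches ) {
      // String() tolerates a null/undefined client; the previous
      // client.toString() threw in exactly the case this branch reports.
      return respond.code.unauthorized(res, 'You are not authorized to access resource with ' + paramPath + ' of ' + String(client) );
    }

    next();
  };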