return function ( req, res, next ) {
  // The whole authorization check is skipped when process.env.environment is
  // 'test'. This bypass is controlled purely by deployment configuration, so
  // the value must never be set outside the test harness.
  if ( process.env.environment === 'test' ) {
    return next();
  }

  var session = req.session;
  var user = session && session.user;
  var granted = user && user.permissions;

  // No authenticated user carrying a permission set on the session: reject.
  if ( !granted ) {
    return respond.code.unauthorized(res, 'You are not authorized to access that resource.');
  }

  // A permission is held when the session's permission list contains an
  // entry whose name matches (lodash `matches` shorthand on { name }).
  function hasPermission ( name ) {
    return _.find(granted, { name: name });
  }

  var satisfied;
  if ( _.isArray(requiredPermissions) ) {
    // Every listed permission must be held; an empty list is trivially
    // satisfied, so callers should not pass [] expecting a denial.
    satisfied = _.every(requiredPermissions, function ( name ) {
      return hasPermission(name);
    });
  } else {
    satisfied = hasPermission(requiredPermissions);
  }

  if ( !satisfied ) {
    var required = _.isArray(requiredPermissions)
      ? requiredPermissions.join(', ')
      : requiredPermissions;
    return respond.code.unauthorized(res, 'You are not authorized to access this resource. This requires the following permissions: ' + required );
  }

  next();
};
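return function ( req, res, next ) {
  var session = req.session;
  var requester = session && session.user;

  // An ownership check without an authenticated requester cannot succeed.
  // Previously a missing session/user threw a TypeError on `requester.isAdmin`
  // (surfacing as an unhandled error) instead of a clean rejection.
  if ( !requester ) {
    return respond.code.unauthorized(res, 'You are not authorized to access that resource.');
  }

  // Admins skip the ownership comparison unless enforceAdmin was requested.
  if ( !enforceAdmin && requester.isAdmin ) {
    return next();
  }

  // Resolve the route parameter and the requester's own value at the
  // configured paths. Mongoose documents are unwrapped via toObject() so
  // getPath reads plain data.
  var param = getPath.call(req.params, paramPath);
  var plainRequester = requester.toObject ? requester.toObject() : requester;
  var client = getPath.call(plainRequester, clientPath);

  // Both sides must be present; the requester may own a single id or a list.
  var allowed = false;
  if ( param && client ) {
    allowed = _.isArray(client)
      ? indexOfObjectId(client, param) > -1
      : param.toString() === client.toString(); // string-compare so ObjectId vs string matches
  }

  if ( !allowed ) {
    // String() instead of .toString() so a missing client value cannot throw
    // while building the rejection. The echoed value is the requester's own
    // id, not the target's.
    return respond.code.unauthorized(res, 'You are not authorized to access resource with ' + paramPath + ' of ' + String(client) );
  }

  next();
};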