diff options
| author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2014-03-18 00:52:30 +0200 |
|---|---|---|
| committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2014-03-25 09:02:58 +0200 |
| commit | 751f019580e210ff22fc1ac0eea72cece854534a (patch) | |
| tree | 074f3226c7702ff8196207de84ab0e4ec88b5024 /aconf/model/model.lua | |
| parent | 499351fd1c1e7c1462df9a962e927fb4dba6b594 (diff) | |
| download | aconf-751f019580e210ff22fc1ac0eea72cece854534a.tar.bz2 aconf-751f019580e210ff22fc1ac0eea72cece854534a.tar.xz | |
move permission checking from server to model
hide all model data and functions inaccessible to the user
Diffstat (limited to 'aconf/model/model.lua')
| -rw-r--r-- | aconf/model/model.lua | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/aconf/model/model.lua b/aconf/model/model.lua index 3f90450..5d4145f 100644 --- a/aconf/model/model.lua +++ b/aconf/model/model.lua @@ -153,6 +153,8 @@ function M.Model:init(context) assert(mt.txn) if isinstance(v, M.Action) then + mt.check_permission(k) + local f = v.field and BoundMember(self, k, v.field) if options.create then return f and f:load(options) end @@ -164,7 +166,7 @@ function M.Model:init(context) 'Action does not accept an input argument' ) end - local res = v.func(self, f and f:load()) + local res = v.func(mt.escalate, f and f:load()) if f then f:_save() end return res end @@ -174,9 +176,13 @@ function M.Model:init(context) end if self.is_removable then - function mt.removable() return self:is_removable() end + function mt.removable() + return mt.has_permission('delete') and self:is_removable() + end end + function mt.removing_permitted() return mt.has_permission('modify') end + local value_removable = mt.value_removable function mt.value_removable(v) return type(v) == 'table' and value_removable(v) @@ -190,7 +196,11 @@ function M.Model:init(context) function mt.save(k, v) k = normalize_name(k) local field = mt.member(k, false, Field) - if isinstance(field, fld.TreeNode) then mt.check_removable(k, v) end + + if v == nil and isinstance(field, fld.TreeNode) then + mt.check_removable(k) + else mt.check_permission('modify') end + return field:save(v) end @@ -199,7 +209,15 @@ function M.Model:init(context) end function mt.init_meta(meta) - util.update(meta, {fields=tmeta(Field), actions=tmeta(M.Action)}) + util.update( + meta, + { + fields=tmeta(Field), + actions=util.filter( + function(a) mt.has_permission(a.name) end, tmeta(M.Action) + ) + } + ) end function mt.members() @@ -215,12 +233,13 @@ function M.Model:init(context) end if self.has_permission then - function mt.has_permission(user, permission) - return self:has_permission(user, permission) + function mt.has_permission(permission) + return mt.privileged or self:has_permission(mt.txn.user, permission) end end - for _, f in ipairs(_members(Model)) do mt.load(f.name) end + local tload = getmetatable(mt.escalate).load + for _, f in ipairs(_members(Model)) do tload(f.name) end end function M.Model:fetch(path, create) @@ -228,8 +247,9 @@ function M.Model:fetch(path, create) end function M.Model:match(filter) + local tload = getmetatable(getmetatable(self).escalate).load for k, v in pairs(filter) do - if not util.contains(v, getmetatable(self).load(k)) then return false end + if not util.contains(v, tload(k)) then return false end end return true end |