dev: improve permission scan reading
This commit is contained in:
parent
4a6055d239
commit
a0f0151446
@ -132,6 +132,7 @@ class FilesystemService extends BaseService {
|
|||||||
},
|
},
|
||||||
}));
|
}));
|
||||||
svc_permission.register_implicator(PermissionImplicator.create({
|
svc_permission.register_implicator(PermissionImplicator.create({
|
||||||
|
id: 'is-owner',
|
||||||
matcher: permission => {
|
matcher: permission => {
|
||||||
return permission.startsWith('fs:');
|
return permission.startsWith('fs:');
|
||||||
},
|
},
|
||||||
@ -164,6 +165,7 @@ class FilesystemService extends BaseService {
|
|||||||
},
|
},
|
||||||
}));
|
}));
|
||||||
svc_permission.register_exploder(PermissionExploder.create({
|
svc_permission.register_exploder(PermissionExploder.create({
|
||||||
|
id: 'fs-access-levels',
|
||||||
matcher: permission => {
|
matcher: permission => {
|
||||||
return permission.startsWith('fs:') &&
|
return permission.startsWith('fs:') &&
|
||||||
PermissionUtil.split(permission).length >= 3;
|
PermissionUtil.split(permission).length >= 3;
|
||||||
|
@ -50,6 +50,7 @@ class PuterSiteService extends BaseService {
|
|||||||
|
|
||||||
// Imply that sites can read their own files
|
// Imply that sites can read their own files
|
||||||
svc_permission.register_implicator(PermissionImplicator.create({
|
svc_permission.register_implicator(PermissionImplicator.create({
|
||||||
|
id: 'in-site',
|
||||||
matcher: permission => {
|
matcher: permission => {
|
||||||
return permission.startsWith('fs:');
|
return permission.startsWith('fs:');
|
||||||
},
|
},
|
||||||
|
@ -185,26 +185,17 @@ class PermissionService extends BaseService {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
async scan (actor, permission) {
|
async scan (actor, permission_options) {
|
||||||
const reading = [];
|
const reading = [];
|
||||||
|
|
||||||
{
|
if ( ! Array.isArray(permission_options) ) {
|
||||||
const old_perm = permission;
|
permission_options = [permission_options];
|
||||||
permission = await this._rewrite_permission(permission);
|
|
||||||
if ( permission !== old_perm ) {
|
|
||||||
reading.push({
|
|
||||||
$: 'rewrite',
|
|
||||||
from: old_perm,
|
|
||||||
to: permission,
|
|
||||||
});
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
await require('../../structured/sequence/scan-permission')
|
||||||
await require('../../structured/sequence/scan-user-permission')
|
|
||||||
.call(this, {
|
.call(this, {
|
||||||
actor,
|
actor,
|
||||||
permission,
|
permission_options,
|
||||||
reading,
|
reading,
|
||||||
});
|
});
|
||||||
|
|
||||||
|
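Review bot: `scan` now passes the caller's own array into the sequence whenever `permission_options` is already an array (the `[permission_options]` wrap only creates a fresh array in the scalar case), and `rewrite_permission` in the scan-permission sequence assigns `permission_options[i] = permission` in place, so a caller that reuses a permission list across calls would see rewritten permission strings persist in its array, assuming `a.values()` hands back the same object given to `.call(this, {...})`. A defensive copy at the normalisation point avoids that: `permission_options = Array.isArray(permission_options) ? [...permission_options] : [permission_options];`. The `$: 'rewrite'` entries formerly pushed here are now produced inside the sequence against the same `reading` array, so the readout is preserved; `scan`'s body continues past the end of this hunk.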
@ -16,6 +16,7 @@
|
|||||||
* You should have received a copy of the GNU Affero General Public License
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
const { permission } = require("process");
|
||||||
const { Sequence } = require("../../codex/Sequence");
|
const { Sequence } = require("../../codex/Sequence");
|
||||||
const { get_user } = require("../../helpers");
|
const { get_user } = require("../../helpers");
|
||||||
const { Actor, UserActorType } = require("../../services/auth/Actor");
|
const { Actor, UserActorType } = require("../../services/auth/Actor");
|
||||||
@ -31,22 +32,43 @@ module.exports = new Sequence([
|
|||||||
if ( actor.type.user.username === 'system' ) {
|
if ( actor.type.user.username === 'system' ) {
|
||||||
reading.push({
|
reading.push({
|
||||||
$: 'option',
|
$: 'option',
|
||||||
|
permission: '*',
|
||||||
source: 'implied',
|
source: 'implied',
|
||||||
|
by: 'system',
|
||||||
data: {}
|
data: {}
|
||||||
})
|
})
|
||||||
return a.stop({});
|
return a.stop({});
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
async function rewrite_permission (a) {
|
async function rewrite_permission (a) {
|
||||||
let { permission } = a.values();
|
let { reading, permission_options } = a.values();
|
||||||
permission = await a.icall('_rewrite_permission', permission);
|
for ( let i=0 ; i < permission_options.length ; i++ ) {
|
||||||
a.values({ permission });
|
const old_perm = permission_options[i];
|
||||||
|
const permission = await a.icall('_rewrite_permission', old_perm);
|
||||||
|
if ( permission === old_perm ) continue;
|
||||||
|
permission_options[i] = permission;
|
||||||
|
reading.push({
|
||||||
|
$: 'rewrite',
|
||||||
|
from: old_perm,
|
||||||
|
to: permission,
|
||||||
|
});
|
||||||
|
}
|
||||||
},
|
},
|
||||||
async function explode_permission (a) {
|
async function explode_permission (a) {
|
||||||
const { permission } = a.values();
|
const { reading, permission_options } = a.values();
|
||||||
const permission_options =
|
for ( let i=0 ; i < permission_options.length ; i++ ) {
|
||||||
|
const permission = permission_options[i];
|
||||||
|
permission_options[i] =
|
||||||
await a.icall('get_higher_permissions', permission);
|
await a.icall('get_higher_permissions', permission);
|
||||||
a.values({ permission_options });
|
if ( permission_options[i].length > 1 ) {
|
||||||
|
reading.push({
|
||||||
|
$: 'explode',
|
||||||
|
from: permission,
|
||||||
|
to: permission_options[i],
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
|
a.set('permission_options', permission_options.flat());
|
||||||
},
|
},
|
||||||
async function run_scanners (a) {
|
async function run_scanners (a) {
|
||||||
const scanners = PERMISSION_SCANNERS;
|
const scanners = PERMISSION_SCANNERS;
|
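Review bot: The added `const { permission } = require("process");` at the top of the scan-permission sequence looks like an accidental editor auto-import: nothing in the visible hunks uses it, and on Node releases that expose `process.permission` it creates a module-level `permission` binding that would mask a missing local declaration in any step of this authorization sequence instead of surfacing a ReferenceError, so it should be removed. In `explode_permission`, each `permission_options[i]` is first overwritten with the array returned by `get_higher_permissions` and the flattened result is then stored through `a.set('permission_options', ...)`, whereas every other step in this hunk writes state with `a.values({...})`; I cannot see the Sequence API from here, so it is worth confirming `a.set` exists rather than discovering it at runtime. `permission_options.flat()` is not de-duplicated, so overlapping higher permissions from two options would be scanned twice; harmless for correctness but extra work per scan. The surrounding `module.exports = new Sequence([` begins and ends outside the visible hunks.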
@ -10,9 +10,11 @@ const PERMISSION_SCANNERS = [
|
|||||||
name: 'implied',
|
name: 'implied',
|
||||||
async scan (a) {
|
async scan (a) {
|
||||||
const reading = a.get('reading');
|
const reading = a.get('reading');
|
||||||
const { actor, permission } = a.values();
|
const { actor, permission_options } = a.values();
|
||||||
|
|
||||||
const _permission_implicators = a.iget('_permission_implicators');
|
const _permission_implicators = a.iget('_permission_implicators');
|
||||||
|
|
||||||
|
for ( const permission of permission_options )
|
||||||
for ( const implicator of _permission_implicators ) {
|
for ( const implicator of _permission_implicators ) {
|
||||||
if ( ! implicator.matches(permission) ) {
|
if ( ! implicator.matches(permission) ) {
|
||||||
continue;
|
continue;
|
||||||
@ -24,8 +26,9 @@ const PERMISSION_SCANNERS = [
|
|||||||
if ( implied ) {
|
if ( implied ) {
|
||||||
reading.push({
|
reading.push({
|
||||||
$: 'option',
|
$: 'option',
|
||||||
|
permission,
|
||||||
source: 'implied',
|
source: 'implied',
|
||||||
by: `implicator:${implicator.id}`,
|
by: implicator.id,
|
||||||
data: implied,
|
data: implied,
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
@ -74,6 +77,7 @@ const PERMISSION_SCANNERS = [
|
|||||||
reading.push({
|
reading.push({
|
||||||
$: 'path',
|
$: 'path',
|
||||||
via: 'user',
|
via: 'user',
|
||||||
|
permission: row.permission,
|
||||||
// issuer: issuer_actor,
|
// issuer: issuer_actor,
|
||||||
issuer_username: issuer_actor.type.user.username,
|
issuer_username: issuer_actor.type.user.username,
|
||||||
reading: issuer_reading,
|
reading: issuer_reading,
|
||||||
@ -119,6 +123,7 @@ const PERMISSION_SCANNERS = [
|
|||||||
$: 'path',
|
$: 'path',
|
||||||
via: 'user-group',
|
via: 'user-group',
|
||||||
// issuer: issuer_actor,
|
// issuer: issuer_actor,
|
||||||
|
permission: row.permission,
|
||||||
issuer_username: issuer_actor.type.user.username,
|
issuer_username: issuer_actor.type.user.username,
|
||||||
reading: issuer_reading,
|
reading: issuer_reading,
|
||||||
group_id: row.group_id,
|
group_id: row.group_id,
|
||||||
@ -158,6 +163,7 @@ const PERMISSION_SCANNERS = [
|
|||||||
if ( implicit_permissions[permission] ) {
|
if ( implicit_permissions[permission] ) {
|
||||||
reading.push({
|
reading.push({
|
||||||
$: 'option',
|
$: 'option',
|
||||||
|
permission,
|
||||||
source: 'implied',
|
source: 'implied',
|
||||||
by: 'user-app-hc-2',
|
by: 'user-app-hc-2',
|
||||||
data: implicit_permissions[permission],
|
data: implicit_permissions[permission],
|
||||||
@ -189,6 +195,7 @@ const PERMISSION_SCANNERS = [
|
|||||||
reading.push({
|
reading.push({
|
||||||
$: 'path',
|
$: 'path',
|
||||||
via: 'user-app',
|
via: 'user-app',
|
||||||
|
permission: row.permission,
|
||||||
issuer_username: actor.type.user.username,
|
issuer_username: actor.type.user.username,
|
||||||
reading: issuer_reading,
|
reading: issuer_reading,
|
||||||
});
|
});
|
||||||
|
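Review bot: In the `implied` scanner (hunk `@ -10,9 +10,11`), the new outer `for ( const permission of permission_options )` has no braces, so its body is only the `for ( const implicator of _permission_implicators )` statement that follows; that is correct today, but in an authorization scan a later edit that adds a statement between or after the inner loop would silently run it once, outside the per-permission iteration. Writing it as `for ( const permission of permission_options ) {` with a matching `}` after the inner loop's closing brace (which lies outside this hunk) makes the nesting explicit. Hunk `@ -24,8 +26,9` also changes the reading's `by` field from `` `implicator:${implicator.id}` `` to the bare `implicator.id`; if any consumer of `reading` keyed on the old `implicator:` prefix it would need updating, which I cannot confirm from the visible lines. The scanner's `scan` body starts and ends outside the visible hunks.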