/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
import {
CREATE_FEATURE,
UPDATE_FEATURE,
DELETE_FEATURE,
ADMIN,
} from '../permissions';
import { isRbacEnabled } from '../util/feature-enabled';
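/**
 * Builds the Express middleware that attaches `req.checkRbac` to each request.
 *
 * When RBAC is turned off in `config` the returned middleware is a no-op.
 * Otherwise every request gets an async `checkRbac(permission)` function that
 * works out which project the request targets and asks `accessService` whether
 * the request's user holds `permission` for that project. Note that nothing is
 * denied automatically: a route handler has to call `req.checkRbac(...)` and
 * act on the result itself, so a handler that never calls it is unprotected
 * by this middleware.
 *
 * @param config - application config; must provide `getLogger(name)` and
 *   `stores.featureToggleStore.getProjectId(featureName)`
 * @param accessService - object exposing
 *   `hasPermission(user, permission, projectId)`
 * @returns an Express middleware `(req, res, next) => void`
 */
const rbacMiddleware = (config: any, { accessService }: any): any => {
    if (!isRbacEnabled(config)) {
        return (req, res, next) => next();
    }

    const logger = config.getLogger('/middleware/rbac-middleware.js');
    logger.info('Enabling RBAC');

    const { featureToggleStore } = config.stores;

    return (req, res, next) => {
        // Resolves to true when `user` holds `permission` on the request's
        // project, false when the request cannot be evaluated (no user, no id).
        req.checkRbac = async (permission: string) => {
            const { user, params } = req;

            if (!user) {
                logger.error('RBAC requires a user to exist on the request.');
                return false;
            }

            // Support ADMIN API tokens for enterpriseAuthentication.
            // Only an array of permissions is consulted: a missing list would
            // otherwise throw a TypeError out of the handler, and a string
            // would fall through to String#includes (substring match) and
            // could grant access it should not.
            if (user.isAPI) {
                return (
                    Array.isArray(user.permissions) &&
                    user.permissions.includes(ADMIN)
                );
            }

            if (!user.id) {
                logger.error('RBAC requires the user to have a unique id.');
                return false;
            }

            // For /api/admin/projects/:projectId we will find it as part of params
            let { projectId } = params;

            // Temporary workaround to figure out projectId for feature toggle updates.
            if ([UPDATE_FEATURE, DELETE_FEATURE].includes(permission)) {
                const { featureName } = params;
                projectId = await featureToggleStore.getProjectId(featureName);
            } else if (permission === CREATE_FEATURE) {
                // The target project is taken from the client-supplied body;
                // hasPermission below is what decides whether the user may
                // create features in that project.
                projectId = req.body ? req.body.project : undefined;
            }

            return accessService.hasPermission(user, permission, projectId);
        };
        return next();
    };
};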
// Exported both ways: `module.exports` for `require()` callers and
// `export default` for `import` callers, so each receives the same factory.
module.exports = rbacMiddleware;
export default rbacMiddleware;