From abb0f97aec51bedeb82fabb7203ce9dade244427 Mon Sep 17 00:00:00 2001
From: Konstantinos Kopanidis
Date: Fri, 8 Sep 2023 17:46:02 +0300
Subject: [PATCH] feat(authorization): first implementation to fix broken authz graph
---
 .../src/controllers/index.controller.ts | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/modules/authorization/src/controllers/index.controller.ts b/modules/authorization/src/controllers/index.controller.ts
index 24028c0fc..e5fb51a3f 100644
--- a/modules/authorization/src/controllers/index.controller.ts
+++ b/modules/authorization/src/controllers/index.controller.ts
@@ -59,14 +59,9 @@ export class IndexController {
 for (const permission of permissions) {
 const roles = objectDefinition.permissions[permission];
 for (const role of roles) {
- // no index needed for "allowAll" permissions
- // or for self modification
- if (role === '*' || role.indexOf('->') === -1) {
- await this.createOrUpdateObject(
- object + '#' + permission,
- role === '*' ? `*` : `${object}#${role}`,
- );
- } else {
+ if (role.indexOf('->') === -1) {
+ await this.createOrUpdateObject(object + '#' + permission, `${object}#${role}`);
+ } else if (role !== '*') {
 const [relatedSubject, action] = role.split('->');
 if (relation !== relatedSubject) continue;
 const possibleConnections = await ObjectIndex.getInstance().findMany({
@@ -78,6 +73,17 @@ export class IndexController {
 }
 }
 }
+ const actors = await ActorIndex.getInstance().findMany({
+ subject: object,
+ });
+ if (actors.length === 0) return;
+ for (const actor of actors) {
+ await this.constructRelationIndex(
+ actor.subject,
+ actor.relation,
+ actor.entity.split('#')[0],
+ );
+ }
 }
 async removeRelation(subject: string, relation: string, object: string) {
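Review bot: In the `@@ -59,14 +59,9 @@` hunk the `else if (role !== '*')` guard is always true when it is reached, because `'*'` contains no `->` and is already taken by the first branch. A wildcard role is therefore now indexed as `${object}#*`, where the removed code wrote a bare `*`, and the comment that explained the allow-all case was dropped with it. If the intent is to stop indexing allow-all roles, test for it before the `indexOf('->')` check, e.g. `if (role === '*') continue;`, and add a one-line comment saying how `*` is resolved when a permission is checked. Whatever the intended behaviour, an authorization index that silently changes the stored form of "allow everyone" deserves a test on both sides of the change. The enclosing method starts and ends outside this hunk.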
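Review bot: In the `@@ -78,6 +73,17 @@` hunk the new loop calls `this.constructRelationIndex` for every actor whose subject is `object` without recording what has already been expanded, so a cycle in the stored relations (A related to B, B related back to A) would presumably recurse without end and keep issuing index writes. If relations can be created by API callers, that makes the authorization service's availability depend on caller-supplied data. Pass a visited set through the calls and skip entries already seen; this needs an optional extra parameter such as `visited: Set<string> = new Set()` on the method signature, which lies outside the hunk. The `if (actors.length === 0) return;` line is redundant with the loop and can go.
```typescript
// … unchanged: permission/role indexing loops …
const actors = await ActorIndex.getInstance().findMany({
  subject: object,
});
for (const actor of actors) {
  const key = `${actor.subject}|${actor.relation}|${actor.entity}`;
  // already expanded during this walk: stops cyclic relation data from recursing forever
  if (visited.has(key)) continue;
  visited.add(key);
  await this.constructRelationIndex(
    actor.subject,
    actor.relation,
    actor.entity.split('#')[0],
    visited,
  );
}
```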