"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.default = void 0; var _ParseRole = _interopRequireDefault(require("./ParseRole")); var _ParseUser = _interopRequireDefault(require("./ParseUser")); function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } /** * @flow */ /*:: type Entity = Entity;*/ /*:: type UsersMap = { [userId: string]: boolean | any };*/ /*:: export type PermissionsMap = { [permission: string]: UsersMap };*/ const PUBLIC_KEY = '*'; const VALID_PERMISSIONS /*: Map*/ = new Map( /*:: */ ); VALID_PERMISSIONS.set('get', {}); VALID_PERMISSIONS.set('find', {}); VALID_PERMISSIONS.set('count', {}); VALID_PERMISSIONS.set('create', {}); VALID_PERMISSIONS.set('update', {}); VALID_PERMISSIONS.set('delete', {}); VALID_PERMISSIONS.set('addField', {}); const VALID_PERMISSIONS_EXTENDED /*: Map*/ = new Map( /*:: */ ); VALID_PERMISSIONS_EXTENDED.set('protectedFields', {}); /** * Creates a new CLP. * If no argument is given, the CLP has no permissions for anyone. * If the argument is a Parse.User or Parse.Role, the CLP will have read and write * permission for only that user or role. * If the argument is any other JSON object, that object will be interpretted * as a serialized CLP created with toJSON(). * *

A CLP, or Class Level Permissions can be added to any * Parse.Schema to restrict access to only a subset of users * of your application.

* *

* For get/count/find/create/update/delete/addField using the following functions: * * Entity is type Parse.User or Parse.Role or string * Role is type Parse.Role or Name of Parse.Role * * getGetRequiresAuthentication() * setGetRequiresAuthentication(allowed: boolean) * getGetPointerFields() * setGetPointerFields(pointerFields: string[]) * getGetAccess(entity: Entity) * setGetAccess(entity: Entity, allowed: boolean) * getPublicGetAccess() * setPublicGetAccess(allowed: boolean) * getRoleGetAccess(role: Role) * setRoleGetAccess(role: Role, allowed: boolean) * getFindRequiresAuthentication() * setFindRequiresAuthentication(allowed: boolean) * getFindPointerFields() * setFindPointerFields(pointerFields: string[]) * getFindAccess(entity: Entity) * setFindAccess(entity: Entity, allowed: boolean) * getPublicFindAccess() * setPublicFindAccess(allowed: boolean) * getRoleFindAccess(role: Role) * setRoleFindAccess(role: Role, allowed: boolean) * getCountRequiresAuthentication() * setCountRequiresAuthentication(allowed: boolean) * getCountPointerFields() * setCountPointerFields(pointerFields: string[]) * getCountAccess(entity: Entity) * setCountAccess(entity: Entity, allowed: boolean) * getPublicCountAccess() * setPublicCountAccess(allowed: boolean) * getRoleCountAccess(role: Role) * setRoleCountAccess(role: Role, allowed: boolean) * getCreateRequiresAuthentication() * setCreateRequiresAuthentication(allowed: boolean) * getCreatePointerFields() * setCreatePointerFields(pointerFields: string[]) * getCreateAccess(entity: Entity) * setCreateAccess(entity: Entity, allowed: boolean) * getPublicCreateAccess() * setPublicCreateAccess(allowed: Boolean) * getRoleCreateAccess(role: Role) * setRoleCreateAccess(role: Role, allowed: boolean) * getUpdateRequiresAuthentication() * setUpdateRequiresAuthentication(allowed: boolean) * getUpdatePointerFields() * setUpdatePointerFields(pointerFields: string[]) * getUpdateAccess(entity: Entity) * setUpdateAccess(entity: Entity, allowed: boolean) * getPublicUpdateAccess() * setPublicUpdateAccess(allowed: boolean) * getRoleUpdateAccess(role: Role) * setRoleUpdateAccess(role: Role, allowed: boolean) * getDeleteRequiresAuthentication() * setDeleteRequiresAuthentication(allowed: boolean) * getDeletePointerFields() * setDeletePointerFields(pointerFields: string[]) * getDeleteAccess(entity: Entity) * setDeleteAccess(entity: Entity, allowed: boolean) * getPublicDeleteAccess() * setPublicDeleteAccess(allowed: boolean) * getRoleDeleteAccess(role: Role) * setRoleDeleteAccess(role: Role, allowed: boolean) * getAddFieldRequiresAuthentication() * setAddFieldRequiresAuthentication(allowed: boolean) * getAddFieldPointerFields() * setAddFieldPointerFields(pointerFields: string[]) * getAddFieldAccess(entity: Entity) * setAddFieldAccess(entity: Entity, allowed: boolean) * getPublicAddFieldAccess() * setPublicAddFieldAccess(allowed: boolean) * getRoleAddFieldAccess(role: Role) * setRoleAddFieldAccess(role: Role, allowed: boolean) *

* * @alias Parse.CLP */ class ParseCLP { /*:: permissionsMap: PermissionsMap;*/ /** * @param {(Parse.User | Parse.Role | object)} userId The user to initialize the CLP for */ constructor(userId /*: ParseUser | ParseRole | PermissionsMap*/) { this.permissionsMap = {}; // Initialize permissions Map with default permissions for (const [operation, group] of VALID_PERMISSIONS.entries()) { this.permissionsMap[operation] = Object.assign({}, group); const action = operation.charAt(0).toUpperCase() + operation.slice(1); this[`get${action}RequiresAuthentication`] = function () { return this._getAccess(operation, 'requiresAuthentication'); }; this[`set${action}RequiresAuthentication`] = function (allowed) { this._setAccess(operation, 'requiresAuthentication', allowed); }; this[`get${action}PointerFields`] = function () { return this._getAccess(operation, 'pointerFields', false); }; this[`set${action}PointerFields`] = function (pointerFields) { this._setArrayAccess(operation, 'pointerFields', pointerFields); }; this[`get${action}Access`] = function (entity) { return this._getAccess(operation, entity); }; this[`set${action}Access`] = function (entity, allowed) { this._setAccess(operation, entity, allowed); }; this[`getPublic${action}Access`] = function () { return this[`get${action}Access`](PUBLIC_KEY); }; this[`setPublic${action}Access`] = function (allowed) { this[`set${action}Access`](PUBLIC_KEY, allowed); }; this[`getRole${action}Access`] = function (role) { return this[`get${action}Access`](this._getRoleName(role)); }; this[`setRole${action}Access`] = function (role, allowed) { this[`set${action}Access`](this._getRoleName(role), allowed); }; } // Initialize permissions Map with default extended permissions for (const [operation, group] of VALID_PERMISSIONS_EXTENDED.entries()) { this.permissionsMap[operation] = Object.assign({}, group); } if (userId && typeof userId === 'object') { if (userId instanceof _ParseUser.default) { this.setReadAccess(userId, true); this.setWriteAccess(userId, true); } else if (userId instanceof _ParseRole.default) { this.setRoleReadAccess(userId, true); this.setRoleWriteAccess(userId, true); } else { for (const permission in userId) { const users = userId[permission]; const isValidPermission = !!VALID_PERMISSIONS.get(permission); const isValidPermissionExtended = !!VALID_PERMISSIONS_EXTENDED.get(permission); const isValidGroupPermission = ['readUserFields', 'writeUserFields'].includes(permission); if (typeof permission !== 'string' || !(isValidPermission || isValidPermissionExtended || isValidGroupPermission)) { throw new TypeError('Tried to create an CLP with an invalid permission type.'); } if (isValidGroupPermission) { if (users.every(pointer => typeof pointer === 'string')) { this.permissionsMap[permission] = users; continue; } else { throw new TypeError('Tried to create an CLP with an invalid permission value.'); } } for (const user in users) { const allowed = users[user]; if (typeof allowed !== 'boolean' && !isValidPermissionExtended && user !== 'pointerFields') { throw new TypeError('Tried to create an CLP with an invalid permission value.'); } this.permissionsMap[permission][user] = allowed; } } } } else if (typeof userId === 'function') { throw new TypeError('ParseCLP constructed with a function. Did you forget ()?'); } } /** * Returns a JSON-encoded version of the CLP. * * @returns {object} */ toJSON() /*: PermissionsMap*/{ return { ...this.permissionsMap }; } /** * Returns whether this CLP is equal to another object * * @param other The other object to compare to * @returns {boolean} */ equals(other /*: ParseCLP*/) /*: boolean*/{ if (!(other instanceof ParseCLP)) { return false; } const permissions = Object.keys(this.permissionsMap); const otherPermissions = Object.keys(other.permissionsMap); if (permissions.length !== otherPermissions.length) { return false; } for (const permission in this.permissionsMap) { if (!other.permissionsMap[permission]) { return false; } const users = Object.keys(this.permissionsMap[permission]); const otherUsers = Object.keys(other.permissionsMap[permission]); if (users.length !== otherUsers.length) { return false; } for (const user in this.permissionsMap[permission]) { if (!other.permissionsMap[permission][user]) { return false; } if (this.permissionsMap[permission][user] !== other.permissionsMap[permission][user]) { return false; } } } return true; } _getRoleName(role /*: ParseRole | string*/) /*: string*/{ let name = role; if (role instanceof _ParseRole.default) { // Normalize to the String name name = role.getName(); } if (typeof name !== 'string') { throw new TypeError('role must be a Parse.Role or a String'); } return `role:${name}`; } _parseEntity(entity /*: Entity*/) { let userId = entity; if (userId instanceof _ParseUser.default) { userId = userId.id; if (!userId) { throw new Error('Cannot get access for a Parse.User without an id.'); } } else if (userId instanceof _ParseRole.default) { userId = this._getRoleName(userId); } if (typeof userId !== 'string') { throw new TypeError('userId must be a string.'); } return userId; } _setAccess(permission /*: string*/, userId /*: Entity*/, allowed /*: boolean*/) { userId = this._parseEntity(userId); if (typeof allowed !== 'boolean') { throw new TypeError('allowed must be either true or false.'); } const permissions = this.permissionsMap[permission][userId]; if (!permissions) { if (!allowed) { // The user already doesn't have this permission, so no action is needed return; } else { this.permissionsMap[permission][userId] = {}; } } if (allowed) { this.permissionsMap[permission][userId] = true; } else { delete this.permissionsMap[permission][userId]; } } _getAccess(permission /*: string*/, userId /*: Entity*/, returnBoolean = true) /*: boolean | string[]*/{ userId = this._parseEntity(userId); const permissions = this.permissionsMap[permission][userId]; if (returnBoolean) { if (!permissions) { return false; } return !!this.permissionsMap[permission][userId]; } return permissions; } _setArrayAccess(permission /*: string*/, userId /*: Entity*/, fields /*: string*/) { userId = this._parseEntity(userId); const permissions = this.permissionsMap[permission][userId]; if (!permissions) { this.permissionsMap[permission][userId] = []; } if (!fields || Array.isArray(fields) && fields.length === 0) { delete this.permissionsMap[permission][userId]; } else if (Array.isArray(fields) && fields.every(field => typeof field === 'string')) { this.permissionsMap[permission][userId] = fields; } else { throw new TypeError('fields must be an array of strings or undefined.'); } } _setGroupPointerPermission(operation /*: string*/, pointerFields /*: string[]*/) { const fields = this.permissionsMap[operation]; if (!fields) { this.permissionsMap[operation] = []; } if (!pointerFields || Array.isArray(pointerFields) && pointerFields.length === 0) { delete this.permissionsMap[operation]; } else if (Array.isArray(pointerFields) && pointerFields.every(field => typeof field === 'string')) { this.permissionsMap[operation] = pointerFields; } else { throw new TypeError(`${operation}.pointerFields must be an array of strings or undefined.`); } } _getGroupPointerPermissions(operation /*: string*/) /*: string[]*/{ return this.permissionsMap[operation]; } /** * Sets user pointer fields to allow permission for get/count/find operations. * * @param {string[]} pointerFields User pointer fields */ setReadUserFields(pointerFields /*: string[]*/) { this._setGroupPointerPermission('readUserFields', pointerFields); } /** * @returns {string[]} User pointer fields */ getReadUserFields() /*: string[]*/{ return this._getGroupPointerPermissions('readUserFields'); } /** * Sets user pointer fields to allow permission for create/delete/update/addField operations * * @param {string[]} pointerFields User pointer fields */ setWriteUserFields(pointerFields /*: string[]*/) { this._setGroupPointerPermission('writeUserFields', pointerFields); } /** * @returns {string[]} User pointer fields */ getWriteUserFields() /*: string[]*/{ return this._getGroupPointerPermissions('writeUserFields'); } /** * Sets whether the given user is allowed to retrieve fields from this class. * * @param userId An instance of Parse.User or its objectId. * @param {string[]} fields fields to be protected */ setProtectedFields(userId /*: Entity*/, fields /*: string[]*/) { this._setArrayAccess('protectedFields', userId, fields); } /** * Returns array of fields are accessable to this user. * * @param userId An instance of Parse.User or its objectId, or a Parse.Role. * @returns {string[]} */ getProtectedFields(userId /*: Entity*/) /*: string[]*/{ return this._getAccess('protectedFields', userId, false); } /** * Sets whether the given user is allowed to read from this class. * * @param userId An instance of Parse.User or its objectId. * @param {boolean} allowed whether that user should have read access. */ setReadAccess(userId /*: Entity*/, allowed /*: boolean*/) { this._setAccess('find', userId, allowed); this._setAccess('get', userId, allowed); this._setAccess('count', userId, allowed); } /** * Get whether the given user id is *explicitly* allowed to read from this class. * Even if this returns false, the user may still be able to access it if * getPublicReadAccess returns true or a role that the user belongs to has * write access. * * @param userId An instance of Parse.User or its objectId, or a Parse.Role. * @returns {boolean} */ getReadAccess(userId /*: Entity*/) /*: boolean*/{ return this._getAccess('find', userId) && this._getAccess('get', userId) && this._getAccess('count', userId); } /** * Sets whether the given user id is allowed to write to this class. * * @param userId An instance of Parse.User or its objectId, or a Parse.Role.. * @param {boolean} allowed Whether that user should have write access. */ setWriteAccess(userId /*: Entity*/, allowed /*: boolean*/) { this._setAccess('create', userId, allowed); this._setAccess('update', userId, allowed); this._setAccess('delete', userId, allowed); this._setAccess('addField', userId, allowed); } /** * Gets whether the given user id is *explicitly* allowed to write to this class. * Even if this returns false, the user may still be able to write it if * getPublicWriteAccess returns true or a role that the user belongs to has * write access. * * @param userId An instance of Parse.User or its objectId, or a Parse.Role. * @returns {boolean} */ getWriteAccess(userId /*: Entity*/) /*: boolean*/{ return this._getAccess('create', userId) && this._getAccess('update', userId) && this._getAccess('delete', userId) && this._getAccess('addField', userId); } /** * Sets whether the public is allowed to read from this class. * * @param {boolean} allowed */ setPublicReadAccess(allowed /*: boolean*/) { this.setReadAccess(PUBLIC_KEY, allowed); } /** * Gets whether the public is allowed to read from this class. * * @returns {boolean} */ getPublicReadAccess() /*: boolean*/{ return this.getReadAccess(PUBLIC_KEY); } /** * Sets whether the public is allowed to write to this class. * * @param {boolean} allowed */ setPublicWriteAccess(allowed /*: boolean*/) { this.setWriteAccess(PUBLIC_KEY, allowed); } /** * Gets whether the public is allowed to write to this class. * * @returns {boolean} */ getPublicWriteAccess() /*: boolean*/{ return this.getWriteAccess(PUBLIC_KEY); } /** * Sets whether the public is allowed to protect fields in this class. * * @param {string[]} fields */ setPublicProtectedFields(fields /*: string[]*/) { this.setProtectedFields(PUBLIC_KEY, fields); } /** * Gets whether the public is allowed to read fields from this class. * * @returns {string[]} */ getPublicProtectedFields() /*: string[]*/{ return this.getProtectedFields(PUBLIC_KEY); } /** * Gets whether users belonging to the given role are allowed * to read from this class. Even if this returns false, the role may * still be able to write it if a parent role has read access. * * @param role The name of the role, or a Parse.Role object. * @returns {boolean} true if the role has read access. false otherwise. * @throws {TypeError} If role is neither a Parse.Role nor a String. */ getRoleReadAccess(role /*: ParseRole | string*/) /*: boolean*/{ return this.getReadAccess(this._getRoleName(role)); } /** * Gets whether users belonging to the given role are allowed * to write to this user. Even if this returns false, the role may * still be able to write it if a parent role has write access. * * @param role The name of the role, or a Parse.Role object. * @returns {boolean} true if the role has write access. false otherwise. * @throws {TypeError} If role is neither a Parse.Role nor a String. */ getRoleWriteAccess(role /*: ParseRole | string*/) /*: boolean*/{ return this.getWriteAccess(this._getRoleName(role)); } /** * Sets whether users belonging to the given role are allowed * to read from this class. * * @param role The name of the role, or a Parse.Role object. * @param {boolean} allowed Whether the given role can read this object. * @throws {TypeError} If role is neither a Parse.Role nor a String. */ setRoleReadAccess(role /*: ParseRole | string*/, allowed /*: boolean*/) { this.setReadAccess(this._getRoleName(role), allowed); } /** * Sets whether users belonging to the given role are allowed * to write to this class. * * @param role The name of the role, or a Parse.Role object. * @param {boolean} allowed Whether the given role can write this object. * @throws {TypeError} If role is neither a Parse.Role nor a String. */ setRoleWriteAccess(role /*: ParseRole | string*/, allowed /*: boolean*/) { this.setWriteAccess(this._getRoleName(role), allowed); } /** * Gets whether users belonging to the given role are allowed * to count to this user. Even if this returns false, the role may * still be able to count it if a parent role has count access. * * @param role The name of the role, or a Parse.Role object. * @returns {string[]} * @throws {TypeError} If role is neither a Parse.Role nor a String. */ getRoleProtectedFields(role /*: ParseRole | string*/) /*: string[]*/{ return this.getProtectedFields(this._getRoleName(role)); } /** * Sets whether users belonging to the given role are allowed * to set access field in this class. * * @param role The name of the role, or a Parse.Role object. * @param {string[]} fields Fields to be protected by Role. * @throws {TypeError} If role is neither a Parse.Role nor a String. */ setRoleProtectedFields(role /*: ParseRole | string*/, fields /*: string[]*/) { this.setProtectedFields(this._getRoleName(role), fields); } } var _default = ParseCLP; exports.default = _default;