integrating custom express endpoints into permissions-screen of expressa-admin
Any idea how I could append them to the permission mechanism and to the 'Permission' table in expressa-admin?
// this will output all custom express endpoints
app._router.stack.forEach(function(endpoint){
  console.log( endpoint.regexp.toString() )
})
It would make expressa the first express middleware (I've seen) to apply role/permissions on programmatically added endpoints.
Background
The problem with all express applications is a lack of centrally securing all endpoints. So cases like this:
app.use('/foo/bar',function(req,res,next){ .... })
app.get('/flop',function(req,res,next){ .. })
totally bypass authentication/roles. Of course this can be solved like this:
app.get('/flop',myAuthMiddleware, function(req,res,next){ .. })
However, then it still bypasses all finer-grained permissions. Since expressa already has fine-grained control of permissions, it would be neato to add the non-expressa endpoints in there as well.
WDYT?
This is a great idea! As you've said this should only be for custom endpoints since the expressa ones have their own permissions.
I'm thinking about whether we should only handle the top level or whether we should go into each middleware and analyze each of their routes. What are your thoughts?
Well, I would propose a bit of both: bruteforce fine-grained control. The snippet I showed earlier outputs all the url-regexes which get registered by other middleware already:
What we could do is to put something like this in node_modules/expressa/index.js e.g.:
app.use( function(req,res,next){
  var isMiddleware = false
  var hit = null
  // check the request url against every regex registered in the express-router
  app._router.stack.forEach(function(endpoint){
    if( req.url.match( endpoint.regexp ) != null ){ isMiddleware = true; hit = endpoint }
  })
  if( !isMiddleware ) return next() // probably a file from a public folder
  // createOrFindPermissionName is a hypothetical helper (see disclaimer below)
  var permitted = createOrFindPermissionName( hit.regexp.toString(), req.user )
  if( permitted ) return next()
  else return res.status(400).send({error:'No permission.'})
})
Explanation:
- for any express request iterate over the url-regexes in the express-router
- determine whether the url hits an app.use() or app.get/post/put/delete-call from middleware (=regex)
- create or find the permission (if created, set all permissions to true)
- allow or disallow the call
This would pre-filter all express middleware (I think)
WDYT?
DISCLAIMER: I don't know yet how to determine the user of each request, and how to create or find permissions which belong to that user
Early on I attach a hasPermission function to the request object so you can just call that and pass the string name of the permission.
if (req.hasPermission('view errors')) {
  // ... handler code for users who hold the permission
}
If you need to know the current user use req.uid. If you want the full user object you can use the standard db method to load it. But all this shouldn't be necessary because the hasPermission method should work.
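The middleware sketched above combined with the req.hasPermission helper, as an added example that is not code from this thread or from expressa: the router-stack entries are constructed to mimic the shape of app._router.stack, and the permission-name format ("route: GET /flop", "use: ...") is an assumption.

```javascript
// Added example (not from the thread or expressa): gate custom Express routes by
// matching req.url against router-stack regexps and asking req.hasPermission().
// Root-mounted layers ('/', e.g. express.static) are skipped via regexp.fast_slash.

// Permission name for a layer, e.g. "route: GET /flop" or "use: /^\/foo\/bar.../i".
function permissionNameFor(layer) {
  if (layer.route) {
    const methods = Object.keys(layer.route.methods).map(m => m.toUpperCase()).join(',');
    return `route: ${methods} ${layer.route.path}`;
  }
  return `use: ${layer.regexp.toString()}`;   // app.use() layers carry no route object
}

// Permission names of every non-root layer whose regexp matches the request path.
function requiredPermissions(stack, url) {
  const path = url.split('?')[0];
  return stack
    .filter(layer => !layer.regexp.fast_slash && layer.regexp.test(path))
    .map(permissionNameFor);
}

// Middleware: 403 on the first missing permission, otherwise fall through to next().
function routePermissionMiddleware(stack) {
  return function (req, res, next) {
    const denied = requiredPermissions(stack, req.url).filter(n => !req.hasPermission(n));
    if (denied.length === 0) return next();
    return res.status(403).send({ error: 'No permission.', permission: denied[0] });
  };
}

// Constructed stack entries with regexps in the form Express 4 builds them.
const rootRegexp = /^\/?(?=\/|$)/i;
rootRegexp.fast_slash = true;                                     // Express marks '/' mounts this way
const sampleStack = [
  { name: 'serveStatic', regexp: rootRegexp },                    // app.use(express.static(...))
  { name: 'bound dispatch', regexp: /^\/flop\/?$/i,
    route: { path: '/flop', methods: { get: true } } },            // app.get('/flop', ...)
  { name: 'fooBar', regexp: /^\/foo\/bar\/?(?=\/|$)/i },           // app.use('/foo/bar', ...)
];

// Minimal req/res stand-ins so the middleware runs without Express; `granted`
// lists the permission names the caller holds.
function runRequest(url, granted) {
  const req = { url, hasPermission: name => granted.includes(name) };
  const res = { status(c) { this.code = c; return this; }, send(b) { this.body = b; return this; } };
  let passed = false;
  routePermissionMiddleware(sampleStack)(req, res, () => { passed = true; });
  return { passed, code: res.code, body: res.body };
}
```

Static files served from the root mount fall through untouched, while a mounted app.use() path and a route both require their own permission name.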
Oh great, I think I can start preparing a PR. Btw. any idea how to create a Permission?
You just give the permission to the Admin role. Here's an example: https://github.com/thomas4019/expressa/blob/master/collection_permissions.js#L49
thx!
just a heads up here, I'm still working on it, next to some other expressa stuff.