Update permission check to match WildCardPermission logic.

OHDSI · Feb 5, 2024 · 8204d19 · 8204d19
1 parent b3210e2
commit 8204d19
Showing 1 changed file with 25 additions and 12 deletions.
diff --git a/js/services/AuthAPI.js b/js/services/AuthAPI.js
@@ -176,32 +176,44 @@ define(function(require, exports) {
         }
     }
 
+    // adapted from https://github.com/apache/shiro/blob/fa518ec985fd192497cd04e2569041b2f469aead/core/src/main/java/org/apache/shiro/authz/permission/WildcardPermission.java#L201
+
     var checkPermission = function(permission, etalon) {
-        // etalon may be like '*:read,write:etc'
-        if (!etalon || !permission) {
+        // etalon may be like '*:read,write:etc', and is a permission assigned to the user.
+        // permission is the permission to check
+        if (!etalon || !permission) { // both must be non-null to perform a check
             return false;
         }
 
-        if (permission == etalon) {
+        if (permission == etalon) { // quick check: if equal on both sides, then permission is granted.
             return true;
         }
 
         var etalonLevels = etalon.split(':');
         var permissionLevels = permission.split(':');
 
-        if (etalonLevels.length != permissionLevels.length) {
-            return false;
+        var i = 0;
+        for (let permissionLevel of permissionLevels) {
+            // If this etalon has less parts than the permission, everything after the number of parts contained
+            // in this etalon is automatically implied, so return true
+            if (etalonLevels.length - 1 < i) {
+                return true;
+            } else {
+                var etalonPart = etalonLevels[i].split(',');
+                var permissionPart = permissionLevel.split(',');
+                if (!etalonPart.includes("*") && !permissionPart.every(pp => etalonPart.includes(pp))) {
+                    return false;
+                }
+            }
+            i++;
         }
-
-        for (var i = 0; i < permissionLevels.length; i++) {
-            var pLevel = permissionLevels[i];
-            var eLevels = etalonLevels[i].split(',');
-
-            if (eLevels.indexOf('*') < 0 && eLevels.indexOf(pLevel) < 0) {
+        // If etalon has more parts than the permission, return true if rest of eLevels contains wildcard
+        for (; i < etalonLevels.length; i++) { // loop through remaining etalonLevels
+            var etalonPart = etalonLevels[i].split(',');
+            if (!etalonPart.includes("*")) {
                 return false;
             }
         }
-
         return true;
     };
 
@@ -626,6 +638,7 @@ define(function(require, exports) {
         TOKEN_HEADER,
         runAs,
         executeWithRefresh,
+
     };
 
     return api;