reactioncommerce / meteor-security

A Meteor package: Logical MongoDB security

Home Page: https://atmospherejs.com/ongoworks/security

Multiple CollectionFS`s support

mshekera opened this issue

I'm using cfs:filesystem@0.1.2 (installed this version via meteor add cfs:filesystem, also didn't test with 0.1.1 or earlier) and having some problems:

(1) Images.files.permit(['download']).apply() returns the following error:

W20150330-20:25:57.663(3)? (STDERR) Error: allow: Invalid key: download
W20150330-20:25:57.665(3)? (STDERR)     at packages/mongo/collection.js:723:1
W20150330-20:25:57.666(3)? (STDERR)     at Array.forEach (native)
W20150330-20:25:57.667(3)? (STDERR)     at Function._.each._.forEach (packages/underscore/underscore.js:105:1)
W20150330-20:25:57.668(3)? (STDERR)     at [object Object].addValidator (packages/mongo/collection.js:721:1)
W20150330-20:25:57.668(3)? (STDERR)     at [object Object].Mongo.Collection.allow (packages/mongo/collection.js:769:1)
W20150330-20:25:57.669(3)? (STDERR)     at packages/ongoworks:security/security-util.js:39:1
W20150330-20:25:57.671(3)? (STDERR)     at Array.forEach (native)
W20150330-20:25:57.672(3)? (STDERR)     at Function._.each._.forEach (packages/underscore/underscore.js:105:1)
W20150330-20:25:57.673(3)? (STDERR)     at addFuncForAll (packages/ongoworks:security/security-util.js:38:1)
W20150330-20:25:57.673(3)? (STDERR)     at packages/ongoworks:security/security-util.js:56:1

(2) Images.permit(['download']).apply() is not working either

(3) Security.permit(['download']).collections([Images.files, Audios.files]).apply() fails with the same error as (1)

(4) Security.permit(['download']).collections([Images, Audios]).apply() works, but actually sets rules only for the first collection in the array (Images in the example)

My temporary (because I doubt I fixed it properly, but at least it works) solution to (4):

The FSCollection object seems to have no _name property, but has name. I mean, here c._name is undefined, and c.name is the actual FSCollection (not the mongo collection, which looks like cfs.filesystem.images and is stored in the Images.files._name property) name (i.e. 'images' or 'audio'). This leads to a wrong assignment on the 59th line (it creates the object {undefined: true} because c._name is undefined) and therefore, in future, to not processing any collections except the first one or whatever.

So, to fix it one can change c._name to c._name || c.name on lines 54 and 59 in the security-util.js file.

Also, I supposed something like c.files && c.files._name || c._name || c.name should work too, but it changes nothing (haven't investigated why). It works when permitting 'download' as written in the upd. section.

upd.:
To make my "hack" work, it seems the .collections method should be called separately for each collection, i.e.:

Security.permit(['download']).collections([Images]).apply();
Security.permit(['download']).collections([Audios]).apply();

Again, have no idea why

Should be fixed by 4a4c0ba in 1.3.0

I can confirm that doing:

Security.permit( ['download'] )
        .collections( [CardImagesCollection, CardFilesCollection] )
        .ifCanReadOwnerCard()
        .apply();

only allows download on the first collection. ifCanReadOwnerCard will be executed for the second, but it will deny it no matter what is returned.
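
The failure mode reported in this thread, a guard keyed by c._name that collapses every FSCollection onto the key undefined, shown as an added example; it is a simplified model, not the package's own code. The names registerRules, buggyKey, safeKey and missingRules and the sample collection objects are hypothetical and constructed for illustration.

```javascript
// Constructed stand-ins: a Mongo.Collection exposes _name,
// an FSCollection (as described in the thread) only exposes name.
const Posts  = { _name: 'posts' };
const Images = { name: 'images' };
const Audios = { name: 'audios' };

// Hypothetical "attach rules once per collection" guard.
// keyOf decides which property identifies a collection.
function registerRules(collections, keyOf) {
  const seen = {};        // collection key -> true once rules are attached
  const registered = [];  // collections that actually received rules
  for (const c of collections) {
    const key = keyOf(c);
    if (seen[key]) continue; // treated as a duplicate and skipped silently
    seen[key] = true;        // with key === undefined this is {undefined: true}
    registered.push(c);
  }
  return registered;
}

// Behaviour reported in the thread: only _name is consulted.
const buggyKey = (c) => c._name;

// Workaround from the thread (c._name || c.name), plus a hard failure when
// neither exists, so a collection is never dropped from the rule set unnoticed.
function safeKey(c) {
  const key = c._name || c.name;
  if (typeof key !== 'string' || key.length === 0) {
    throw new Error('collection has no usable name; refusing to skip its rules');
  }
  return key;
}

// Startup check: every requested collection must have received rules.
function missingRules(requested, registered) {
  return requested.filter((c) => !registered.includes(c));
}

const requested = [Posts, Images, Audios];
const names = (list) => list.map((c) => c._name || c.name);
console.log(names(missingRules(requested, registerRules(requested, buggyKey))));
console.log(names(missingRules(requested, registerRules(requested, safeKey))));
```

A check like missingRules at startup turns a silently skipped collection into a visible error instead of a rule set that differs from what the code appears to declare.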