adonis-acl
is middleware or ( || ) operator not working
In my application I have added multiple roles such as administrator and I am trying to limit routes to specific roles as shown in the documentation
Route.post('/device/:id/upload', 'DeviceController.upload')
.middleware(['auth:jwt', 'is:(administrator || support || productionOwner)'])
however only the first role is considered and if I have a support role (in this example) I receive a forbidden error.
Looking at the code in the middleware (src/Middlewares/Is.js)
class Is {
  async handle ({ auth }, next, ...args) {
    let expression = args[0]
    if (Array.isArray(expression)) {
      expression = expression[0]
    }
    console.log("Expression ", args, expression)
    const is = await auth.user.is(expression)
    if (!is) {
      throw new ForbiddenException()
    }
    await next()
  }
}
I looked at the values passed and it seems to me the method does not receive the expected input
Expression [ [ '(administrator ' ] ] (administrator
where to me it looks like the function expects something like 'administrator || support'
Looking at the documentation of adonis middleware it seems that the pipe operator is used for passing multiple middlewares: "Middleware uses the pipe expression to define props."
this might have recently changed (I see no mention of the pipe syntax in the adonis 3.2 docs)
I would like to know if I am missing something obvious. If not, my guess is that the passing of operators has to be changed to text versions like 'or' and 'and'.
I have created a pull request with a possible fix/workaround
No need for a workaround, just an update to the README.md. Feel free to merge https://github.com/enniel/adonis-acl/pull/24 or just use @erikkallen's PR when he corrects the README.md too. 👍
This way solve this problem:
Route.post('/device/:id/upload', 'DeviceController.upload')
.middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])
It works!! Many thanks!
Hi Erik Kallen,
I have tried with || and or, for both I get Invalid Expression when I test from PostMan.
Route.resource('/permissions', 'PermissionController').apiOnly().middleware(['auth', 'is:(administrator or moderator)'])
Any suggestions with changes?
Thanks
Ajay K
I think you are missing which auth provider to use, auth:jwt or auth:api; you only have auth.
Erik,
I have changed to:
Route.resource('/roles', 'RoleController').apiOnly().middleware(['auth:jwt', 'is:(administrator || moderator)'])
Still same issue.
Thanks
Ajay K
Now try with or
Hi Erik,
Yes, it finally works.
Thanks
Ajay K
This way solve this problem:
Route.post('/device/:id/upload', 'DeviceController.upload') .middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])
owwwwwwwwww mannn thanks thanks thanks mann ahhhhhhhh!!!
saved me a really big time 😆
In case anyone is interested in knowing why |s get stripped from middleware arguments (at least up to v5):
In @adonisjs/http-server, a package called @poppinss/haye supplies a parsing function called Pipe that parses named middleware. It looks for delimiters like : to get the middleware args. Here is where it matches for |s, and I'm guessing the intention is that middleware can be supplied as "auth:web|is:admin" or something like that.
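The truncation discussed in this thread, as an added example that is not code from adonis-acl, @adonisjs/http-server or @poppinss/haye: `parsePipe` is a simplified model of pipe-style parsing (an assumption, not the library's implementation) and `findTruncatedAcl` is a hypothetical check for route definitions. It shows why the `is` middleware only ever sees `(administrator ` when `||` is used, and why the `or` form arrives intact.

```javascript
// Simplified model of pipe-style named-middleware parsing (an assumption for
// illustration, not the @poppinss/haye source): '|' separates middleware,
// ':' separates a middleware name from its args, ',' separates the args.
function parsePipe (expression) {
  return expression
    .split('|')
    .filter((segment) => segment.trim() !== '')
    .map((segment) => {
      const idx = segment.indexOf(':')
      if (idx === -1) return { name: segment.trim(), args: [] }
      return {
        name: segment.slice(0, idx).trim(),
        args: segment.slice(idx + 1).split(',')
      }
    })
}

// What the 'is' middleware would receive as its role expression.
function aclArgSeenByMiddleware (expression) {
  const parsed = parsePipe(expression).find((m) => m.name === 'is')
  return parsed ? parsed.args[0] : undefined
}

// Hypothetical review-time check: flag 'is:' middleware strings containing
// '|', because the role expression is cut before it reaches Is.handle().
function findTruncatedAcl (middlewareList) {
  return middlewareList.filter((m) => m.startsWith('is:') && m.includes('|'))
}

// Constructed inputs, copied from the route definitions in this thread.
const broken = 'is:(administrator || support || productionOwner)'
const working = 'is:(administrator or support or productionOwner)'

console.log(JSON.stringify(aclArgSeenByMiddleware(broken)))
console.log(JSON.stringify(aclArgSeenByMiddleware(working)))
console.log(findTruncatedAcl(['auth:jwt', broken, working]))
```

The first value printed matches the `(administrator ` logged from `Is.handle()` in the original report; running a check like `findTruncatedAcl` over route definitions catches role expressions that would be silently shortened.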