
Project: Edison

Feature: Access Control
  The backend provides Public/Private/Role-based/ACL access control.

  Background:
    Given client accepts JSON
  Scenario: Bob can access his data only
    Given the system only knows those Buildings:
      | _id                      | label     | level | _owner            |
      | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
      | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
      | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
    And client is authenticated as Bob
    When client requests GET /api/buildings
    Then response status should be 200
    And response body should be JSON:
      """
      [ { "_id" : "541816f042e7d8204d000001", "label" : "Town Hall", "level" : 3, "_owner" : "[email protected]" },
        { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]" } ]
      """
  Scenario: John cannot list private objects from Bob
    Given the system only knows those Buildings:
      | _id                      | label     | level | _owner            |
      | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
      | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
      | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
    And client is authenticated as John
    When client requests GET /api/buildings
    Then response status should be 200
    And response body should be JSON:
      """
      [ ]
      """
  Scenario: John cannot get a private object from Bob
    Given the system knows this Building JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "Town Hall",
        "level": 3,
        "_owner": "[email protected]" }
      """
    And client is authenticated as John
    When client requests GET /api/buildings/541816f042e7d8204d000001
    Then response status should be 422
    And response body should be JSON:
      """
      { "status": "Unprocessable Entity",
        "message": "Object with _id 541816f042e7d8204d000001 not found." }
      """
  Scenario: John cannot insert and override a private object from Bob
    Given the system knows this Building JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "Town Hall",
        "level": 3,
        "_owner": "[email protected]" }
      """
    And client is authenticated as John
    When client requests POST /api/buildings with JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 422
    When client requests POST /api/buildings with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999,
        "_owner": "[email protected]" }
      """
    Then response status should be 422
  Scenario: John cannot modify and override a private object from Bob
    Given the system knows this Building JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "Town Hall",
        "level": 3,
        "_owner": "[email protected]" }
      """
    And client is authenticated as John
    When client requests PUT /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 422
    When client requests PUT /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999,
        "_owner": "[email protected]" }
      """
    Then response status should be 422
    When client requests PUT /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 422
  Scenario: John cannot mutate and override a private object from Bob
    Given the system knows this Building JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "Town Hall",
        "level": 3,
        "_owner": "[email protected]" }
      """
    And client is authenticated as John
    When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 422
    When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999,
        "_owner": "[email protected]" }
      """
    Then response status should be 422
    When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 422
  Scenario: John cannot delete a private object from Bob
    Given the system knows this Building JSON:
      """
      { "_id": "541816f042e7d8204d000001",
        "label": "Town Hall",
        "level": 3,
        "_owner": "[email protected]" }
      """
    And client is authenticated as John
    When client requests DELETE /api/buildings/541816f042e7d8204d000001
    Then response status should be 422
  Scenario: John cannot find private objects from Bob
    Given the system only knows those Buildings:
      | _id                      | label     | level | _owner            |
      | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
      | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
      | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
    And client is authenticated as John
    When client requests POST /api/buildings/search with JSON:
      """
      { }
      """
    Then response status should be 200
    And response body should be JSON:
      """
      [ ]
      """
    When client requests POST /api/buildings/search with JSON:
      """
      { "level": 3 }
      """
    Then response status should be 200
    And response body should be JSON:
      """
      [ ]
      """
    When client requests POST /api/buildings/search with JSON:
      """
      { "_id": "541816f042e7d8204d000001" }
      """
    Then response status should be 422
    When client requests POST /api/buildings/search with JSON:
      """
      { "_owner": "[email protected]" }
      """
    Then response status should be 422
  Scenario: John can read objects from Bob only if he has read permission
    Given the system only knows those Buildings:
      | _id                      | label     | level | _owner            | _tags |
      | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [ ] |
      | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] |
      | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | [ { "_targets" : [ "foo", "[email protected]", "bar" ], "_permissions" : [ { "_read" : true } ] } ] |
    And client is authenticated as John
    When client requests GET /api/buildings
    Then response status should be 200
    And response body should be JSON:
      """
      [ { "_id" : "541816f042e7d8204d000002", "label" : "Army Camp", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] },
        { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "foo", "[email protected]", "bar" ], "_permissions" : [ { "_read" : true } ] } ] } ]
      """
    When client requests GET /api/buildings/541816f042e7d8204d000003
    Then response status should be 200
    And response body should be JSON:
      """
      { "_id" : "541816f042e7d8204d000003",
        "label" : "Gold Mine",
        "level" : 3,
        "_owner" : "[email protected]",
        "_tags" : [ { "_targets" : [ "foo", "[email protected]", "bar" ], "_permissions" : [ { "_read" : true } ] } ] }
      """
    When client requests POST /api/buildings/search with JSON:
      """
      { "level": 3 }
      """
    Then response status should be 200
    And response body should be JSON:
      """
      [ { "_id" : "541816f042e7d8204d000002", "label" : "Army Camp", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] },
        { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "foo", "[email protected]", "bar" ], "_permissions" : [ { "_read" : true } ] } ] } ]
      """
  Scenario: John can update objects from Bob only if he has read/write permission
    Given the system only knows those Buildings:
      | _id                      | label     | level | _owner            | _tags |
      | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [ { "_targets" : [ "foo", "[email protected]" ], "_permissions" : [ { "_read" : true }, { "_write" : false } ] } ] |
      | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] |
      | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "bar" ], "_permissions" : [ { "_read" : true }, { "_write" : true } ] } ] |
    And client is authenticated as John
    When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 422
    When client requests PATCH /api/buildings/541816f042e7d8204d000003 with JSON:
      """
      { "label": "John's Town Hall",
        "level": 999 }
      """
    Then response status should be 200
    And response body should be JSON:
      """
      { "status": "ok" }
      """
  Scenario: Even if he has read/write permission, John must not be able to modify permissions of objects from Bob
    Given the system only knows those Buildings:
      | _id                      | label     | level | _owner            | _tags |
      | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [ { "_targets" : [ "foo", "[email protected]" ], "_permissions" : [ { "_read" : true }, { "_write" : false } ] } ] |
      | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] |
      | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "bar" ], "_permissions" : [ { "_read" : true }, { "_write" : true } ] } ] |
    And client is authenticated as John
    When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "_owner": "[email protected]" }
      """
    Then response status should be 422
    When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
      """
      { "_tags": [ { "_targets": [ "[email protected]" ], "_permissions": [ { "_read": true }, { "_write": true } ] } ] }
      """
    Then response status should be 422
    When client requests PATCH /api/buildings/541816f042e7d8204d000003 with JSON:
      """
      { "_owner": "[email protected]" }
      """
    Then response status should be 422
    When client requests PATCH /api/buildings/541816f042e7d8204d000003 with JSON:
      """
      { "_tags": [ { "_targets": [ "[email protected]", "[email protected]" ], "_permissions": [ { "_read": true }, { "_write": true } ] } ] }
      """
    Then response status should be 422
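The scenarios above pin down one consistent access-control model: an object is visible to its `_owner` and to any principal listed in a `_tags` entry's `_targets` whose `_permissions` include `{"_read": true}`; it is writable by the owner and by targets granted `{"_write": true}`; a hidden object is reported exactly like a missing one; and a delegate with write access still cannot touch `_owner` or `_tags`. The following Python model is an added example that implements those decisions over an in-memory store. It is not the Edison backend or any code from this feature. Its assumptions: principals are plain strings (the addresses on this page are obfuscated in this copy), `BUILDINGS` is constructed sample data shaped like the tables above, the "not found" message is the one the page shows while every other error message, the refusal of a search keyed on `_id`/`_owner` that matches nothing readable, the rejection of any `_owner` in a create body, and owner-only delete are choices of this example rather than documented behaviour.

```python
from copy import deepcopy

# Constructed sample data shaped like the tables in the scenarios. The e-mail
# addresses on this page are obfuscated in this copy, so plain names stand in.
BOB, JOHN = "bob", "john"
TOWN_HALL = "541816f042e7d8204d000001"
ARMY_CAMP = "541816f042e7d8204d000002"
GOLD_MINE = "541816f042e7d8204d000003"
BARRACKS = "541816f042e7d8204d000004"
HUT = "541816f042e7d8204d000005"

BUILDINGS = [
    {"_id": TOWN_HALL, "label": "Town Hall", "level": 3, "_owner": BOB,   # John: read only
     "_tags": [{"_targets": ["foo", JOHN], "_permissions": [{"_read": True}, {"_write": False}]}]},
    {"_id": ARMY_CAMP, "label": "Army Camp", "level": 3, "_owner": BOB,   # John: read
     "_tags": [{"_targets": [JOHN, "someoneelse"], "_permissions": [{"_read": True}]}]},
    {"_id": GOLD_MINE, "label": "Gold Mine", "level": 3, "_owner": BOB,   # John: read + write
     "_tags": [{"_targets": [JOHN, "bar"], "_permissions": [{"_read": True}, {"_write": True}]}]},
    {"_id": BARRACKS, "label": "Barracks", "level": 1, "_owner": BOB},    # private to Bob
    {"_id": HUT, "label": "Hut", "level": 1, "_owner": JOHN},             # private to John
]


class ApiError(Exception):
    """Carries the HTTP status the scenarios assert on (the page uses 422 for every refusal)."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status, self.message = status, message


def _granted(obj, user, perm):
    """True if some _tags entry targets `user` and lists {perm: true}."""
    return any(
        user in tag.get("_targets", ())
        and any(p.get(perm) is True for p in tag.get("_permissions", ()))
        for tag in obj.get("_tags", ())
    )


def can_read(obj, user):
    return obj["_owner"] == user or _granted(obj, user, "_read")


def can_write(obj, user):
    return obj["_owner"] == user or _granted(obj, user, "_write")


class BuildingStore:
    def __init__(self, buildings):
        self._db = {b["_id"]: deepcopy(b) for b in buildings}

    def _visible(self, obj_id, user):
        # A hidden object and a missing one must be indistinguishable to the caller;
        # otherwise the status code becomes an existence oracle for other users' data.
        obj = self._db.get(obj_id)
        if obj is None or not can_read(obj, user):
            raise ApiError(422, f"Object with _id {obj_id} not found.")
        return obj

    def list(self, user):                          # GET /api/buildings
        return [deepcopy(o) for o in self._db.values() if can_read(o, user)]

    def get(self, obj_id, user):                   # GET /api/buildings/:id
        return deepcopy(self._visible(obj_id, user))

    def search(self, query, user):                 # POST /api/buildings/search
        hits = [o for o in self.list(user) if all(o.get(k) == v for k, v in query.items())]
        # Assumption: a query keyed on an identity field that matches nothing the caller may
        # read is refused like GET on a hidden object, so search cannot probe other owners' ids.
        if not hits and ("_id" in query or "_owner" in query):
            raise ApiError(422, "No matching object found.")
        return hits

    def create(self, body, user):                  # POST /api/buildings
        if "_owner" in body or body.get("_id") in self._db:
            raise ApiError(422, "Body must not set _owner or reuse an existing _id.")
        obj = deepcopy(body)
        obj["_owner"] = user                       # owner comes from the session, never the body
        obj.setdefault("_id", f"{len(self._db) + 1:024x}")
        self._db[obj["_id"]] = obj
        return obj["_id"]

    def update(self, obj_id, body, user, replace=False):   # PUT (replace=True) / PATCH
        obj = self._visible(obj_id, user)
        if not can_write(obj, user):
            raise ApiError(422, "Write not permitted.")
        # _id and _owner are never writable through the API; _tags (the sharing rules) only by
        # the owner, so a delegate holding _write cannot widen or transfer its own grant.
        if body.get("_id", obj_id) != obj_id or "_owner" in body \
                or ("_tags" in body and obj["_owner"] != user):
            raise ApiError(422, "Protected field in body.")
        if replace:                                # PUT keeps the protected fields it may not change
            new = {k: obj[k] for k in ("_id", "_owner", "_tags") if k in obj}
            new.update(body)
            self._db[obj_id] = new
        else:
            obj.update(body)
        return {"status": "ok"}

    def delete(self, obj_id, user):                # DELETE /api/buildings/:id
        obj = self._visible(obj_id, user)
        if obj["_owner"] != user:                  # assumption: only the owner may delete
            raise ApiError(422, "Delete not permitted.")
        del self._db[obj_id]
        return {"status": "ok"}


def status_of(call):
    """Run an API call and return the HTTP status the scenarios assert on."""
    try:
        call()
        return 200
    except ApiError as err:
        return err.status
```

Two properties of this model are worth checking against any real implementation: GET, PUT, PATCH, DELETE and an `_id` search on an object the caller may not read all fail with the same status and body as they would for an object that does not exist, so no route leaks whether another user's `_id` is taken; and the write check and the protected-field check are separate steps, so granting `_write` to a delegate never lets that delegate rewrite `_tags` or `_owner`, which is exactly what the last scenario asserts.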

Last published almost 5 years ago by Bruno Le Hyaric.