router-authz.js revision b3ec0fd47cdcf8f64148a88ac62a7a68411c5c89
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2011-2012 ForgeRock AS. All rights reserved.
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*/
/*
* This script is called from the router "onRequest" trigger, to enforce a central
* set of authorization rules.
*
* This default implemention simply restricts requests via HTTP to users that are assigned
* an "openidm-admin" role, and optionally to those that authenticate with TLS mutual
* authentication (assigned an "openidm-cert" role).
*/
function isMyTask() {
}
function canUpdateTask() {
}
function isUserCandidateForTask(taskInstanceId) {
var userCandidateTasksQueryParams = {
"_queryId": "filtered-query",
};
var userCandidateTasks = openidm.query("workflow/taskinstance", userCandidateTasksQueryParams).result;
return true;
}
}
var roles = "";
if (i === 0) {
} else {
}
}
"_queryId": "filtered-query",
"taskCandidateGroup": roles
};
var userGroupCandidateTasks = openidm.query("workflow/taskinstance", userGroupCandidateTasksQueryParams).result;
return true;
}
}
return false;
}
function isAllowedToStartProcess() {
return isProcessOnUsersList(processDefinitionId);
}
function isOneOfMyWorkflows() {
return isProcessOnUsersList(processDefinitionId);
}
function isProcessOnUsersList(processDefinitionId) {
var processesForUserQueryParams = {
"_queryId": "query-processes-for-user",
};
var isProcessOneOfUserProcesses = false;
var processForUser = processesForUser[i];
isProcessOneOfUserProcesses = true;
}
}
return isProcessOneOfUserProcesses;
}
function isQueryOneOf(allowedQueries) {
if (
)
{
return true
}
return false;
}
function checkIfUIIsEnabled(param) {
var returnVal = false;
}
function ownDataOnly() {
var userId = "";
{
}
{
// something funny going on if we have two different values for userId
return false;
}
}
{
// something funny going on if we have two different values for userId
return false;
}
}
}
return true;
}
}
else { // this would be strange, but worth checking
return true; // true because they don't appear to be setting anything
}
// we could accept a csv list or an array of properties for the allowedPropertiesList arg.
if (typeof allowedPropertiesList === "string") {
}
if (request.method === "patch" || (request.method === "action" && request.params["_action"] === "patch")) {
// check each of the fields they are attempting to patch and make sure they are approved
for (i in params) {
if ((params[i].test && !containsIgnoreCase(allowedPropertiesList, params[i].test.replace(/^\//, ''))) ||
(params[i].replace && !containsIgnoreCase(allowedPropertiesList, params[i].replace.replace(/^\//, '')))) {
return false;
}
}
if (!currentUser || currentUser._id !== request.parent.security.userid.id) { // this would be odd, but just in case
return false;
}
for (i in params) {
// if the new value does not match the current value, then they must be updating it
// if the field they are attempting to update isn't allowed for them, then reject request.
return false;
}
}
for (i in params) {
// they should only be providing parameters that they are allowed to define
if (!containsIgnoreCase(allowedPropertiesList,i)) {
return false;
}
}
}
return true;
}
function disallowQueryExpression() {
return false;
}
return true;
}
//////// Do not alter functions below here as part of your authz configuration
// Check resource ID
// Check excludePatterns
var ex = false;
ex = true;
break;
}
}
if (ex) {
continue;
}
}
// Check roles
// Check method
// Check action
return true;
}
} else {
return true;
}
}
}
}
}
}
return false;
}
if (pattern == "*") {
// Accept all patterns
return true;
// pattern matches exactly
return true;
// Ends with "/*" or "/"
// See if parent pattern matches
if (id.length >= parentResource.length && id.substring(0, parentResource.length) == parentResource) {
return true
}
}
return false;
}
if (configItems == "*") {
return true;
}
return true;
}
}
return false
}
if (configItems == "*") {
return true;
}
}
function containsIgnoreCase(a, o) {
if (typeof(a) != 'undefined' && a != null) {
for (var i = 0; i <= a.length; i++) {
if (typeof(o) != 'undefined' && o != null) {
str1 = o.toLowerCase();
}
if (typeof(a[i]) != 'undefined' && a[i] != null) {
str2 = a[i].toLowerCase();
}
return true;
}
}
}
return false;
}
function contains(a, o) {
if (typeof(a) != 'undefined' && a != null) {
for (var i = 0; i <= a.length; i++) {
if (a[i] === o) {
return true;
}
}
}
return false;
}
function allow() {
return true;
}
var action = "";
}
// Check REST requests against the access configuration
return true;
}
}
}
// Load the access configuration script
if (!allow()) {
// java.lang.System.out.println(request);
throw {
"openidmCode" : 403,
"message" : "Access denied"
}
}