diff --git a/pkg/permission/permission.go b/pkg/permission/permission.go index 7a90e5079da08648cbdefe565d39f4d8b801a275..e08579e9c074470a80b8e2ecce3c1e62634b02f1 100644 --- a/pkg/permission/permission.go +++ b/pkg/permission/permission.go @@ -53,12 +53,6 @@ func (p Permission) RemoveFields(in map[string]interface{}) map[string]interface if in == nil { return nil } - out := make(map[string]interface{}) - for k, v := range in { - if data.Contains(k, p.UnallowedFields) { - continue - } - out[k] = v - } - return out + data.DeleteMany(p.UnallowedFields, in) + return in } diff --git a/pkg/permission/permission_test.go b/pkg/permission/permission_test.go new file mode 100644 index 0000000000000000000000000000000000000000..96f05ef5516a3028722d151a4de69280fc2e2dc1 --- /dev/null +++ b/pkg/permission/permission_test.go @@ -0,0 +1,60 @@ +package permission + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestPermission_RemoveFields(t *testing.T) { + + tests := []struct { + name string + unallowedFields []string + in map[string]interface{} + want map[string]interface{} + }{ + { + name: "nil", + in: nil, + want: nil, + }, + { + name: "empty", + in: map[string]interface{}{}, + want: map[string]interface{}{}, + }, + { + name: "empty unallowedFields", + in: map[string]interface{}{"f": "v"}, + want: map[string]interface{}{"f": "v"}, + unallowedFields: nil, + }, + { + name: "remove fields", + in: map[string]interface{}{"f": "v", "f1": "v"}, + want: map[string]interface{}{"f": "v"}, + unallowedFields: []string{"f1"}, + }, + { + name: "no fields", + in: map[string]interface{}{"f": "v", "f1": "v"}, + want: map[string]interface{}{"f": "v", "f1": "v"}, + unallowedFields: []string{"f2"}, + }, + { + name: "obj fields", + in: map[string]interface{}{"obj": map[string]interface{}{"f": "v", "f1": "v"}}, + want: map[string]interface{}{"obj": map[string]interface{}{"f": "v"}}, + unallowedFields: []string{"obj.f1"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := Permission{ + UnallowedFields: tt.unallowedFields, + } + assert.Equal(t, tt.want, p.RemoveFields(tt.in)) + }) + } +} diff --git a/pkg/permission/ruleset.go b/pkg/permission/ruleset.go index b9a84f3747223cf4139c905e3d65ebb9f4dea336..a915a055759b3185825820233b623eb0d4b21762 100644 --- a/pkg/permission/ruleset.go +++ b/pkg/permission/ruleset.go @@ -127,12 +127,14 @@ func (r Rule) GetPermission(action Action) *Permission { case ActionRead: p.Filter = r.ReadFilter p.UnallowedFields = append(p.UnallowedFields, r.HiddenFields...) - p.UnallowedFields = append(p.UnallowedFields, r.WriteonlyFields...) + p.UnallowedFields = append(p.UnallowedFields, data.Difference(r.WriteonlyFields, r.ReadonlyFields)...) case ActionCreate, ActionUpdate, ActionDelete: p.Filter = r.WriteFilter - p.UnallowedFields = append(p.UnallowedFields, r.ReadonlyFields...) + p.UnallowedFields = append(p.UnallowedFields, data.Difference(r.ReadonlyFields, r.WriteonlyFields)...) } + p.UnallowedFields = data.SetFromSlice(p.UnallowedFields) + return p } } diff --git a/pkg/permission/ruleset_test.go b/pkg/permission/ruleset_test.go index 47c1f07614b1d2edef196db6238adaf40b33e073..a05753844b25dcc3e0484b27384e89a39c7e26f5 100644 --- a/pkg/permission/ruleset_test.go +++ b/pkg/permission/ruleset_test.go @@ -49,3 +49,44 @@ func TestMerge(t *testing.T) { }) } } + +func TestRule_GetPermission(t *testing.T) { + tests := []struct { + name string + action Action + rule Rule + unallowedFields []string + want *Permission + }{ + { + name: "ActionRead", + action: ActionRead, + rule: Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f3"}}, + unallowedFields: []string{"f2", "f3"}, + }, + { + name: "ActionRead readonly&writeonly", + action: ActionRead, + rule: Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f1"}}, + unallowedFields: []string{"f2"}, + }, + { + name: "ActionUpdate", + action: ActionUpdate, + rule: Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f3"}}, + unallowedFields: []string{"f1"}, + }, + { + name: "ActionUpdate readonly&writeonly", + action: ActionUpdate, + rule: Rule{Actions: []Action{ActionRead, ActionUpdate}, ReadonlyFields: []string{"f1"}, HiddenFields: []string{"f2"}, WriteonlyFields: []string{"f1"}}, + unallowedFields: []string{}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + p := tt.rule.GetPermission(tt.action) + assert.ElementsMatch(t, tt.unallowedFields, p.UnallowedFields) + }) + } +}