Updates to post save permissions updates

makinde · makinde · commit 6601f1374cce · 2020-03-20T12:50:09.000-07:00
Previously, if you did a `find()` with permissions, then did a save on that doc with `{ authLevel: false }`, the resulting document would still have the original permissions and it would not reflect the latest data in the document. This change stores the query options used for the find query in the document at find time. Then, if you take an action that skips authz, the permissions in the doc will be recalculated using those original options.
diff --git a/index.js b/index.js
@@ -112,10 +112,17 @@ module.exports = (schema, installationOptions) => {
   // is to have arguments to the middleware function. If we have arguments, mongoose
   // assume we want to use a `next()` function. FML
   schema.pre('save', function preSave(next, options) {
-    // Embed the options into the doc so we have access to them in post save hooks
-    this[docOptionsSymbol] = options;
+    // If we don't have options saved in the doc already, put whatever options
+    // we have now in there. This way there are always options saved in the doc.
+    if (!this[docOptionsSymbol]) this[docOptionsSymbol] = options;
+
+    // If auth is disabled, don't store the options in the doc. This will leave options
+    // that have been stored when the doc was retrieved (if any).
     if (authIsDisabled(options)) { return next(); }
 
+    // Okay, we are not disabled, so definitely use these options going forward.
+    this[docOptionsSymbol] = options;
+
     return save(this, options)
       .then(() => next())
       .catch(next);
@@ -145,10 +152,26 @@ module.exports = (schema, installationOptions) => {
   });
   schema.post('find', async function postFind(docs) {
     if (authIsDisabled(this.options)) { return; }
+
+    // Store the options in the doc in case we do a write operation later on.
+    // If that write skips authz checks, it'll be able to use these options to
+    // recalculate permissions.
+    if (this.options && docs && docs.forEach) {
+      docs.forEach((doc) => { doc[docOptionsSymbol] = this.options; });
+    }
+
     await find(this, docs);
   });
   schema.post('findOne', async function postFindOne(doc) {
     if (authIsDisabled(this.options)) { return; }
+
+    // Store the options in the doc in case we do a write operation later on.
+    // If that write skips authz checks, it'll be able to use these options to
+    // recalculate permissions.
+    if (this.options && doc) {
+      doc[docOptionsSymbol] = this.options;
+    }
+
     await find(this, doc);
   });
   schema.pre('update', async function preUpdate() {
