is middleware or ( || ) operator not working #22

Open
erikkallen opened this issue Aug 29, 2018 · 11 comments

@erikkallen

In my application I have added multiple roles such as administrator, and I am trying to limit routes to specific roles as shown in the documentation:

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator || support || productionOwner)'])

However, only the first role is considered, and if I have a support role (in this example) I receive a forbidden error.

Looking at the code in the middleware (src/Middlewares/Is.js)

class Is {
  async handle ({ auth }, next, ...args) {
    let expression = args[0]
    if (Array.isArray(expression)) {
      expression = expression[0]
    }
    console.log("Expression ", args, expression)
    const is = await auth.user.is(expression)
    if (!is) {
      throw new ForbiddenException()
    }

    await next()
  }
}

I looked at the values passed, and it seems to me the method does not receive the expected input:

Expression [ [ '(administrator ' ] ] (administrator

To me it looks like the function expects something like 'administrator || support'.

Looking at the documentation of adonis middleware, it seems that the pipe operator is used for passing multiple middlewares: "Middleware uses the pipe expression to define props." This might have recently changed (I see no mention of the pipe syntax in the adonis 3.2 docs).

I would like to know if I am missing something obvious. If not, my guess is that the passing of operators has to be changed to text versions like 'or' and 'and'.

erikkallen pushed a commit to erikkallen/adonis-acl that referenced this issue Aug 29, 2018
@erikkallen
Author

I have created a pull request with a possible fix/workaround.

@cmelgarejo

No need for a workaround, just an update to the README.md. Feel free to merge #24 or just use @erikkallen's PR when he corrects the README.md too. 👍

@gideaoms

gideaoms commented Feb 5, 2019

This way solves this problem:

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

@AndreCosta101

This way solves this problem:

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

It works!! Many thanks!

@ajkal5

ajkal5 commented May 24, 2020

Hi Erik Kallen,

I have tried with || and or, for both I get Invalid Expression when I test from PostMan.

Route.resource('/permissions', 'PermissionController').apiOnly().middleware(['auth', 'is:(administrator or moderator)'])

Any suggestions with changes?

Thanks

Ajay K

@erikkallen
Author

erikkallen commented May 24, 2020 via email

@ajkal5

ajkal5 commented May 24, 2020

Erik,

I have changed to:

Route.resource('/roles', 'RoleController').apiOnly().middleware(['auth:jwt', 'is:(administrator || moderator)'])

Still same issue.

Thanks

Ajay K

@erikkallen
Author

erikkallen commented May 24, 2020 via email

@ajkal5

ajkal5 commented May 24, 2020

Hi Erik,

Yes, it finally works.

Thanks

Ajay K

@Kledenai

Kledenai commented Sep 6, 2020

This way solves this problem:

Route.post('/device/:id/upload', 'DeviceController.upload')
  .middleware(['auth:jwt', 'is:(administrator or support or productionOwner)'])

owwwwwwwwww mannn thanks thanks thanks mann ahhhhhhhh!!!

saved me a really big time 😆

@ewchow

ewchow commented May 1, 2024

In case anyone is interested in knowing why |s get stripped from middleware arguments (at least up to v5):
In @adonisjs/http-server, a package called @poppinss/haye supplies a parsing function called Pipe that parses named middleware. It looks for delimiters like : to get the middleware args. Here is where it matches for |s, and I'm guessing the intention is that middleware can be supplied as "auth:web|is:admin" or something like that.
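
Added example, not part of the thread and not the @poppinss/haye source: a simplified model of a pipe-delimited middleware parser that reproduces the truncated argument reported above, plus a check that flags `is:` expressions which would not reach the middleware intact. The names parsePipe, balanced and auditRouteMiddleware, and the `,` argument separator, are assumptions made for illustration.

```javascript
// Simplified model of a pipe-style middleware parser. This is an assumption for
// illustration, NOT the @poppinss/haye source: '|' separates middleware entries,
// ':' separates the name from its args, ',' separates args.
function parsePipe(definition) {
  return definition
    .split('|')
    .filter((part) => part.trim() !== '')
    .map((part) => {
      const idx = part.indexOf(':')
      if (idx === -1) return { name: part.trim(), args: [] }
      return { name: part.slice(0, idx).trim(), args: part.slice(idx + 1).split(',') }
    })
}

// True when every '(' has a matching ')'.
function balanced(expr) {
  let depth = 0
  for (const ch of expr) {
    if (ch === '(') depth++
    if (ch === ')' && --depth < 0) return false
  }
  return depth === 0
}

// Hypothetical startup check: report ACL middleware whose expression would not
// reach the middleware intact (cut at '|' or ',', or left with unbalanced parens).
function auditRouteMiddleware(definitions, aclNames = ['is']) {
  const findings = []
  for (const def of definitions) {
    const colon = def.indexOf(':')
    if (colon === -1 || !aclNames.includes(def.slice(0, colon).trim())) continue
    const written = def.slice(colon + 1)
    const received = parsePipe(def)[0].args[0]
    if (received !== written || !balanced(received)) {
      findings.push({ definition: def, received })
    }
  }
  return findings
}

// Constructed sample: the route middleware strings quoted in this thread.
const sample = [
  'auth:jwt',
  'is:(administrator || support || productionOwner)',
  'is:(administrator or support or productionOwner)'
]
console.log(auditRouteMiddleware(sample))
```

Running such a check over the route table at boot or in CI surfaces a role expression that the parser has cut short before it shows up as an unexpected 403 or an "Invalid Expression" error at request time.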
