diff --git a/packages/backend/src/services/ProtectedAppService.js b/packages/backend/src/services/ProtectedAppService.js index a1a68e4ff..6628dd9e1 100644 --- a/packages/backend/src/services/ProtectedAppService.js +++ b/packages/backend/src/services/ProtectedAppService.js @@ -1,12 +1,28 @@ const { get_app } = require("../helpers"); const { UserActorType } = require("./auth/Actor"); -const { PermissionImplicator, PermissionUtil } = require("./auth/PermissionService"); +const { PermissionImplicator, PermissionUtil, PermissionRewriter } = require("./auth/PermissionService"); const BaseService = require("./BaseService"); class ProtectedAppService extends BaseService { async _init () { const svc_permission = this.services.get('permission'); + svc_permission.register_rewriter(PermissionRewriter.create({ + matcher: permission => { + if ( ! permission.startsWith('app:') ) return false; + const [_, specifier] = PermissionUtil.split(permission); + if ( specifier.startsWith('uid#') ) return false; + return true; + }, + rewriter: async permission => { + const [_1, name, ...rest] = PermissionUtil.split(permission); + const app = await get_app({ name }); + return PermissionUtil.join( + _1, `uid#${app.uid}`, ...rest, + ); + }, + })); + // track: object description in comment // Owner of procted app has implicit permission to access it svc_permission.register_implicator(PermissionImplicator.create({