Merge pull request formio#2141 from formio/bugfix/user-permissions

travist · web-flow · commit 89398dd879c0 · 2019-12-03T15:08:07.000-06:00
Fixed userPermissions function not taking into account Group Permissions
diff --git a/Changelog.md b/Changelog.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [Unreleased]
+### Fixed
+ - ```userPermissions``` function not taking into account Group Permissions
+
 ## 4.8.0-beta.5
 ### Fixed
  - Problem where the accordion parent names are incorrect.
diff --git a/src/Formio.js b/src/Formio.js
@@ -11,6 +11,8 @@ import _intersection from 'lodash/intersection';
 import _get from 'lodash/get';
 import _cloneDeep from 'lodash/cloneDeep';
 import _defaults from 'lodash/defaults';
+import { eachComponent } from './utils/utils';
+
 const { fetch, Headers } = fetchPonyfill({
   Promise: NativePromise
 });
@@ -558,10 +560,12 @@ export default class Formio {
     return NativePromise.all([
       (form !== undefined) ? NativePromise.resolve(form) : this.loadForm(),
       (user !== undefined) ? NativePromise.resolve(user) : this.currentUser(),
+      (submission !== undefined) ? NativePromise.resolve(submission) : this.loadSubmission(),
       this.accessInfo()
     ]).then((results) => {
       const form = results.shift();
       const user = results.shift() || { _id: false, roles: [] };
+      const submission = results.shift();
       const access = results.shift();
       const permMap = {
         create: 'create',
@@ -605,6 +609,39 @@ export default class Formio {
           }
         }
       }
+      // check for Group Permissions
+      if (submission) {
+        // we would anyway need to loop through components for create permission, so we'll do that for all of them
+        eachComponent(form.components, (component, path) => {
+          if (component && component.defaultPermission) {
+            // we assume that there might be only single value of group component
+            const value = _get(submission.data, path);
+            if (
+              value && value._id && // group id is present
+              user.roles.indexOf(value._id) > -1 // user has group id in his roles
+            ) {
+              if (component.defaultPermission === 'read') {
+                perms[permMap.read] = true;
+              }
+              if (component.defaultPermission === 'create') {
+                perms[permMap.create] = true;
+                perms[permMap.read] = true;
+              }
+              if (component.defaultPermission === 'write') {
+                perms[permMap.create] = true;
+                perms[permMap.read] = true;
+                perms[permMap.update] = true;
+              }
+              if (component.defaultPermission === 'admin') {
+                perms[permMap.create] = true;
+                perms[permMap.read] = true;
+                perms[permMap.update] = true;
+                perms[permMap.delete] = true;
+              }
+            }
+          }
+        });
+      }
       return perms;
     });
   }
