'use strict'; var actionUtil = require('sails/lib/hooks/blueprints/actionUtil'); var _ = require('lodash'); /** * Policy to limit GET /project results to just contain those projects that current * user has access to. * * @param {Request} request Request object * @param {Response} response Response object * @param {Function} next Callback function * * @returns {*} */ module.exports = function(request, response, next) { sails.log.verbose(' POLICY - ' + __filename); // Parse where criteria var where = actionUtil.parseCriteria(request); sails.models['projectuser'] .find() .where({user: request.token}) .populate('project') .then( function(projectUsers) { // Determine valid project ids var validIds = _.map(projectUsers, function(projectUser) { return parseInt(projectUser.project.id, 10); }); // We have id condition set so we need to check if that / those are allowed if (where.id) { // Normalize current ids var currentIds = _.map((!_.isArray(where.id)) ? [where.id] : where.id, function(id) { return parseInt(id, 10); }); // Remove not valid ids where.id = _.intersection(currentIds, validIds); } else { // Otherwise just add id collection to where query where.id = validIds; } // There is no "valid" ids so we need to send 404 back to client if (_.isEmpty(where.id)) { var error = { status: 404 }; return response.negotiate(error); } // Remove existing query delete request.query; // Set new query to request, that blueprints will use after this request.query = { where: where }; return next(); } ) .catch(function(error) { return response.negotiate(error); }); };