For multiple users return the intersection of actions on child actions

adobe · Jan 24, 2025 · 4184a2c · 4184a2c
1 parent e20c4d2
commit 4184a2c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/src/utils/auth.js b/src/utils/auth.js
@@ -252,14 +252,24 @@ export function getChildRules(daCtx) {
   const pd = daCtx.key.endsWith('/') ? daCtx.key : daCtx.key.concat('/');
   const probeDir = pd.startsWith('/') ? pd : '/'.concat(pd);
   const probeKey = probeDir.concat('acl.probe');
-  const allActions = new Set();
+  const actionSets = [];
   for (const u of daCtx.users) {
     const { actions } = getUserActions(daCtx.aclCtx.pathLookup, u, probeKey);
-    actions.forEach((a) => allActions.add(a));
+    actionSets.push(actions);
+  }
+
+  let resultSet;
+  if (actionSets.length === 0) {
+    resultSet = new Set();
+  } else {
+    resultSet = actionSets.shift();
+    for (const as of actionSets) {
+      resultSet = resultSet.intersection(as);
+    }
   }
 
   // eslint-disable-next-line no-param-reassign
-  daCtx.aclCtx.childRules = [`${probeDir}**=${[...allActions].join(',')}`];
+  daCtx.aclCtx.childRules = [`${probeDir}**=${[...resultSet].join(',')}`];
 }
 
 export function hasPermission(daCtx, path, action, keywordPath = false) {

diff --git a/test/utils/auth.test.js b/test/utils/auth.test.js
@@ -587,10 +587,12 @@ describe('DA auth', () => {
       {path: '/blah/haha', actions: ['read']},
       {path: '/blah/hoho/**', actions: ['read']},
       {path: '/blah/hoho/hihi', actions: ['read']},
+      {path: '/hello/+**', actions: ['read','write']},
     ]);
     pathLookup.set('ABCDEF', [
       {path: '/blah/hohoho', actions: ['read']},
       {path: '/blah/+**', actions: ['read']},
+      {path: '/hello/+**', actions: ['read']},
     ]);
     pathLookup.forEach((value) => value.sort(pathSorter));
 
@@ -632,6 +634,13 @@ describe('DA auth', () => {
     getChildRules(daCtx3);
     const rules6 = daCtx3.aclCtx.childRules;
     assert.strictEqual(1, rules6.length);
-    assert(rules6[0] === '/blah/**=read,write' || rules6[0] === '/blah/**=write,read');
+    assert.strictEqual('/blah/**=', rules6[0]);
+
+    delete daCtx.aclCtx.childRules;
+    const daCtx4 = { users, aclCtx, key: '/hello' };
+    getChildRules(daCtx4);
+    const rules7 = daCtx4.aclCtx.childRules;
+    assert.strictEqual(1, rules7.length);
+    assert.strictEqual('/hello/**=read', rules7[0]);
   });
 });