Support populate blueprints

api/policies/CriteriaPolicy.js

@@ -32,11 +32,13 @@ module.exports = function(req, res, next) {
   // set up response filters if we are not mutating an existing object
   if (!_.contains(['update', 'delete'], action)) {
 
+    var checkPermissions = req.options.action === 'populate' ? req.populatePermissions : req.permissions;
+
     // get all of the where clauses and blacklists into one flat array
     // if a permission has no criteria then it is always true
     var criteria = _.compact(_.flatten(
       _.map(
-        _.pluck(permissions, 'criteria'),
+        _.pluck(checkPermissions, 'criteria'),
         function(c) {
           if (c.length == 0) {
             return [{where: {}}];

api/policies/ModelPolicy.js

@@ -11,34 +11,69 @@ function parseModel (req) {
 /**
  * Query the Model that is being acted upon, and set it on the req object.
  */
+
+var Promise = require('bluebird');
+
 module.exports = function ModelPolicy (req, res, next) {
-  var modelCache = sails.hooks.permissions._modelCache;
-  req.options.modelIdentity = parseModel(req);
 
-  if (_.isEmpty(req.options.modelIdentity)) {
-    return next();
+  var promiseAry = [];
+
+  var modelPromise = genModelPromise(req.options.model)
+  .then(function(model) {
+    if (!model) {
+      req.options.unknownModel = true;
+    }
+    req.options.modelDefinition = sails.models[model.identity];
+    req.model = model;
+  });
+  promiseAry.push(modelPromise);
+
+  if (req.options.action === 'populate') {
+    var assoc = _.find(req.options.associations,{alias: req.options.alias})
+    var modelName = assoc[assoc.type];
+    var model = sails.models[assoc[assoc.type]];
+
+    var populateModelPromise = genModelPromise(modelName)
+    .then(function(model) {
+      if (!model) {
+        req.options.unknownPopulateModel = true;
+      }
+      req.options.populateModelDefinition = sails.models[model.identity];
+      req.populateModel = model;
+    });
+    promiseAry.push(populateModelPromise);
+
   }
 
-  req.options.modelDefinition = sails.models[req.options.modelIdentity];
-  req.model = modelCache[req.options.modelIdentity];
+  Promise.all(promiseAry)
+  .nodeify(next);
 
-  if (_.isObject(req.model) && !_.isNull(req.model.id)) {
-    return next();
+};
+
+
+var genModelPromise = function(reqModel) {
+
+  var modelCache = sails.hooks['sails-permissions']._modelCache;
+  var model = modelCache[reqModel];
+
+  if (_.isObject(model) && !_.isUndefined(model.id)) {
+    return Promise.resolve(model);
   }
 
-  sails.log.warn('Model [', req.options.modelIdentity, '] not found in model cache');
+  sails.log.warn('Model [', model, '] not found in model cache');
 
   // if the model is not found in the cache for some reason, get it from the database
-  Model.findOne({ identity: req.options.modelIdentity })
+  return Model.findOne({ identity: reqModel})
     .then(function (model) {
       if (!_.isObject(model)) {
-        req.options.unknownModel = true;
 
-        model = sails.models[req.options.modelIdentity];
+        if (!sails.config.permissions.allowUnknownModelDefinition) {
+          throw new Error('Model definition not found: '+ reqModel);
+        }
+        else {
+          model = sails.models[reqModel];
+        }
       }
-
-      req.model = model;
-      next();
+      return model;
     })
-    .catch(next);
 };

api/policies/PermissionPolicy.js

@@ -29,7 +29,9 @@ module.exports = function (req, res, next) {
     return next();
   }
 
-  PermissionService
+  var promiseAry = [];
+
+  var modelPromise = PermissionService
     .findModelPermissions(options)
     .then(function (permissions) {
       sails.log.silly('PermissionPolicy:', permissions.length, 'permissions grant',
@@ -41,6 +43,39 @@ module.exports = function (req, res, next) {
 
       req.permissions = permissions;
 
-      next();
     });
+
+  promiseAry.push(modelPromise);
+
+  // If the request action is populate also grab permissions for the model to be populated
+  if (req.options.action === 'populate') {
+
+    var populatePromise = PermissionService
+      .findModelPermissions(_.merge(req.options,{
+        model: req.populateModel,
+        user: options.user
+      }))
+      .then(function (permissions) {
+        sails.log.silly('PermissionPolicy:', permissions.length, 'permissions grant',
+            PermissionService.getAction(options), 'on', req.populateModel.name, 'for', req.user.username);
+
+        if (!permissions || permissions.length === 0) {
+          throw new Error(PermissionService.getErrorMessage(options));
+        }
+
+        req.populatePermissions = permissions;
+
+      });
+
+      promiseAry.push(populatePromise);
+
+  }
+
+  Promise.all(promiseAry)
+  .then(function() {
+    next();
+  })
+  .catch(function(e) {
+    return res.badRequest({error: e.message});
+  });
 };

api/services/ModelService.js

@@ -8,7 +8,9 @@ module.exports = {
   getTargetModelName: function (req) {
     // TODO there has to be a more sails-y way to do this without including
     // external modules
-    if (_.isString(req.options.alias)) {
+    //
+    // TODO if action is 'add' or 'remove' check to see if the user has read access on the relation
+    if (_.isString(req.options.alias) && !_.contains(['add','remove','populate'],req.options.action) ) {
       sails.log.silly('singularizing', req.options.alias, 'to use as target model');
       return pluralize.singular(req.options.alias);
     } else if (_.isString(req.options.model)) {