fix(mongoose): makes sure abilityConditions does not override existin…

…g `$and` conditions Fixes stalniy#272
m-weeks · Mar 13, 2020 · 4a5cbcf · 4a5cbcf
1 parent d471aa0
commit 4a5cbcf
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/packages/casl-mongoose/package.json b/packages/casl-mongoose/package.json
@@ -14,7 +14,7 @@
   },
   "homepage": "https://stalniy.github.io/casl/",
   "scripts": {
-    "build": "BUILD_TYPES=es6,umd:cjs rollup -c ../../tools/rollup.config.js -e @casl/ability/extra",
+    "build": "BUILD_TYPES=es6,umd:cjs rollup -c ../../tools/rollup.config.js -e @casl/ability/extra,mongoose",
     "lint": "eslint src/",
     "test": "NODE_ENV=test jest --config ../../tools/jest.config.js --env node",
     "prerelease": "npm test && NODE_ENV=production npm run build",

diff --git a/packages/casl-mongoose/spec/accessible_records.spec.js b/packages/casl-mongoose/spec/accessible_records.spec.js
@@ -51,11 +51,11 @@ describe('Accessible Records Plugin', () => {
       expect(ability.rulesFor).to.have.been.called.with.exactly('delete', Post.modelName)
     })
 
-    it('calls `where` method of the query', () => {
-      spy.on(Post, 'where')
-      Post.accessibleBy(ability)
+    it('does not change query return type', () => {
+      const originalType = Post.findById(1).op
+      const type = Post.findById(1).accessibleBy(ability).op
 
-      expect(Post.where).to.be.called()
+      expect(type).to.equal(originalType)
     })
 
     it('wraps `toMongoQuery` result with additional `$and` to prevent collisions when combined with `$or` query', () => {
@@ -66,11 +66,15 @@ describe('Accessible Records Plugin', () => {
       expect(Post.where).to.be.called.with.exactly({ $and: [query] })
     })
 
-    it('does not change query return type', () => {
-      const originalType = Post.findById(1).op
-      const type = Post.findById(1).accessibleBy(ability).op
+    it('properly merges `toMongoQuery` result with existing in query `$and` conditions', () => {
+      const existingConditions = [{ prop: true }, { anotherProp: false }]
+      const query = Post.find({ $and: existingConditions })
+      const conditions = query.accessibleBy(ability).getQuery()
 
-      expect(type).to.equal(originalType)
+      expect(conditions.$and).to.eql([
+        ...existingConditions,
+        toMongoQuery(ability, 'Post')
+      ])
     })
 
     describe('when ability disallow to perform an action', () => {

diff --git a/packages/casl-mongoose/src/accessible_records.js b/packages/casl-mongoose/src/accessible_records.js
@@ -1,3 +1,4 @@
+import { Query } from 'mongoose';
 import { toMongoQuery } from './mongo';
 
 const DENY_CONDITION_NAME = '__forbiddenByCasl__';
@@ -32,7 +33,11 @@ function emptyQuery(query) {
 function accessibleBy(ability, action) {
   const query = toMongoQuery(ability, this.modelName || this.model.modelName, action);
 
-  return query === null ? emptyQuery(this.where()) : this.where({ $and: [query] });
+  if (query === null) {
+    return emptyQuery(this.where());
+  }
+
+  return this instanceof Query ? this.and([query]) : this.where({ $and: [query] });
 }
 
 export function accessibleRecordsPlugin(schema) {