From b7e2d9c1271a63900a5e184c3defb2ea9e1064cd Mon Sep 17 00:00:00 2001
From: Mitja Zivkovic
Date: Wed, 27 Feb 2019 10:24:52 +0100
Subject: [PATCH] upd(system): check service grant permission on read and list
---
 system/service/permissions.go | 22 +++++++++++++++++++---
 system/service/permissions_test.go | 14 ++++++++++++--
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/system/service/permissions.go b/system/service/permissions.go
index 22166efc5..f9caa237d 100644
--- a/system/service/permissions.go
+++ b/system/service/permissions.go
@@ -53,8 +53,11 @@ func (p *permissions) With(ctx context.Context) PermissionsService {
 func (p *permissions) List() (interface{}, error) {
 perms := []types.Permission{}
 for resource, operations := range permissionList {
- for ops := range operations {
- perms = append(perms, types.Permission{Resource: resource, Operation: ops})
+ err := p.checkServiceAccess(resource)
+ if err == nil {
+ for ops := range operations {
+ perms = append(perms, types.Permission{Resource: resource, Operation: ops})
+ }
 }
 }
 return perms, nil
@@ -65,7 +68,20 @@ func (p *permissions) Check(resource string, operation string) rules.Access {
 }
 
 func (p *permissions) Read(roleID uint64) (interface{}, error) {
- return p.resources.Read(roleID)
+ ret, err := p.resources.Read(roleID)
+ if err != nil {
+ return nil, err
+ }
+
+ // Only display rules under granted scopes.
+ rules := []rules.Rule{}
+ for _, rule := range ret {
+ err = p.checkServiceAccess(rule.Resource)
+ if err == nil {
+ rules = append(rules, rule)
+ }
+ }
+ return rules, nil
 }
 
 func (p *permissions) Update(roleID uint64, rules []rules.Rule) (interface{}, error) {
diff --git a/system/service/permissions_test.go b/system/service/permissions_test.go
index ceab22040..e6302b2bc 100644
--- a/system/service/permissions_test.go
+++ b/system/service/permissions_test.go
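Review bot: The result of `p.checkServiceAccess(resource)` is reduced to a yes/no by the `err == nil` test, so any error that is not an access denial (a failed lookup, for instance — checkServiceAccess itself is not visible here) silently drops that resource from the listing while List still reports nil error; the Read hunk below has the same pattern. If the helper can only ever return a denial, a comment on the check would settle it: `// checkServiceAccess fails only when the caller lacks the grant; nothing else to surface.` Otherwise a sentinel for the denial, with every other error returned to the caller, keeps a transient failure from looking like a narrower permission set. As a matter of style, `if err := p.checkServiceAccess(resource); err == nil {` scopes err to the iteration instead of leaving a per-loop variable in the enclosing block. List's closing brace lies outside the hunk.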
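Review bot: `rules := []rules.Rule{}` shadows the imported `rules` package for the remainder of Read; it compiles only because the package is not referenced again after that line, and the next change that needs `rules.Rule` or `rules.Access` inside the function will fail to build. Rename the local, e.g. `granted := make([]rules.Rule, 0, len(ret))`, `granted = append(granted, rule)` and `return granted, nil`. The loop also reuses the `err` from `p.resources.Read(roleID)`; `if err := p.checkServiceAccess(rule.Resource); err == nil {` keeps the two results apart and avoids the silent-drop behaviour described for the List hunk. The filter narrows what a caller can see, but as the subject line says only read and list are covered; whether Update applies the same scope check is outside this hunk, and Update's body is not in view.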
@@ -74,6 +74,16 @@ func TestPermission(t *testing.T) {
 NoError(t, err, "expected no error, got %v", err)
 }
 
+ // List possible permissions with `messaging` and `system` grants.
+ {
+ ret, err := permissionSvc.List()
+ NoError(t, err, "expected no error, got %v", err)
+
+ perms := ret.([]types.Permission)
+
+ Assert(t, len(perms) > 0, "expected len(rules) > 0, got %v", len(perms))
+ }
+
 // Update rules for test role.
 {
 list := []rules.Rule{
@@ -141,13 +151,13 @@ func TestPermission(t *testing.T) {
 Assert(t, len(rules) == 0, "expected len(rules) == 0, got %v", len(rules))
 }
 
- // List defined permissions.
+ // List possible permissions with no grants.
 {
 ret, err := permissionSvc.List()
 NoError(t, err, "expected no error, got %v", err)
 
 perms := ret.([]types.Permission)
- Assert(t, len(perms) > 0, "expected len(rules) > 0, got %v", len(perms))
+ Assert(t, len(perms) == 0, "expected len(rules) == 0, got %v", len(perms))
 }
 }
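Review bot: The new block under `messaging` and `system` grants only asserts `len(perms) > 0`, which the unfiltered List satisfied as well, so it does not show that resources outside the granted scopes are excluded; only the no-grants block at the end pins the filter, and that one passes trivially if the check rejects everything. Add a per-element assertion inside a loop over perms, e.g. `Assert(t, perm.Resource == "messaging" || perm.Resource == "system", "unexpected resource %q", perm.Resource)`, with the exact resource identifiers taken from permissionList, which is outside this hunk. The Read filtering introduced by the same commit gets no coverage in these hunks as far as I can see, and the copied failure message still says `len(rules)` where the variable is perms. The enclosing TestPermission starts before the first hunk.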