Includes function in ACL condition

问题

I have an asset called MedicalFile which contains a reference to an organization. The participant HealthCareProfessional also belongs to an organization.

Now I'd like to define an ACL rule which limits the health care professional to only view medical files which MedicalFile's are connected to his organisation.

I came up with the following rule:

rule OrganisationMedicalFilePermission {
    description: "An organisation may updates a medical file which they have permission from"
    participant(h): "nl.epd.blockchain.HealthCareProfessional"
    operation: ALL
    resource(m): "nl.epd.blockchain.MedicalFile"
    condition: (m.organisations.includes(h.organisation))
    action: ALLOW

}

This results in an empty array once I invoke the RESTful API with Loopback. I'm authenticated as a health care professional.

Assets & Participant:

asset Organisation identified by id {
      o String id
      o String name
      o String city
      o String zipCode
      o String street
      o String houseNumber
      o String houseNumberExtra optional
      o OrganisationType organisationType
}

asset MedicalFile identified by bsn {
  o String                 bsn
  --> Patient              owner
  --> Patient[]            mentors optional
  --> Organisation[]       organisations optional
  o Visit[]                visits optional
  o String[]               allergies optional
  o Treatment[]            treatments optional
  o Medicine[]             medicine optional
}

participant HealthCareProfessional identified by bsn {
  o String bsn
  o String firstName
  o String namePrefix optional
  o String lastName
  --> Organisation organisation
}

My question is if it's possible to create a condition which validates this problem. If not, what are my options?

回答1:

It's a good question; there's an updated ACL below that I've tested using the online playground.

This is the updated rule:

rule LimitAccess {
   description: "An organisation may updates a medical file which they have permission from"
   participant(h): "nl.epd.blockchain.HealthCareProfessional"
   operation: ALL
   resource(m): "nl.epd.blockchain.MedicalFile"
   condition: (
     m.organisations.some(function (organisation) {
        return organisation.getIdentifier() === h.organisation.getIdentifier();  
        } )
   )
   action: ALLOW
}

The some function is the critical piece here to scan the array of relationships. Also note the use of the getIdentifier() function as well rather than trying to access the identifier directly.

来源：https://stackoverflow.com/questions/44459155/includes-function-in-acl-condition