From 4dcf256371206eca990ad4f5083af555160a9ec7 Mon Sep 17 00:00:00 2001
From: kirrg001
Date: Fri, 12 Oct 2018 20:02:08 +0200
Subject: [PATCH] Added ability to define permission identifier refs #9866
- by default it used `options.id`, which tells the permission layer the target id
- but some controllers want to use a different identifier
- e.g. settings -> settings.key
- e.g. password changes -> password[0].user_id
---
 core/server/api/v2/utils/permissions.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/core/server/api/v2/utils/permissions.js b/core/server/api/v2/utils/permissions.js
index 6832b24ada..2d6d4ba620 100644
--- a/core/server/api/v2/utils/permissions.js
+++ b/core/server/api/v2/utils/permissions.js
@@ -9,8 +9,14 @@ const nonePublicAuth = (apiConfig, frame) => {
 const singular = apiConfig.docName.replace(/s$/, '');
- let unsafeAttrObject = apiConfig.unsafeAttrs && _.has(frame, `data.[${apiConfig.docName}][0]`) ? _.pick(frame.data[apiConfig.docName][0], apiConfig.unsafeAttrs) : {},
- permsPromise = permissions.canThis(frame.options.context)[apiConfig.method][singular](frame.options.id, unsafeAttrObject);
+ let permissionIdentifier = frame.options.id;
+
+ if (apiConfig.permissionIdentifier) {
+ permissionIdentifier = apiConfig.permissionIdentifier(frame);
+ }
+
+ const unsafeAttrObject = apiConfig.unsafeAttrs && _.has(frame, `data.[${apiConfig.docName}][0]`) ? _.pick(frame.data[apiConfig.docName][0], apiConfig.unsafeAttrs) : {};
+ const permsPromise = permissions.canThis(frame.options.context)[apiConfig.method][singular](permissionIdentifier, unsafeAttrObject);
 return permsPromise.then((result) => {
 /*
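Review bot: The value returned by `apiConfig.permissionIdentifier(frame)` goes straight into the permission check unvalidated, and per the commit message it can be read from the request body (`password[0].user_id`). If the callback returns `undefined` for a malformed body, the check runs with no target id; how `canThis` treats a missing id is not visible here, but it may be evaluated as a generic rather than a per-object check, so consider failing closed when a controller defines the callback and it yields a nullish value. The truthiness test would also be tighter as `if (typeof apiConfig.permissionIdentifier === 'function') {`, and a comment such as `// must return the same id the controller later acts on, otherwise the permission check and the action can diverge` would document the contract. The body of `nonePublicAuth` continues outside the hunk.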