Pode

2.9.0

Private/Access.ps1

                                function Get-PodeAccessMiddlewareScript {

    return {

        param($opts)

        if ($null -eq $WebEvent.Auth) {

            Set-PodeResponseStatus -Code 403

            return $false

        }

        # test access

        $WebEvent.Auth.IsAuthorised = Invoke-PodeAccessValidation -Name $opts.Name

        # 403 if unauthorised

        if (!$WebEvent.Auth.IsAuthorised) {

            Set-PodeResponseStatus -Code 403

        }

        # run next middleware or stop?

        return $WebEvent.Auth.IsAuthorised

    }

}

function Invoke-PodeAccessValidation {

    param(

        [Parameter(Mandatory = $true)]

        [string]

        $Name

    )

    # get the access method

    $access = $PodeContext.Server.Authorisations.Methods[$Name]

    # if it's a merged access, re-call this function and check against "succeed" value

    if ($access.Merged) {

        foreach ($accName in $access.Access) {

            $result = Invoke-PodeAccessValidation -Name $accName

            # if the access passed, and we only need one access to pass, return true

            if ($result -and $access.PassOne) {

                return $true

            }

            # if the access failed, but we need all to pass, return false

            if (!$result -and !$access.PassOne) {

                return $false

            }

        }

        # if the last access failed, and we only need one access to pass, return false

        if (!$result -and $access.PassOne) {

            return $false

        }

        # if the last access succeeded, and we need all to pass, return true

        if ($result -and !$access.PassOne) {

            return $true

        }

        # default failure

        return $false

    }

    # main access validation logic

    return (Test-PodeAccessRoute -Name $Name)

}