src/routes/users.js

'use strict';

exports = module.exports = {
    get,
    update,
    list,
    create,
    del,
    changePassword,
    verifyPassword,
    createInvite,
    sendInvite,
    setGroups,
    makeOwner,

    disableTwoFactorAuthentication,

    load
};

const assert = require('assert'),
    auditSource = require('../auditsource.js'),
    BoxError = require('../boxerror.js'),
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    safe = require('safetydance'),
    users = require('../users.js');

function load(req, res, next) {
    assert.strictEqual(typeof req.params.userId, 'string');

    users.get(req.params.userId, function (error, result) {
        if (error) return next(BoxError.toHttpError(error));

        req.resource = result;

        next();
    });
}

function create(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
    if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be string'));
    if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
    if ('password' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));
    if ('role' in req.body) {
        if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be string'));
        if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
    }

    var password = req.body.password || null;
    var email = req.body.email;
    var username = 'username' in req.body ? req.body.username : null;
    var displayName = req.body.displayName || '';

    users.create(username, password, email, displayName, { invitor: req.user, role: req.body.role || users.ROLE_USER }, auditSource.fromRequest(req), function (error, user) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(201, users.removePrivateFields(user)));
    });
}

function update(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
    if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
    if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
    if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a string'));

    if ('role' in req.body) {
        if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
        if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));

        if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
    }

    if ('active' in req.body) {
        if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
        if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
    }

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));

    users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(204));
    });
}

function list(req, res, next) {
    var page = typeof req.query.page !== 'undefined' ? parseInt(req.query.page) : 1;
    if (!page || page < 0) return next(new HttpError(400, 'page query param has to be a postive number'));

    var perPage = typeof req.query.per_page !== 'undefined'? parseInt(req.query.per_page) : 25;
    if (!perPage || perPage < 0) return next(new HttpError(400, 'per_page query param has to be a postive number'));

    if (req.query.search && typeof req.query.search !== 'string') return next(new HttpError(400, 'search must be a string'));

    users.getAllPaged(req.query.search || null, page, perPage, function (error, results) {
        if (error) return next(BoxError.toHttpError(error));

        results = results.map(users.removeRestrictedFields);

        next(new HttpSuccess(200, { users: results }));
    });
}

function get(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');
    assert.strictEqual(typeof req.user, 'object');

    next(new HttpSuccess(200, users.removePrivateFields(req.resource)));
}

async function del(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (req.user.id === req.resource.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));
    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error] = await safe(users.del(req.resource, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

function verifyPassword(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));

    users.verifyWithUsername(req.user.username, req.body.password, users.AP_WEBADMIN, function (error) {
        if (error) return next(BoxError.toHttpError(error));

        req.body.password = '<redacted>'; // this will prevent logs from displaying plain text password

        next();
    });
}

function createInvite(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    users.createInvite(req.resource, function (error, result) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(200, result));
    });
}

function disableTwoFactorAuthentication(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    users.disableTwoFactorAuthentication(req.resource.id, function (error, result) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(200, result));
    });
}

function sendInvite(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    users.sendInvite(req.resource, { invitor: req.user }, function (error) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(200, { }));
    });
}

async function setGroups(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.resource, 'object');

    if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error] = await safe(users.setMembership(req.resource, req.body.groupIds));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

function changePassword(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.resource, 'object');

    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a string'));
    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    users.setPassword(req.resource, req.body.password, function (error) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(204));
    });
}

// This route transfers ownership from token user to user specified in path param
function makeOwner(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    // first make new one owner, then devote current one
    users.update(req.resource, { role: users.ROLE_OWNER }, auditSource.fromRequest(req), function (error) {
        if (error) return next(BoxError.toHttpError(error));

        users.update(req.user, { role: users.ROLE_USER }, auditSource.fromRequest(req), function (error) {
            if (error) return next(BoxError.toHttpError(error));

            next(new HttpSuccess(204));
        });
    });
}
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`'use strict';`

			`exports = module.exports = {`
user: add routes to set/clear avatar 2020-07-10 07:23:33 -07:00			`get,`
			`update,`
			`list,`
			`create,`
users: asyncify and merge userdb.del 2021-06-26 09:57:07 -07:00			`del,`
user: add routes to set/clear avatar 2020-07-10 07:23:33 -07:00			`changePassword,`
			`verifyPassword,`
			`createInvite,`
			`sendInvite,`
			`setGroups,`
Add route to transfer ownership 2021-01-15 14:28:41 +01:00			`makeOwner,`
user: add routes to set/clear avatar 2020-07-10 07:23:33 -07:00
users: add route to disable 2fa 2021-04-14 20:45:13 -07:00			`disableTwoFactorAuthentication,`

user: add routes to set/clear avatar 2020-07-10 07:23:33 -07:00			`load`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`};`

users: asyncify and merge userdb.del 2021-06-26 09:57:07 -07:00			`const assert = require('assert'),`
re-factor all the audit source objects 2019-03-25 15:07:06 -07:00			`auditSource = require('../auditsource.js'),`
Move UsersError to BoxError 2019-10-24 14:40:26 -07:00			`BoxError = require('../boxerror.js'),`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`HttpError = require('connect-lastmile').HttpError,`
			`HttpSuccess = require('connect-lastmile').HttpSuccess,`
users: asyncify and merge userdb.del 2021-06-26 09:57:07 -07:00			`safe = require('safetydance'),`
Move UsersError to BoxError 2019-10-24 14:40:26 -07:00			`users = require('../users.js');`

user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`function load(req, res, next) {`
			`assert.strictEqual(typeof req.params.userId, 'string');`

			`users.get(req.params.userId, function (error, result) {`
			`if (error) return next(BoxError.toHttpError(error));`

			`req.resource = result;`

			`next();`
			`});`
			`}`

remove unused user route functions 2016-04-17 18:27:11 +02:00			`function create(req, res, next) {`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`assert.strictEqual(typeof req.body, 'object');`

			`if (typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));`
Do not require a username to be present when creating a user 2016-04-01 16:48:50 +02:00			`if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be string'));`
Fix typo 2016-01-20 00:05:06 -08:00			`if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));`
enhance user creation API to take a password 2018-04-26 13:58:21 -07:00			`if ('password' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));`
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`if ('role' in req.body) {`
			`if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be string'));`
Improve role add/edit error message 2020-03-06 13:16:47 -08:00			if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
add manage user permission 2020-02-13 22:06:54 -08:00			`}`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Move password generation logic to model code 2018-06-11 12:59:52 -07:00			`var password = req.body.password \|\| null;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`var email = req.body.email;`
Allow usernames and groupnames of length 1 2017-02-02 00:23:11 -08:00			`var username = 'username' in req.body ? req.body.username : null;`
Add displayName to create user and activate routes 2016-01-19 23:34:49 -08:00			`var displayName = req.body.displayName \|\| '';`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`users.create(username, password, email, displayName, { invitor: req.user, role: req.body.role \|\| users.ROLE_USER }, auditSource.fromRequest(req), function (error, user) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Keep user objects in REST api responses more coherent 2020-01-06 11:54:00 +01:00			`next(new HttpSuccess(201, users.removePrivateFields(user)));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`});`
			`}`

			`function update(req, res, next) {`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.body, 'object');`

Make email in user change optional 2016-01-25 14:12:09 +01:00			`if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));`
Add fallbackEmail to user data model 2018-01-21 14:25:39 +01:00			`if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));`
Support changing the displayName 2016-01-25 14:08:11 +01:00			`if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));`
user.update does not need the user object 2016-06-02 23:53:06 -07:00			`if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a string'));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			`if ('role' in req.body) {`
			`if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));`
Revert "To allow transfer ownership, a user has to be able to update its role if permissions are granted by current role" 2021-01-15 14:16:55 +01:00			`if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));`

Fix incorrect role comparison 2020-03-15 15:56:06 -07:00			if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
add manage user permission 2020-02-13 22:06:54 -08:00			`}`

Do not allow to set active flag for the operating user 2020-03-05 21:00:59 -08:00			`if ('active' in req.body) {`
			`if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));`
			`if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));`
			`}`
Merge active flag into update route 2019-08-08 07:39:32 -07:00
Fix incorrect role comparison 2020-03-15 15:56:06 -07:00			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
Do not allow lower level roles to edit higher level ones 2020-03-07 13:52:57 -08:00
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
user.update does not need the user object 2016-06-02 23:53:06 -07:00			`next(new HttpSuccess(204));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`});`
			`}`

remove unused user route functions 2016-04-17 18:27:11 +02:00			`function list(req, res, next) {`
Add user pagination to rest api 2019-01-14 16:39:20 +01:00			`var page = typeof req.query.page !== 'undefined' ? parseInt(req.query.page) : 1;`
			`if (!page \|\| page < 0) return next(new HttpError(400, 'page query param has to be a postive number'));`

			`var perPage = typeof req.query.per_page !== 'undefined'? parseInt(req.query.per_page) : 25;`
			`if (!perPage \|\| perPage < 0) return next(new HttpError(400, 'per_page query param has to be a postive number'));`

Support username search in user listing api 2019-01-15 17:21:40 +01:00			`if (req.query.search && typeof req.query.search !== 'string') return next(new HttpError(400, 'search must be a string'));`

			`users.getAllPaged(req.query.search \|\| null, page, perPage, function (error, results) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
filter out correct fields in the route code 2016-06-03 00:04:17 -07:00
Add user management scope 2018-06-25 15:54:24 -07:00			`results = results.map(users.removeRestrictedFields);`
filter out correct fields in the route code 2016-06-03 00:04:17 -07:00
Rename user.js to users.js 2018-04-29 10:58:45 -07:00			`next(new HttpSuccess(200, { users: results }));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`});`
			`}`

remove unused user route functions 2016-04-17 18:27:11 +02:00			`function get(req, res, next) {`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
Do not require password for user profile changes 2016-02-25 14:03:42 +01:00			`assert.strictEqual(typeof req.user, 'object');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`next(new HttpSuccess(200, users.removePrivateFields(req.resource)));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

users: asyncify and merge userdb.del 2021-06-26 09:57:07 -07:00			`async function del(req, res, next) {`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`if (req.user.id === req.resource.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));`
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
make the tests work 2021-06-29 09:44:16 -07:00			`const [error] = await safe(users.del(req.resource, auditSource.fromRequest(req)));`
users: asyncify and merge userdb.del 2021-06-26 09:57:07 -07:00			`if (error) return next(BoxError.toHttpError(error));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
users: asyncify and merge userdb.del 2021-06-26 09:57:07 -07:00			`next(new HttpSuccess(204));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`

			`function verifyPassword(req, res, next) {`
			`assert.strictEqual(typeof req.body, 'object');`

			`if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));`

Add app passwords feature 2020-01-31 15:28:42 -08:00			`users.verifyWithUsername(req.user.username, req.body.password, users.AP_WEBADMIN, function (error) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
redact the password so it is never displayed in logs 2017-05-05 15:36:47 -07:00			`req.body.password = '<redacted>'; // this will prevent logs from displaying plain text password`

Simplify the password change logic 2016-04-17 19:17:01 +02:00			`next();`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`});`
			`}`

Split the invite route into two 2018-08-17 09:49:58 -07:00			`function createInvite(req, res, next) {`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
Split the invite route into two 2018-08-17 09:49:58 -07:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
add manage user permission 2020-02-13 22:06:54 -08:00
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`users.createInvite(req.resource, function (error, result) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
users: add route to disable 2fa 2021-04-14 20:45:13 -07:00
			`next(new HttpSuccess(200, result));`
			`});`
			`}`

			`function disableTwoFactorAuthentication(req, res, next) {`
			`assert.strictEqual(typeof req.resource, 'object');`

			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

			`users.disableTwoFactorAuthentication(req.resource.id, function (error, result) {`
			`if (error) return next(BoxError.toHttpError(error));`
Split the invite route into two 2018-08-17 09:49:58 -07:00
Generate the user invite link only in one location 2020-02-05 15:53:05 +01:00			`next(new HttpSuccess(200, result));`
Split the invite route into two 2018-08-17 09:49:58 -07:00			`});`
			`}`

Add send invite route 2016-01-18 15:37:03 +01:00			`function sendInvite(req, res, next) {`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
Add send invite route 2016-01-18 15:37:03 +01:00
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
add manage user permission 2020-02-13 22:06:54 -08:00
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`users.sendInvite(req.resource, { invitor: req.user }, function (error) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Add send invite route 2016-01-18 15:37:03 +01:00
Split the invite route into two 2018-08-17 09:49:58 -07:00			`next(new HttpSuccess(200, { }));`
Add send invite route 2016-01-18 15:37:03 +01:00			`});`
			`}`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
async'ify the groups code 2021-06-28 15:15:28 -07:00			`async function setGroups(req, res, next) {`
Add route to set the users groups 2016-02-09 15:47:02 -08:00			`assert.strictEqual(typeof req.body, 'object');`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
			`if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));`
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
Add route to set the users groups 2016-02-09 15:47:02 -08:00
async'ify the groups code 2021-06-28 15:15:28 -07:00			`const [error] = await safe(users.setMembership(req.resource, req.body.groupIds));`
			`if (error) return next(BoxError.toHttpError(error));`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
async'ify the groups code 2021-06-28 15:15:28 -07:00			`next(new HttpSuccess(204));`
Add route to set the users groups 2016-02-09 15:47:02 -08:00			`}`
Add API to set and transfer ownership 2018-06-28 16:48:04 -07:00
Add route to let admin set user password 2018-08-31 14:30:00 -07:00			`function changePassword(req, res, next) {`
			`assert.strictEqual(typeof req.body, 'object');`
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`assert.strictEqual(typeof req.resource, 'object');`
Add route to let admin set user password 2018-08-31 14:30:00 -07:00
			`if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a string'));`
migrate permissions and admin flag to user.role 2020-02-21 12:17:06 -08:00			if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
Add route to let admin set user password 2018-08-31 14:30:00 -07:00
user: load the resource with middleware 2020-02-13 20:45:00 -08:00			`users.setPassword(req.resource, req.body.password, function (error) {`
Refactor toHttpError code into BoxError 2019-10-24 18:05:14 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Add route to let admin set user password 2018-08-31 14:30:00 -07:00
			`next(new HttpSuccess(204));`
			`});`
			`}`
user: add routes to set/clear avatar 2020-07-10 07:23:33 -07:00
Add route to transfer ownership 2021-01-15 14:28:41 +01:00			`// This route transfers ownership from token user to user specified in path param`
			`function makeOwner(req, res, next) {`
			`assert.strictEqual(typeof req.resource, 'object');`

			`// first make new one owner, then devote current one`
			`users.update(req.resource, { role: users.ROLE_OWNER }, auditSource.fromRequest(req), function (error) {`
			`if (error) return next(BoxError.toHttpError(error));`

			`users.update(req.user, { role: users.ROLE_USER }, auditSource.fromRequest(req), function (error) {`
			`if (error) return next(BoxError.toHttpError(error));`

			`next(new HttpSuccess(204));`
			`});`
			`});`
			`}`