migrate permissions and admin flag to user.role
This commit is contained in:
Girish Ramakrishnan
@@ -41,14 +41,9 @@ function create(req, res, next) {
|
||||
if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be string'));
|
||||
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
|
||||
if ('password' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));
|
||||
if ('admin' in req.body && typeof req.body.admin !== 'boolean') return next(new HttpError(400, 'admin flag must be a boolean'));
|
||||
if ('permissions' in req.body) {
|
||||
if (!Array.isArray(req.body.permissions)) return next(new HttpError(400, 'permissions must be an array'));
|
||||
if (req.body.permissions.some((p) => typeof p !== 'string')) return next(new HttpError(400, 'permissions array must contain strings'));
|
||||
}
|
||||
|
||||
if (!req.user.admin) {
|
||||
if ('admin' in req.body || 'permissions' in req.body) return next(new HttpError(403, 'Only admin add admins or set permissions'));
|
||||
if ('role' in req.body) {
|
||||
if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be string'));
|
||||
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but user has only '${req.user.role}'`));
|
||||
}
|
||||
|
||||
var password = req.body.password || null;
|
||||
@@ -56,7 +51,7 @@ function create(req, res, next) {
|
||||
var username = 'username' in req.body ? req.body.username : null;
|
||||
var displayName = req.body.displayName || '';
|
||||
|
||||
users.create(username, password, email, displayName, { invitor: req.user, admin: req.body.admin, permissions: req.body.permissions }, auditSource.fromRequest(req), function (error, user) {
|
||||
users.create(username, password, email, displayName, { invitor: req.user, role: req.body.role || users.ROLE_USER }, auditSource.fromRequest(req), function (error, user) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(201, users.removePrivateFields(user)));
|
||||
@@ -73,23 +68,15 @@ function update(req, res, next) {
|
||||
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
|
||||
if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a string'));
|
||||
|
||||
if ('admin' in req.body) {
|
||||
if (typeof req.body.admin !== 'boolean') return next(new HttpError(400, 'admin must be a boolean'));
|
||||
// this route is only allowed for admins, so req.user has to be an admin
|
||||
if (req.user.id === req.resource.id && !req.body.admin) return next(new HttpError(409, 'Cannot remove admin flag on self'));
|
||||
}
|
||||
if ('role' in req.body) {
|
||||
if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
|
||||
|
||||
if ('permissions' in req.body) {
|
||||
if (!Array.isArray(req.body.permissions)) return next(new HttpError(400, 'permissions must be an array'));
|
||||
if (req.body.permissions.some((p) => typeof p !== 'string')) return next(new HttpError(400, 'permissions array must contain strings'));
|
||||
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but user has only '${req.user.role}'`));
|
||||
}
|
||||
|
||||
if ('active' in req.body && typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
|
||||
|
||||
if (!req.user.admin) {
|
||||
if ('admin' in req.body || 'permissions' in req.body) return next(new HttpError(403, 'Only admin add admins or set permissions'));
|
||||
}
|
||||
|
||||
users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
@@ -126,7 +113,7 @@ function remove(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));
|
||||
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot remove admin user'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
users.remove(req.resource, auditSource.fromRequest(req), function (error) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
@@ -152,7 +139,7 @@ function verifyPassword(req, res, next) {
|
||||
function createInvite(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
|
||||
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot reset admin user'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
users.createInvite(req.resource, function (error, result) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
@@ -164,7 +151,7 @@ function createInvite(req, res, next) {
|
||||
function sendInvite(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
|
||||
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot invite admin user'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
users.sendInvite(req.resource, { invitor: req.user }, function (error) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
@@ -178,7 +165,7 @@ function setGroups(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
|
||||
if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
|
||||
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot modify admin user'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
users.setMembership(req.resource, req.body.groupIds, function (error) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
@@ -192,7 +179,7 @@ function changePassword(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
|
||||
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a string'));
|
||||
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot modify admin user'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
users.setPassword(req.resource, req.body.password, function (error) {
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
Reference in New Issue
Block a user