diff --git a/src/apps.js b/src/apps.js
index e306d26d6..4fb20ae88 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -309,12 +309,18 @@ function hasAccessTo(app, user, callback) {
 if (app.accessRestriction.users.some(function (e) { return e === user.id; })) return callback(null, true);
 // check group access
- if (!app.accessRestriction.groups) return callback(null, false);
+ groups.getGroups(user.id, function (error, groupIds) {
+ if (error) return callback(null, false);
- async.some(app.accessRestriction.groups, function (groupId, iteratorDone) {
- groups.isMember(groupId, user.id, iteratorDone);
- }, function (error, result) {
- callback(null, !error && result);
+ const isAdmin = groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1;
+
+ if (isAdmin) return callback(null, true); // admins can always access any app
+
+ if (!app.accessRestriction.groups) return callback(null, false);
+
+ if (app.accessRestriction.groups.some(function (gid) { return groupIds.indexOf(gid) !== -1; })) return callback(null, true);
+
+ callback(null, false);
 });
 }
diff --git a/src/ldap.js b/src/ldap.js
index 22b876024..0e4716360 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -479,13 +479,13 @@ function start(callback) {
 gServer.compare('cn=admins,ou=groups,dc=cloudron', groupAdminsCompare);
 // this is the bind for addons (after bind, they might search and authenticate)
- gServer.bind('ou=addons,dc=cloudron', function(req, res, next) {
+ gServer.bind('ou=addons,dc=cloudron', function(req, res /*, next */) {
 debug('addons bind: %s', req.dn.toString()); // note: cn can be email or id
 res.end();
 });
 // this is the bind for apps (after bind, they might search and authenticate user)
- gServer.bind('ou=apps,dc=cloudron', function(req, res, next) {
+ gServer.bind('ou=apps,dc=cloudron', function(req, res /*, next */) {
 // TODO: validate password
 debug('application bind: %s', req.dn.toString());
 res.end();
diff --git a/src/test/apps-test.js b/src/test/apps-test.js
index fce0d87e3..6ba66d670 100644
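Review bot: In the new `groups.getGroups` callback, `if (error) return callback(null, false);` turns a group-store failure into a silent "no access" — fail-closed, which is the right direction for an authorization check, but the caller cannot tell a denial-by-policy from a denial-by-outage, and the error itself is dropped (the removed `async.some` path had the same blind spot via `!error && result`). If `hasAccessTo`'s callers handle a first-argument error (they are not visible here), `if (error) return callback(error);` is the better contract; otherwise a comment should state that errors deliberately deny access. The admin bypass is also an authorization-policy change that the inline comment only half records; I would put `// admins bypass accessRestriction entirely: neither the users nor the groups list is consulted for them` above the `isAdmin` line. Note that `getGroups` now runs even for apps with no group restriction, where the old code returned early. The function's signature and the `users` early-return precede the hunk; only the tail of `hasAccessTo` is visible.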
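Review bot: Both bind handlers in the `ldap.js` hunk still accept any password: after the parameter cleanup, the `ou=addons` and `ou=apps` binds go straight to `res.end()` with no credential check, and `// TODO: validate password` is left standing, so any client that can reach the LDAP port and guess a DN under those OUs binds successfully. What actually bounds who can perform these binds is not visible here; if it is network isolation, each handler should say so (`// NOTE: no credential check — relies on the container network restricting who can reach this bind`), and if nothing does, the app/addon secret should be verified before `res.end()`. Commenting `next` out (`/*, next */`) rather than deleting it also keeps the unused argument visible for no gain; `function (req, res)` is the cleaner lint fix. `start` begins before this hunk and continues past it.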
--- a/src/test/apps-test.js
+++ b/src/test/apps-test.js
@@ -325,11 +325,13 @@ describe('Apps', function () {
 });
 });
- it('succeeds with admin not being special', function (done) {
+ it('returns all apps for admin', function (done) {
 apps.getAllByUser(ADMIN_0, function (error, result) {
 expect(error).to.equal(null);
- expect(result.length).to.equal(1);
+ expect(result.length).to.equal(3);
 expect(result[0].id).to.equal(APP_0.id);
+ expect(result[1].id).to.equal(APP_1.id);
+ expect(result[2].id).to.equal(APP_2.id);
 done();
 });
 });
diff --git a/src/test/ldap-test.js b/src/test/ldap-test.js
index 9075a5425..83971ab98 100644
--- a/src/test/ldap-test.js
+++ b/src/test/ldap-test.js
@@ -143,28 +143,28 @@ function setup(done) {
 if (req.method === 'GET' && req.url === '/networks/cloudron') {
 answer = {
- Name: "cloudron",
- Id: "f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566",
- Scope: "local",
- Driver: "bridge",
+ Name: 'cloudron',
+ Id: 'f2de39df4171b0dc801e8002d1d999b77256983dfc63041c0f34030aa3977566',
+ Scope: 'local',
+ Driver: 'bridge',
 IPAM: {
- Driver: "default",
+ Driver: 'default',
 Config: [{
- Subnet: "172.18.0.0/16"
+ Subnet: '172.18.0.0/16'
 }]
 },
- "Containers": {
+ 'Containers': {
 someOtherContainerId: {
- "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
- "MacAddress": "02:42:ac:11:00:02",
- "IPv4Address": "127.0.0.2/16",
- "IPv6Address": ""
+ 'EndpointID': 'ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda',
+ 'MacAddress': '02:42:ac:11:00:02',
+ 'IPv4Address': '127.0.0.2/16',
+ 'IPv6Address': ''
 },
 someContainerId: {
- "EndpointID": "ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda",
- "MacAddress": "02:42:ac:11:00:02",
- "IPv4Address": "127.0.0.1/16",
- "IPv6Address": ""
+ 'EndpointID': 'ed2419a97c1d9954d05b46e462e7002ea552f216e9b136b80a7db8d98b442eda',
+ 'MacAddress': '02:42:ac:11:00:02',
+ 'IPv4Address': '127.0.0.1/16',
+ 'IPv6Address': ''
 }
 }
 };
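Review bot: The new assertions in `returns all apps for admin` pin the positional order of `getAllByUser`'s result (`result[1].id` is `APP_1.id`, `result[2].id` is `APP_2.id`), which presumably is whatever order the store hands back; if `getAllByUser` does not guarantee that ordering, the test can fail for a reason unrelated to the admin change. Comparing the id set instead says what the test actually means: `expect(result.map(function (a) { return a.id; }).sort()).to.eql([APP_0.id, APP_1.id, APP_2.id].sort());`. The enclosing `describe` and the `ADMIN_0`/`APP_*` fixtures are defined outside the hunk, so whether a non-admin counterpart test still exists cannot be confirmed from here.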
@@ -266,10 +266,10 @@ describe('Ldap', function () {
 it('fails with accessRestriction denied', function (done) {
 var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
- appdb.update(APP_0.id, { accessRestriction: { users: [ USER_1.id ], groups: [] }}, function (error) {
+ appdb.update(APP_0.id, { accessRestriction: { users: [ USER_0.id ], groups: [] }}, function (error) {
 expect(error).to.eql(null);
- client.bind('cn=' + USER_0.id + ',ou=users,dc=cloudron', USER_0.password, function (error) {
+ client.bind('cn=' + USER_1.id + ',ou=users,dc=cloudron', USER_1.password, function (error) {
 expect(error).to.be.a(ldap.NoSuchObjectError);
 done();
 });
@@ -457,7 +457,7 @@ describe('Ldap', function () {
 });
 });
- it ('does not list users who have no access', function (done) {
+ it ('always lists admins', function (done) {
 appdb.update(APP_0.id, { accessRestriction: { users: [], groups: [] } }, function (error) {
 expect(error).to.be(null);
@@ -477,7 +477,9 @@ describe('Ldap', function () {
 result.on('error', done);
 result.on('end', function (result) {
 expect(result.status).to.equal(0);
- expect(entries.length).to.equal(0);
+ expect(entries.length).to.equal(1);
+ expect(entries[0].username).to.equal(USER_0.username.toLowerCase());
+ expect(entries[0].memberof.length).to.equal(2);
 appdb.update(APP_0.id, { accessRestriction: null }, done);
@@ -725,7 +727,7 @@ describe('Ldap', function () {
 });
 it('cannot get alias as a mailbox', function (done) {
- ldapSearch('cn=' + USER_0_ALIAS + ',ou=mailboxes,dc=cloudron', 'objectclass=mailbox', function (error, entries) {
+ ldapSearch('cn=' + USER_0_ALIAS + ',ou=mailboxes,dc=cloudron', 'objectclass=mailbox', function (error) {
 expect(error).to.be.a(ldap.NoSuchObjectError);
 done();
 });
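Review bot: The user swap in `fails with accessRestriction denied` makes the test silently depend on `USER_1` not being an admin — with this commit's `apps.js` change an admin passes `hasAccessTo` regardless of the `users` list, so a fixture change that promotes `USER_1` would turn this into a false pass rather than a clear failure. A one-line comment on the `client.bind` line, `// USER_1 must be a non-admin: admins bypass accessRestriction`, records the assumption; asserting it in the test setup would be stronger. The `USER_0`/`USER_1` fixtures and the enclosing `describe` are outside the hunk.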
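Review bot: In the `always lists admins` assertions, `expect(entries[0].memberof.length).to.equal(2)` is a bare magic number — nothing says which two groups the admin is expected to belong to, so a fixture change will fail the test with no hint of why. Either assert the membership itself (e.g. `expect(entries[0].memberof).to.contain('cn=admins,ou=groups,dc=cloudron')`, assuming that is the DN form the server emits, which the hunk does not show) or add `// admin fixture: admins group plus one user group` above the line. The `accessRestriction: null` cleanup only runs when the assertions pass, so a failing run leaves the restriction in place for later tests; that is pre-existing, but an `after`/`finally`-style reset would make failures here easier to read. The `it` body starts before this hunk and ends after it.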
@@ -751,7 +753,7 @@ describe('Ldap', function () {
 });
 it('cannot get mailbox as alias', function (done) {
- ldapSearch('cn=' + USER_0.username + ',ou=mailaliases,dc=cloudron', 'objectclass=nismailalias', function (error, entries) {
+ ldapSearch('cn=' + USER_0.username + ',ou=mailaliases,dc=cloudron', 'objectclass=nismailalias', function (error) {
 expect(error).to.be.a(ldap.NoSuchObjectError);
 done();
 });