Start using req.resources = { app, volume, ...} pattern
Reason was that req.app was clashing with expressjs v5 which stores the main expressjs app object there
This commit is contained in:
Johannes Zellner
+43
-42
@@ -42,7 +42,8 @@ async function load(req, res, next) {
|
||||
const [error, result] = await safe(users.get(req.params.userId));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
if (!result) return next(new HttpError(404, 'User not found'));
|
||||
req.resource = result; // this is not req.user because req.user is already the authenticated user
|
||||
|
||||
req.resources.user = result; // this is not req.user because req.user is already the authenticated user
|
||||
|
||||
next();
|
||||
}
|
||||
@@ -73,40 +74,40 @@ async function add(req, res, next) {
|
||||
}
|
||||
|
||||
async function setRole(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
|
||||
if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
|
||||
if (req.user.id === req.resources.user.id) return next(new HttpError(409, 'Cannot set role flag on self'));
|
||||
|
||||
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but you are only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.update(req.resource, { role: req.body.role }, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.update(req.resources.user, { role: req.body.role }, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
}
|
||||
|
||||
async function setActive(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
|
||||
if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
|
||||
if (req.user.id === req.resources.user.id) return next(new HttpError(409, 'Cannot set active flag on self'));
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but you are only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.update(req.resource, { active: req.body.active }, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.update(req.resources.user, { active: req.body.active }, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
}
|
||||
|
||||
async function updateProfile(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
|
||||
@@ -115,10 +116,10 @@ async function updateProfile(req, res, next) {
|
||||
if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
|
||||
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but you are only '${req.user.role}'`));
|
||||
|
||||
const data = _.pick(req.body, ['username', 'email', 'fallbackEmail', 'displayName']);
|
||||
const [error] = await safe(users.updateProfile(req.resource, data, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.updateProfile(req.resources.user, data, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
@@ -142,19 +143,19 @@ async function list(req, res, next) {
|
||||
}
|
||||
|
||||
function get(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
|
||||
next(new HttpSuccess(200, users.removePrivateFields(req.resource)));
|
||||
next(new HttpSuccess(200, users.removePrivateFields(req.resources.user)));
|
||||
}
|
||||
|
||||
async function del(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (req.user.id === req.resources.user.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.del(req.resource, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.del(req.resources.user, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
@@ -175,11 +176,11 @@ async function verifyPassword(req, res, next) {
|
||||
}
|
||||
|
||||
async function disableTwoFactorAuthentication(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.disableTwoFactorAuthentication(req.resource, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.disableTwoFactorAuthentication(req.resources.user, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(200, {}));
|
||||
@@ -187,13 +188,13 @@ async function disableTwoFactorAuthentication(req, res, next) {
|
||||
|
||||
async function setLocalGroups(req, res, next) {
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
|
||||
if (req.body.groupIds.some((gid) => typeof gid !== 'string')) return next(new HttpError(400, 'groupIds array must contain strings'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(groups.setLocalMembership(req.resource, req.body.groupIds, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(groups.setLocalMembership(req.resources.user, req.body.groupIds, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
@@ -201,13 +202,13 @@ async function setLocalGroups(req, res, next) {
|
||||
|
||||
async function setGhost(req, res, next) {
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (typeof req.body.password !== 'string' || !req.body.password) return next(new HttpError(400, 'password must be non-empty string'));
|
||||
if ('expiresAt' in req.body && typeof req.body.expiresAt !== 'number') return next(new HttpError(400, 'expiresAt must be a number'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.setGhost(req.resource, req.body.password, req.body.expiresAt || 0));
|
||||
const [error] = await safe(users.setGhost(req.resources.user, req.body.password, req.body.expiresAt || 0));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
@@ -215,12 +216,12 @@ async function setGhost(req, res, next) {
|
||||
|
||||
async function setPassword(req, res, next) {
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a string'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.setPassword(req.resource, req.body.password, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.setPassword(req.resources.user, req.body.password, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
@@ -228,46 +229,46 @@ async function setPassword(req, res, next) {
|
||||
|
||||
// This will always return a reset link, if none is set or expired a new one will be created
|
||||
async function getPasswordResetLink(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error, passwordResetLink] = await safe(users.getPasswordResetLink(req.resource, AuditSource.fromRequest(req)));
|
||||
const [error, passwordResetLink] = await safe(users.getPasswordResetLink(req.resources.user, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(200, { passwordResetLink }));
|
||||
}
|
||||
|
||||
async function sendPasswordResetEmail(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (!req.body.email || typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be a non-empty string'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.sendPasswordResetEmail(req.resource, req.body.email, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.sendPasswordResetEmail(req.resources.user, req.body.email, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(202, {}));
|
||||
}
|
||||
|
||||
async function getInviteLink(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error, inviteLink] = await safe(users.getInviteLink(req.resource, AuditSource.fromRequest(req)));
|
||||
const [error, inviteLink] = await safe(users.getInviteLink(req.resources.user, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(200, { inviteLink }));
|
||||
}
|
||||
|
||||
async function sendInviteEmail(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.resources.user, 'object');
|
||||
|
||||
if (!req.body.email || typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be a non-empty string'));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resources.user.role) < 0) return next(new HttpError(403, `role '${req.resources.user.role}' is required but user has only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.sendInviteEmail(req.resource, req.body.email, AuditSource.fromRequest(req)));
|
||||
const [error] = await safe(users.sendInviteEmail(req.resources.user, req.body.email, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(202, {}));
|
||||
|
||||
Reference in New Issue
Block a user