groups: members cannot be set for external groups

src/routes/groups.js

@@ -59,7 +59,7 @@ async function setName(req, res, next) {
 }
 
 async function setMembers(req, res, next) {
-    assert.strictEqual(typeof req.params.groupId, 'string');
+    assert.strictEqual(typeof req.resource, 'object');
 
     if (req.resource.source === 'ldap') return next(new HttpError(409, 'members of an external group cannot be set'));
 
@@ -67,7 +67,7 @@ async function setMembers(req, res, next) {
     if (!Array.isArray(req.body.userIds)) return next(new HttpError(404, 'userIds must be an array'));
     if (req.body.userIds.some((u) => typeof u !== 'string')) return next(new HttpError(400, 'userIds array must contain strings'));
 
-    const [error] = await safe(groups.setMembers(req.params.groupId, req.body.userIds));
+    const [error] = await safe(groups.setMembers(req.resource, req.body.userIds, { skipSourceCheck: false }));
     if (error) return next(BoxError.toHttpError(error));
 
     next(new HttpSuccess(200, { }));

src/routes/users.js

@@ -170,7 +170,7 @@ async function setGroups(req, res, next) {
     if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
     if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));
 
-    const [error] = await safe(groups.setMembership(req.resource.id, req.body.groupIds));
+    const [error] = await safe(groups.setMembership(req.resource, req.body.groupIds));
     if (error) return next(BoxError.toHttpError(error));
 
     next(new HttpSuccess(204));