diff --git a/migrations/20180615041128-groups-add-rolesJson.js b/migrations/20180615041128-groups-add-rolesJson.js deleted file mode 100644 index 66bc72f85..000000000 --- a/migrations/20180615041128-groups-add-rolesJson.js +++ /dev/null @@ -1,19 +0,0 @@ -'use strict'; - -var async = require('async'); - -exports.up = function(db, callback) { - async.series([ - db.runSql.bind(db, 'START TRANSACTION;'), - db.runSql.bind(db, 'ALTER TABLE groups ADD COLUMN rolesJson TEXT'), - db.runSql.bind(db, 'UPDATE groups SET rolesJson=? WHERE id=?', JSON.stringify([ 'owner' ]), 'admin'), - db.runSql.bind(db, 'COMMIT') - ], callback); -}; - -exports.down = function(db, callback) { - db.runSql('ALTER TABLE groups DROP COLUMN rolesJson', function (error) { - if (error) console.error(error); - callback(error); - }); -}; diff --git a/migrations/schema.sql b/migrations/schema.sql index 4f8c4928e..d1e48be4f 100644 --- a/migrations/schema.sql +++ b/migrations/schema.sql @@ -31,7 +31,6 @@ CREATE TABLE IF NOT EXISTS users( CREATE TABLE IF NOT EXISTS groups( id VARCHAR(128) NOT NULL UNIQUE, name VARCHAR(254) NOT NULL UNIQUE, - rolesJson TEXT NOT NULL, PRIMARY KEY(id)); CREATE TABLE IF NOT EXISTS groupMembers( @@ -193,4 +192,4 @@ CREATE TABLE IF NOT EXISTS subdomains( FOREIGN KEY(appId) REFERENCES apps(id), UNIQUE (subdomain, domain)) - CHARACTER SET utf8 COLLATE utf8_bin; \ No newline at end of file + CHARACTER SET utf8 COLLATE utf8_bin; diff --git a/src/accesscontrol.js b/src/accesscontrol.js index dc5b75d78..06702bc7d 100644 --- a/src/accesscontrol.js +++ b/src/accesscontrol.js 
@@ -17,32 +17,12 @@ exports = module.exports = { SCOPE_ANY: '*', - ROLE_OWNER: 'owner', - - validateRoles: validateRoles, - validateScopeString: validateScopeString, hasScopes: hasScopes, canonicalScopeString: canonicalScopeString, intersectScopes: intersectScopes, validateToken: validateToken, - scopesForRoles: scopesForRoles -}; - -// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions -const ROLE_DEFINITIONS = { - 'owner': { - scopes: exports.VALID_SCOPES - }, - 'manage_apps': { - scopes: [ 'apps', 'domains:read', 'users:read' ] - }, - 'manage_users': { - scopes: [ 'users' ] - }, - 'manage_domains': { - scopes: [ 'domains' ] - } + scopesForUser: scopesForUser }; var assert = require('assert'), @@ -94,16 +74,6 @@ function intersectScopes(allowedScopes, wantedScopes) { return results; } -function validateRoles(roles) { - assert(Array.isArray(roles)); - - for (let role of roles) { - if (Object.keys(ROLE_DEFINITIONS).indexOf(role) === -1) return new Error(`Invalid role ${role}`); - } - - return null; -} - function validateScopeString(scope) { assert.strictEqual(typeof scope, 'string'); @@ -137,26 +107,8 @@ function hasScopes(authorizedScopes, requiredScopes) { return null; } -function scopesForRoles(roles) { - assert(Array.isArray(roles), 'Expecting array'); - - let scopes = [ 'profile', 'apps:read' ]; // the minimum scopes - - for (let r of roles) { - if (!ROLE_DEFINITIONS[r]) continue; // unknown or some legacy role - - scopes = scopes.concat(ROLE_DEFINITIONS[r].scopes); - } - - // fold scopes so we don't have duplicate scopes - let sortedScopes = scopes.sort(); - let set = new Set(); - for (let s of sortedScopes) { - var parts = s.split(':'); - if (set.has(parts[0])) continue; - set.add(s); - } - return Array.from(set); +function scopesForUser(user) { + return users.isAdmin(user) ? exports.VALID_SCOPES : [ 'profile', 'apps:read' ]; } function validateToken(accessToken, callback) { 
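Review bot: `scopesForUser` returns the module's shared `exports.VALID_SCOPES` array itself for admins, whereas the `scopesForRoles` it replaces always built a fresh array; if any caller mutates the returned list, the global scope set would be widened for every later admin token, so I would hand out a copy: `return users.isAdmin(user) ? exports.VALID_SCOPES.slice() : [ 'profile', 'apps:read' ];`. The new function also drops the argument assert its predecessor had; `assert.strictEqual(typeof user, 'object');` as the first line would keep it in step with the rest of this file. It now hinges on `users.isAdmin()` reading `user.groupIds`, which the `users.get()` callers in this diff must populate; that function is not visible here, so worth confirming. Note too that the `validateRoles` tests removed from accesscontrol-test.js are not replaced by a test of this admin/non-admin split, which is now the whole authorization decision.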
@@ -167,11 +119,11 @@ function validateToken(accessToken, callback) { if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401 if (error) return callback(error); // this triggers 'internal error' in passport - users.getWithRoles(token.identifier, function (error, user) { + users.get(token.identifier, function (error, user) { if (error && error.reason === UsersError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401 if (error) return callback(error); - const userScopes = scopesForRoles(user.roles); + const userScopes = scopesForUser(user); var authorizedScopes = intersectScopes(userScopes, token.scope.split(',')); const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli'; // these clients do not require password checks unlike UI var info = { authorizedScopes: authorizedScopes, skipPasswordVerification: skipPasswordVerification }; // ends up in req.authInfo diff --git a/src/clients.js b/src/clients.js index 1561abb73..a5bc66a34 100644 --- a/src/clients.js +++ b/src/clients.js @@ -253,11 +253,11 @@ function addTokenByUserId(clientId, userId, expiresAt, callback) { get(clientId, function (error, result) { if (error) return callback(error); - users.getWithRoles(userId, function (error, user) { + users.get(userId, function (error, user) { if (error && error.reason === UsersError.NOT_FOUND) return callback(new ClientsError(ClientsError.NOT_FOUND, 'No such user')); if (error) return callback(new ClientsError(ClientsError.INTERNAL_ERROR, error)); - const userScopes = accesscontrol.scopesForRoles(user.roles); + const userScopes = accesscontrol.scopesForUser(user); var scope = accesscontrol.canonicalScopeString(result.scope); var authorizedScopes = accesscontrol.intersectScopes(userScopes, scope.split(',')); diff --git a/src/groupdb.js b/src/groupdb.js index 354f5612c..61d083c04 100644 --- a/src/groupdb.js 
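Review bot: `scopesForUser(user)` calls `users.isAdmin`, which dereferences `user.groupIds`, so the `users.get()` call that replaces `getWithRoles` in `validateToken` must return a user that carries `groupIds`; if it does not, the throw happens inside the database callback and escapes as an uncaught exception instead of reaching `callback(error)`, i.e. neither a 401 nor a 500 is produced. `users.get` is outside this diff, so either confirm it attaches `groupIds` or guard here with `if (!Array.isArray(user.groupIds)) return callback(new Error('user loaded without groupIds'));` before computing scopes. The same consideration applies to `addTokenByUserId` in clients.js, which derives scopes the same way at token issue time. `validateToken`'s body continues past the end of the hunk.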
+++ b/src/groupdb.js @@ -26,18 +26,9 @@ exports = module.exports = { var assert = require('assert'), database = require('./database.js'), - DatabaseError = require('./databaseerror'), - safe = require('safetydance'); + DatabaseError = require('./databaseerror'); -var GROUPS_FIELDS = [ 'id', 'name', 'rolesJson' ].join(','); - -function postProcess(result) { - assert.strictEqual(typeof result, 'object'); - - assert(result.rolesJson === null || typeof result.rolesJson === 'string'); - result.roles = safe.JSON.parse(result.rolesJson) || [ ]; - delete result.rolesJson; -} +var GROUPS_FIELDS = [ 'id', 'name' ].join(','); function get(groupId, callback) { assert.strictEqual(typeof groupId, 'string'); @@ -47,8 +38,6 @@ function get(groupId, callback) { if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error)); if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND)); - postProcess(result[0]); - callback(null, result[0]); }); } @@ -67,8 +56,6 @@ function getWithMembers(groupId, callback) { var result = results[0]; result.userIds = result.userIds ? result.userIds.split(',') : [ ]; - postProcess(result); - callback(null, result); }); } @@ -79,8 +66,6 @@ function getAll(callback) { database.query('SELECT ' + GROUPS_FIELDS + ' FROM groups', function (error, results) { if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error)); - results.forEach(postProcess); - callback(null, results); }); } 
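Review bot: The `safetydance` require is removed from the module header because `postProcess` was its only visible user, but the remainder of groupdb.js is outside these hunks, so any surviving `safe.` reference would now fail with a `ReferenceError` at call time rather than at load. A grep for `safe.` in the file before merging would rule that out. With `rolesJson` gone from `GROUPS_FIELDS` nothing here parses JSON from the database any more, so the `postProcess` deletions look complete for the visible functions.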
@@ -94,19 +79,16 @@ function getAllWithMembers(callback) { results.forEach(function (result) { result.userIds = result.userIds ? result.userIds.split(',') : [ ]; }); - results.forEach(postProcess); - callback(null, results); }); } -function add(id, name, roles, callback) { +function add(id, name, callback) { assert.strictEqual(typeof id, 'string'); assert.strictEqual(typeof name, 'string'); - assert(Array.isArray(roles)); assert.strictEqual(typeof callback, 'function'); - database.query('INSERT INTO groups (id, name, rolesJson) VALUES (?, ?, ?)', [ id, name, JSON.stringify(roles) ], function (error, result) { + database.query('INSERT INTO groups (id, name) VALUES (?, ?)', [ id, name ], function (error, result) { if (error && error.code === 'ER_DUP_ENTRY') return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS, error)); if (error || result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error)); @@ -122,11 +104,7 @@ function update(id, data, callback) { var args = [ ]; var fields = [ ]; for (var k in data) { - if (k === 'roles') { - assert(Array.isArray(data.roles)); - fields.push('rolesJson = ?'); - args.push(data.roles.length === 0 ? null : JSON.stringify(data.roles)); - } else if (k === 'name') { + if (k === 'name') { assert.strictEqual(typeof data.name, 'string'); fields.push(k + ' = ?'); args.push(data.name); @@ -291,8 +269,6 @@ function getGroups(userId, callback) { ' FROM groups INNER JOIN groupMembers ON groups.id = groupMembers.groupId AND groupMembers.userId = ?', [ userId ], function (error, results) { if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error)); - results.forEach(postProcess); - callback(null, results); }); } diff --git a/src/groups.js b/src/groups.js index c5f03456a..83cda61dc 100644 --- a/src/groups.js +++ b/src/groups.js 
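Review bot: With the `roles` branch gone, `update` can only ever push `name = ?`, so a `data` object without `name` — which groups.js now produces via `_.pick(data, 'name')` whenever a client sends only the legacy `roles` key — leaves `fields` empty; unless the code after this hunk already checks for that, the generated `UPDATE groups SET  WHERE id = ?` is malformed and surfaces as an opaque INTERNAL_ERROR. A guard right after the loop, `if (fields.length === 0) return callback(null);` (or an explicit error, if a no-op update should be rejected), makes the behaviour deliberate. `update` starts before this hunk and its query construction lies after it, so I cannot see whether such a check exists.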
@@ -77,9 +77,8 @@ function validateGroupname(name) { return null; } -function create(name, roles, callback) { +function create(name, callback) { assert.strictEqual(typeof name, 'string'); - assert(Array.isArray(roles)); assert.strictEqual(typeof callback, 'function'); // we store names in lowercase @@ -88,11 +87,8 @@ function create(name, roles, callback) { var error = validateGroupname(name); if (error) return callback(error); - error = accesscontrol.validateRoles(roles); - if (error) return callback(new GroupsError(GroupsError.BAD_FIELD, error.message)); - var id = 'gid-' + uuid.v4(); - groupdb.add(id, name, roles, function (error) { + groupdb.add(id, name, function (error) { if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(new GroupsError(GroupsError.ALREADY_EXISTS)); if (error) return callback(new GroupsError(GroupsError.INTERNAL_ERROR, error)); @@ -251,7 +247,7 @@ function isMember(groupId, userId, callback) { function addOwnerGroup(callback) { assert.strictEqual(typeof callback, 'function'); - groupdb.add(constants.ADMIN_GROUP_ID, constants.ADMIN_GROUP_NAME, [ accesscontrol.ROLE_OWNER ], callback); + groupdb.add(constants.ADMIN_GROUP_ID, constants.ADMIN_GROUP_NAME, callback); } function update(groupId, data, callback) { @@ -266,13 +262,7 @@ function update(groupId, data, callback) { if (error) return callback(error); } - if ('roles' in data) { - assert(Array.isArray(data.roles)); - error = accesscontrol.validateRoles(data.roles); - if (error) return callback(new GroupsError(GroupsError.BAD_FIELD, error.message)); - } - - groupdb.update(groupId, _.pick(data, 'name', 'roles'), function (error) { + groupdb.update(groupId, _.pick(data, 'name'), function (error) { if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new GroupsError(GroupsError.NOT_FOUND)); if (error) return callback(new GroupsError(GroupsError.INTERNAL_ERROR, error)); 
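Review bot: `update` now forwards `_.pick(data, 'name')` after validating only `name`, so a body that carries just the old `roles` field passes validation and becomes an update with no fields; since `roles` used to confer privileges, I would reject it rather than ignore it, e.g. `if ('roles' in data) return callback(new GroupsError(GroupsError.BAD_FIELD, 'roles are no longer supported'));` beside the name check. Separately, `accesscontrol.validateRoles` and `accesscontrol.ROLE_OWNER` were the only uses of `accesscontrol` visible in these hunks; if nothing else in groups.js references it, its require (outside the hunk) is now dead and will be flagged by the linter. `update`'s body continues beyond the hunk.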
diff --git a/src/routes/groups.js b/src/routes/groups.js index af0625a9a..c41e47181 100644 --- a/src/routes/groups.js +++ b/src/routes/groups.js @@ -19,14 +19,8 @@ function create(req, res, next) { assert.strictEqual(typeof req.body, 'object'); if (typeof req.body.name !== 'string') return next(new HttpError(400, 'name must be string')); - if ('roles' in req.body) { - if (!Array.isArray(req.body.roles)) return next(new HttpError(400, 'roles must be an array')); - for (let role of req.body.roles) { - if (typeof role !== 'string') return next(new HttpError(400, 'roles must be an array of strings')); - } - } - groups.create(req.body.name, req.body.roles || [ ], function (error, group) { + groups.create(req.body.name, function (error, group) { if (error && error.reason === GroupsError.BAD_FIELD) return next(new HttpError(400, error.message)); if (error && error.reason === GroupsError.ALREADY_EXISTS) return next(new HttpError(409, 'Already exists')); if (error) return next(new HttpError(500, error)); @@ -57,13 +51,6 @@ function update(req, res, next) { if ('name' in req.body && typeof req.body.name !== 'string') return next(new HttpError(400, 'name must be a string')); - if ('roles' in req.body) { - if (!Array.isArray(req.body.roles)) return next(new HttpError(400, 'roles must be an array')); - for (let role of req.body.roles) { - if (typeof role !== 'string') return next(new HttpError(400, 'roles must be an array of strings')); - } - } - groups.update(req.params.groupId, req.body, function (error) { if (error && error.reason === GroupsError.BAD_FIELD) return next(new HttpError(400, error.message)); if (error) return next(new HttpError(500, error)); diff --git a/src/routes/test/groups-test.js b/src/routes/test/groups-test.js index d5006b1aa..38bbd8452 100644 --- a/src/routes/test/groups-test.js +++ b/src/routes/test/groups-test.js 
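Review bot: Both handlers now accept a `roles` key in the request body without comment: `create` drops it on the floor and `update` hands the whole `req.body` to `groups.update`, so a client still written against the previous API gets a 200 while its privilege assignment is silently discarded. For a field that used to grant scopes, an explicit refusal is safer and more debuggable: `if ('roles' in req.body) return next(new HttpError(400, 'roles are no longer supported'));` in each handler, in place of the deleted validation. A short comment next to the `name` check noting that group privileges are now solely membership of the admin group would also stop the next person from re-adding a roles field here.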
@@ -152,38 +152,6 @@ describe('Groups API', function () { }); }); - describe('Roles', function () { - it('can set roles', function (done) { - superagent.post(SERVER_URL + '/api/v1/groups/' + groupObject.id) - .query({ access_token: token }) - .send({ roles: [ accesscontrol.ROLE_OWNER ]}) - .end(function (error, result) { - expect(result.statusCode).to.equal(200); - done(); - }); - }); - - it('fails with invalid roles', function (done) { - superagent.post(SERVER_URL + '/api/v1/groups/' + groupObject.id) - .query({ access_token: token }) - .send({ roles: [ 'bogus' ]}) - .end(function (error, result) { - expect(result.statusCode).to.equal(400); - done(); - }); - }); - - it('can get roles', function (done) { - superagent.get(SERVER_URL + '/api/v1/groups/' + groupObject.id) - .query({ access_token: token }) - .end(function (error, result) { - expect(result.statusCode).to.equal(200); - expect(result.body.roles).to.eql([ accesscontrol.ROLE_OWNER ]); - done(); - }); - }); - }); - describe('get', function () { it('cannot get non-existing group', function (done) { superagent.get(SERVER_URL + '/api/v1/groups/nope') @@ -249,9 +217,9 @@ describe('Groups API', function () { describe('Set groups', function () { var group0Object, group1Object; before(function (done) { - groups.create('group0', [ ], function (e, r) { + groups.create('group0', function (e, r) { group0Object = r; - groups.create('group1', [ ], function (e, r) { + groups.create('group1', function (e, r) { group1Object = r; done(); }); diff --git a/src/routes/test/users-test.js b/src/routes/test/users-test.js index 0fc618fe2..b0946f085 100644 --- a/src/routes/test/users-test.js +++ b/src/routes/test/users-test.js @@ -50,7 +50,7 @@ function setup(done) { ], function (error) { expect(error).to.not.be.ok(); - groups.create('somegroupname', [ ], function (error, result) { + groups.create('somegroupname', function (error, result) { expect(error).to.not.be.ok(); groupObject = result; 
diff --git a/src/test/accesscontrol-test.js b/src/test/accesscontrol-test.js index fb51e664a..7d117031c 100644 --- a/src/test/accesscontrol-test.js +++ b/src/test/accesscontrol-test.js @@ -77,14 +77,4 @@ describe('access control', function () { expect(accesscontrol.hasScopes([ 'apps:write' ], [ 'apps:read' ])).to.be.an(Error); }); }); - - describe('validateRoles', function () { - it('succeeds for valid roles', function () { - expect(accesscontrol.validateRoles([ accesscontrol.ROLE_OWNER ])).to.be(null); - }); - - it('fails for invalid roles', function () { - expect(accesscontrol.validateRoles([ 'janitor' ])).to.be.an(Error); - }); - }); }); diff --git a/src/test/apps-test.js b/src/test/apps-test.js index e66ecfdc7..0972527c7 100644 --- a/src/test/apps-test.js +++ b/src/test/apps-test.js @@ -155,8 +155,8 @@ describe('Apps', function () { userdb.add.bind(null, ADMIN_0.id, ADMIN_0), userdb.add.bind(null, USER_0.id, USER_0), userdb.add.bind(null, USER_1.id, USER_1), - groupdb.add.bind(null, GROUP_0.id, GROUP_0.name, [ /* roles */ ]), - groupdb.add.bind(null, GROUP_1.id, GROUP_1.name, [ /* roles */ ]), + groupdb.add.bind(null, GROUP_0.id, GROUP_0.name), + groupdb.add.bind(null, GROUP_1.id, GROUP_1.name), groups.addMember.bind(null, constants.ADMIN_GROUP_ID, ADMIN_0.id), groups.addMember.bind(null, GROUP_0.id, USER_1.id), appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.domain, APP_0.ownerId, APP_0.portBindings, APP_0), diff --git a/src/test/database-test.js b/src/test/database-test.js index d4e1314c1..6784f4764 100644 --- a/src/test/database-test.js +++ b/src/test/database-test.js 
@@ -1465,7 +1465,7 @@ describe('database', function () { async.series([ database.initialize, database._clear, - groupdb.add.bind(null, constants.ADMIN_GROUP_ID, constants.ADMIN_GROUP_NAME, [ /* roles */]), + groupdb.add.bind(null, constants.ADMIN_GROUP_ID, constants.ADMIN_GROUP_NAME), userdb.add.bind(null, USER_0.id, USER_0), userdb.add.bind(null, USER_1.id, USER_1), userdb.add.bind(null, USER_2.id, USER_2) @@ -1475,7 +1475,7 @@ describe('database', function () { var GROUP_ID_1 = 'foundersid'; it('can create a group', function (done) { - groupdb.add(GROUP_ID_1, 'founders', [ /* roles */ ], function (error) { + groupdb.add(GROUP_ID_1, 'founders', function (error) { expect(error).to.be(null); done(); }); @@ -1579,17 +1579,6 @@ describe('database', function () { done(); }); }); - - it('can update roles of the group', function (done) { - groupdb.update(GROUP_ID_1, { roles: [ 'manage_app' ] }, function (error) { - expect(error).to.be(null); - - groupdb.get(GROUP_ID_1, function (error, result) { - expect(result.roles).to.eql([ 'manage_app' ]); - done(); - }); - }); - }); }); describe('importFromFile', function () { diff --git a/src/test/groups-test.js b/src/test/groups-test.js index 74cf8ea50..7676ba18e 100644 --- a/src/test/groups-test.js +++ b/src/test/groups-test.js 
@@ -81,42 +81,42 @@ describe('Groups', function () { after(cleanup); it('cannot create group - too small', function (done) { - groups.create('', [ ], function (error) { + groups.create('', function (error) { expect(error.reason).to.be(GroupsError.BAD_FIELD); done(); }); }); it('cannot create group - too big', function (done) { - groups.create(new Array(256).join('a'), [ ], function (error) { + groups.create(new Array(256).join('a'), function (error) { expect(error.reason).to.be(GroupsError.BAD_FIELD); done(); }); }); it('cannot create group - bad name', function (done) { - groups.create('bad:name', [ ], function (error) { + groups.create('bad:name', function (error) { expect(error.reason).to.be(GroupsError.BAD_FIELD); done(); }); }); it('cannot create group - reserved', function (done) { - groups.create('users', [ ], function (error) { + groups.create('users', function (error) { expect(error.reason).to.be(GroupsError.BAD_FIELD); done(); }); }); it('cannot create group - invalid', function (done) { - groups.create('cloudron+admin', [ ], function (error) { + groups.create('cloudron+admin', function (error) { expect(error.reason).to.be(GroupsError.BAD_FIELD); done(); }); }); it('can create valid group', function (done) { - groups.create(GROUP0_NAME, [ ], function (error, result) { + groups.create(GROUP0_NAME, function (error, result) { expect(error).to.be(null); group0Object = result; done(); @@ -125,14 +125,14 @@ describe('Groups', function () { it('cannot create existing group with mixed case', function (done) { var name = GROUP0_NAME[0].toUpperCase() + GROUP0_NAME.substr(1); - groups.create(name, [ ], function (error) { + groups.create(name, function (error) { expect(error.reason).to.be(GroupsError.ALREADY_EXISTS); done(); }); }); it('cannot add existing group', function (done) { - groups.create(GROUP0_NAME, [ ], function (error) { + groups.create(GROUP0_NAME, function (error) { expect(error.reason).to.be(GroupsError.ALREADY_EXISTS); done(); }); 
@@ -180,7 +180,7 @@ describe('Group membership', function () { async.series([ setup, function (next) { - groups.create(GROUP0_NAME, [ /* roles */ ], function (error, result) { + groups.create(GROUP0_NAME, function (error, result) { if (error) return next(error); group0Object = result; next(); @@ -297,7 +297,7 @@ describe('Group membership', function () { }); it('can remove group with member', function (done) { - groups.create(GROUP0_NAME, [ /* roles */ ], function (error, result) { + groups.create(GROUP0_NAME, function (error, result) { expect(error).to.eql(null); group0Object = result; @@ -318,14 +318,14 @@ describe('Set user groups', function () { async.series([ setup, function (next) { - groups.create(GROUP0_NAME, [ ], function (error, result) { + groups.create(GROUP0_NAME, function (error, result) { if (error) return next(error); group0Object = result; next(); }); }, function (next) { - groups.create(GROUP1_NAME, [ ], function (error, result) { + groups.create(GROUP1_NAME, function (error, result) { if (error) return next(error); group1Object = result; next(); 
@@ -380,51 +380,3 @@ describe('Admin group', function () { }); }); }); - -describe('Roles', function () { - before(function (done) { - async.series([ - setup, - userdb.add.bind(null, USER_0.id, USER_0), - function (next) { - groups.create(GROUP0_NAME, [ /* roles */ ], function (error, result) { - if (error) return next(error); - group0Object = result; - - groups.setMembership(USER_0.id, [ group0Object.id ], next); - }); - }, - ], done); - }); - after(cleanup); - - it('can set roles', function (done) { - groups.update(group0Object.id, { roles: [ accesscontrol.ROLE_OWNER ] }, function (error) { - expect(error).to.be(null); - done(); - }); - }); - - it('can get roles of a group', function (done) { - groups.get(group0Object.id, function (error, result) { - expect(error).to.be(null); - expect(result.roles).to.eql([ accesscontrol.ROLE_OWNER ]); - done(); - }); - }); - - it('can get roles of a user', function (done) { - groups.getGroups(USER_0.id, function (error, results) { - expect(results.length).to.be(1); - expect(results[0].roles).to.eql([ 'owner' ]); - done(); - }); - }); - - it('cannot set invalid role', function (done) { - groups.update(group0Object.id, { roles: [ accesscontrol.ROLE_OWNER, 'janitor' ] }, function (error) { - expect(error).to.be.ok(); - done(); - }); - }); -}); diff --git a/src/test/ldap-test.js b/src/test/ldap-test.js index aeab7218c..1d091db50 100644 --- a/src/test/ldap-test.js +++ b/src/test/ldap-test.js @@ -132,7 +132,7 @@ function setup(done) { }); }, function (callback) { - groups.create(GROUP_NAME, [ /* roles */ ], function (error, result) { + groups.create(GROUP_NAME, function (error, result) { if (error) return callback(error); GROUP_ID = result.id; diff --git a/src/test/users-test.js b/src/test/users-test.js index ee551db4b..efc0473e1 100644 --- a/src/test/users-test.js +++ b/src/test/users-test.js 
@@ -647,7 +647,7 @@ describe('User', function () { createOwner(function (error) { expect(error).to.not.be.ok(); - groups.create(NON_ADMIN_GROUP, [ /* roles */ ], function (error, result) { + groups.create(NON_ADMIN_GROUP, function (error, result) { expect(error).to.be(null); groupObject = result; diff --git a/src/users.js b/src/users.js index fdc9ebed7..287c08d9d 100644 --- a/src/users.js +++ b/src/users.js @@ -14,7 +14,6 @@ exports = module.exports = { verifyWithEmail: verifyWithEmail, remove: removeUser, get: get, - getWithRoles: getWithRoles, getByResetToken: getByResetToken, getAllAdmins: getAllAdmins, resetPasswordByIdentifier: resetPasswordByIdentifier, @@ -27,7 +26,9 @@ exports = module.exports = { setTwoFactorAuthenticationSecret: setTwoFactorAuthenticationSecret, enableTwoFactorAuthentication: enableTwoFactorAuthentication, disableTwoFactorAuthentication: disableTwoFactorAuthentication, - transferOwnership: transferOwnership + transferOwnership: transferOwnership, + + isAdmin: isAdmin }; var apps = require('./apps.js'), @@ -323,6 +324,10 @@ function count(callback) { }); } +function isAdmin(user) { + return user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1; +} + function get(userId, callback) { assert.strictEqual(typeof userId, 'string'); assert.strictEqual(typeof callback, 'function'); 
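Review bot: `isAdmin` dereferences `user.groupIds` unconditionally, so a user object that was loaded without its group list throws a `TypeError` from inside whichever callback invoked it — in this diff, `accesscontrol.validateToken` and `clients.addTokenByUserId`. In keeping with the file's assert style, `assert(Array.isArray(user.groupIds));` as the first line documents the contract and fails loudly, and the membership test reads better as `return user.groupIds.includes(constants.ADMIN_GROUP_ID);`. Since this function is now the single switch between the read-only and the full scope set, a one-line comment such as `// admin-group membership is the only thing that grants the full scope set (see accesscontrol.scopesForUser)` would make that explicit for the next reader.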
@@ -341,24 +346,6 @@ function get(userId, callback) { }); } -function getWithRoles(userId, callback) { - assert.strictEqual(typeof userId, 'string'); - assert.strictEqual(typeof callback, 'function'); - - userdb.get(userId, function (error, result) { - if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new UsersError(UsersError.NOT_FOUND)); - if (error) return callback(new UsersError(UsersError.INTERNAL_ERROR, error)); - - groups.getGroups(userId, function (error, userGroups) { - if (error) return callback(new UsersError(UsersError.INTERNAL_ERROR, error)); - - result.roles = _.uniq(_.flatten(userGroups.map(function (r) { return r.roles; }))); - - return callback(null, result); - }); - }); -} - function getByResetToken(email, resetToken, callback) { assert.strictEqual(typeof email, 'string'); assert.strictEqual(typeof resetToken, 'string');