diff --git a/src/routes/users.js b/src/routes/users.js
index 84a62cbf7..8025a7c9b 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -13,6 +13,7 @@ exports = module.exports = {
 setGroups,
 setAvatar,
 clearAvatar,
+ makeOwner,
 load
 };
@@ -216,3 +217,19 @@ function clearAvatar(req, res, next) {
 next(new HttpSuccess(202, {}));
 });
 }
+
+// This route transfers ownership from token user to user specified in path param
+function makeOwner(req, res, next) {
+ assert.strictEqual(typeof req.resource, 'object');
+
+ // first make new one owner, then devote current one
+ users.update(req.resource, { role: users.ROLE_OWNER }, auditSource.fromRequest(req), function (error) {
+ if (error) return next(BoxError.toHttpError(error));
+
+ users.update(req.user, { role: users.ROLE_USER }, auditSource.fromRequest(req), function (error) {
+ if (error) return next(BoxError.toHttpError(error));
+
+ next(new HttpSuccess(204));
+ });
+ });
+}
diff --git a/src/server.js b/src/server.js
index 4be30b9b3..0b5e274c1 100644
--- a/src/server.js
+++ b/src/server.js
@@ -174,6 +174,7 @@ function initializeExpressSync() {
 router.post('/api/v1/users/:userId', json, token, authorizeUserManager, routes.users.load, routes.users.update);
 router.post('/api/v1/users/:userId/password', json, token, authorizeUserManager, routes.users.load, routes.users.changePassword);
 router.put ('/api/v1/users/:userId/groups', json, token, authorizeUserManager, routes.users.load, routes.users.setGroups);
+ router.post('/api/v1/users/:userId/make_owner', json, token, authorizeOwner, routes.users.load, routes.users.makeOwner);
 router.post('/api/v1/users/:userId/send_invite', json, token, authorizeUserManager, routes.users.load, routes.users.sendInvite);
 router.post('/api/v1/users/:userId/create_invite', json, token, authorizeUserManager, routes.users.load, routes.users.createInvite);
 router.post('/api/v1/users/:userId/avatar', json, token, authorizeUserManager, routes.users.load, multipart, routes.users.setAvatar);
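Review bot: makeOwner never checks that the target differs from the caller, so an owner who posts to make_owner with their own userId is promoted by the first `users.update` and then demoted to `users.ROLE_USER` by the second, which could leave the installation without an owner. A guard before the first update would close this, e.g. `if (req.resource.id === req.user.id) return next(new HttpError(409, 'Cannot transfer ownership to yourself'));` (assuming both objects carry `id` and HttpError is imported next to HttpSuccess). The two updates are also not atomic: if the demotion fails after the promotion succeeded, the handler returns an error while two owners exist, so either run both role changes in one transaction inside `users` or have the error path log and report that partial state. In the inline comment, "devote" should read "demote".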
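Review bot: Ownership transfer on the new make_owner route is gated only by `token` and `authorizeOwner`, and makeOwner reads nothing from the body that `json` parses, so a leaked or stolen owner token appears sufficient to hand the installation to another account. For an action this sensitive, consider requiring the owner's current password (or a second factor) in the request body and verifying it before `routes.users.makeOwner` runs; whether `token` already enforces a fresh login is not visible in this hunk. A short comment on the route line, such as `// owner only: transfers ownership to :userId and demotes the caller`, would also make the different authorizer stand out among the `authorizeUserManager` routes around it.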