Implement operator role for apps

There are two main use cases:
* A consultant/contractor/external developer is given access to just an app.
* "Service" personnel (say, the upstream app author) are to be given access to a single app
for debugging.

Since this is an "app admin", they are also given access to apps, to be consistent with
the idea that the Cloudron admin has access to all apps.

part of #791
Girish Ramakrishnan
2021-09-21 10:11:27 -07:00
parent f44fa2cf47
commit bb2ad0e986
7 changed files with 193 additions and 53 deletions


@@ -108,6 +108,63 @@ describe('Apps', function () {
});
});
describe('isOperator', function () {
const someuser = { id: 'someuser', groupIds: [], role: 'user' };
const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: 'admin' };
it('returns false for unrestricted access', function () {
expect(apps.isOperator({ operators: null }, someuser)).to.be(false);
});
it('returns true for allowed user', function () {
expect(apps.isOperator({ operators: { users: [ 'someuser' ] } }, someuser)).to.be(true);
});
it('returns true for allowed user with multiple allowed', function () {
expect(apps.isOperator({ operators: { users: [ 'foo', 'someuser', 'anotheruser' ] } }, someuser)).to.be(true);
});
it('returns false for not allowed user', function () {
expect(apps.isOperator({ operators: { users: [ 'foo' ] } }, someuser)).to.be(false);
});
it('returns false for not allowed user with multiple allowed', function () {
expect(apps.isOperator({ operators: { users: [ 'foo', 'anotheruser' ] } }, someuser)).to.be(false);
});
it('returns false for no group or user', function () {
expect(apps.isOperator({ operators: { users: [ ], groups: [ ] } }, someuser)).to.be(false);
});
it('returns false for invalid group or user', function () {
expect(apps.isOperator({ operators: { users: [ ], groups: [ 'nop' ] } }, someuser)).to.be(false);
});
it('returns true for admin user', function () {
expect(apps.isOperator({ operators: { users: [ ], groups: [ 'nop' ] } }, adminuser)).to.be(true);
});
});
describe('accessLevel', function () {
const someuser = { id: 'someuser', groupIds: [ 'ops' ], role: 'user' };
const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: 'admin' };
it('return user for normal user', function () {
expect(apps._accessLevel({ accessRestriction: null, operators: null }, someuser)).to.be('user');
expect(apps._accessLevel({ accessRestriction: null, operators: { users: [ ], groups: [ 'groupie' ] } }, someuser)).to.be('user');
});
it('returns operator for operator user', function () {
expect(apps._accessLevel({ accessRestriction: null, operators: { users: [ 'someuser' ], groups: [ 'groupie' ] } }, someuser)).to.be('operator');
expect(apps._accessLevel({ accessRestriction: null, operators: { users: [], groups: [ 'ops' ] } }, someuser)).to.be('operator');
});
it('returns admin for admin user', function () {
expect(apps._accessLevel({ accessRestriction: null, operators: null }, adminuser)).to.be('admin');
expect(apps._accessLevel({ accessRestriction: null, operators: { users: [], groups: [] } }, adminuser)).to.be('admin');
});
});
describe('crud', function () {
it('cannot get invalid app', async function () {
const result = await apps.get('nope');
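Review bot: Every case in the new `accessLevel` describe passes `accessRestriction: null`, so the deny path of this authorization check is never pinned: nothing asserts what `_accessLevel` returns for a non-admin, non-operator user whom the app's access restriction excludes. I would add one case with a restriction that omits `someuser` and `operators: null`, plus one where the same excluded user is listed as an operator, with the expected values taken from the implementation, which is not visible in this hunk. The `isOperator` describe also has no positive group match, because `someuser.groupIds` is empty there and the group path is only reached indirectly through `_accessLevel`; a direct case such as `expect(apps.isOperator({ operators: { users: [ ], groups: [ 'ops' ] } }, { id: 'someuser', groupIds: [ 'ops' ], role: 'user' })).to.be(true);` would cover it. The enclosing `describe('Apps', ...)` starts before the hunk and `describe('crud', ...)` continues after it.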