Remove redundant requireAdmin

We already hand out scopes based on the user's access control
2018-04-27 21:47:11 -07:00
parent 9789966017
commit bc4f9cf596
7 changed files with 116 additions and 109 deletions
@@ -32,7 +32,7 @@ function scope(requestedScope) {

        function (req, res, next) {
            var error = accesscontrol.validateRequestedScopes(req.authInfo || null, requestedScopes);
-            if (error) return next(new HttpError(401, error.message));
+            if (error) return next(new HttpError(403, error.message));

            next();
        }
@@ -6,7 +6,8 @@

 'use strict';

-var async = require('async'),
+var accesscontrol = require('../../accesscontrol.js'),
+    async = require('async'),
    config = require('../../config.js'),
    database = require('../../database.js'),
    expect = require('expect.js'),
@@ -62,7 +63,7 @@ function setup(done) {
            token_1 = tokendb.generateToken();

            // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-            tokendb.add(token_1, USER_1_ID, 'test-client-id',  Date.now() + 100000, '*', callback);
+            tokendb.add(token_1, USER_1_ID, 'test-client-id',  Date.now() + 100000, accesscontrol.SCOPE_PROFILE, callback);
        }

    ], done);
@@ -6,7 +6,8 @@

 'use strict';

-var async = require('async'),
+var accesscontrol = require('../../accesscontrol.js'),
+    async = require('async'),
    config = require('../../config.js'),
    database = require('../../database.js'),
    expect = require('expect.js'),
@@ -69,7 +70,7 @@ function setup(done) {
                    userId_1 = result.body.id;

                    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-                    tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, '*', callback);
+                    tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, accesscontrol.SCOPE_PROFILE, callback);
                });
        }
    ], done);
@@ -279,6 +280,20 @@ describe('Groups API', function () {
                });
        });

+        it('can add user_1 to admin', function (done) {
+            superagent.put(SERVER_URL + '/api/v1/users/' + userId_1 + '/groups')
+                .query({ access_token: token })
+                .send({ groupIds: [ 'admin' ]})
+                .end(function (error, result) {
+                    expect(result.statusCode).to.equal(204);
+
+                    token_1 = tokendb.generateToken();
+
+                    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
+                    tokendb.add(token_1, userId_1, 'test-client-id',  Date.now() + 100000, accesscontrol.SCOPE_ANY, done);
+                });
+        });
+
        it('remove activation user from admin', function (done) {
            superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')
                .query({ access_token: token_1 })
@@ -5,7 +5,8 @@

 'use strict';

-var async = require('async'),
+var accesscontrol = require('../../accesscontrol.js'),
+    async = require('async'),
    config = require('../../config.js'),
    constants = require('../../constants.js'),
    database = require('../../database.js'),
@@ -174,7 +175,7 @@ describe('Users API', function () {
        var token = tokendb.generateToken();
        var expires = Date.now() + 2000; // 1 sec

-        tokendb.add(token, user_0.id, null, expires, '*', function (error) {
+        tokendb.add(token, user_0.id, null, expires, accesscontrol.SCOPE_PROFILE, function (error) {
            expect(error).to.not.be.ok();

            setTimeout(function () {
@@ -270,7 +271,7 @@ describe('Users API', function () {
                expect(error).to.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
-        });
+            });
    });

    it('create second user succeeds', function (done) {
@@ -287,7 +288,7 @@ describe('Users API', function () {

                checkMails(2, function () {
                    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
-                    tokendb.add(token_1, user_1.id, 'test-client-id',  Date.now() + 10000, '*', done);
+                    tokendb.add(token_1, user_1.id, 'test-client-id',  Date.now() + 10000, accesscontrol.SCOPE_PROFILE, done);
                });
            });
    });
@@ -681,7 +682,7 @@ describe('Users API', function () {
                expect(error).to.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
-        });
+            });
    });

    it('can create user with a password', function (done) {
@@ -697,7 +698,7 @@ describe('Users API', function () {
                token = tokendb.generateToken();
                var expires = Date.now() + 2000; // 1 sec

-                tokendb.add(token, user_4.id, null, expires, '*', done);
+                tokendb.add(token, user_4.id, null, expires, accesscontrol.SCOPE_PROFILE, done);
            });
    });

@@ -7,7 +7,6 @@ exports = module.exports = {
    create: create,
    remove: remove,
    verifyPassword: verifyPassword,
-    requireAdmin: requireAdmin,
    sendInvite: sendInvite,
    setGroups: setGroups
 };
@@ -146,17 +145,6 @@ function verifyPassword(req, res, next) {
    });
 }

-/*
-    Middleware which makes the route only accessable for the admin user.
-*/
-function requireAdmin(req, res, next) {
-    assert.strictEqual(typeof req.user, 'object');
-
-    if (!req.user.admin) return next(new HttpError(403, 'API call requires admin rights.'));
-
-    next();
-}
-
 function sendInvite(req, res, next) {
    assert.strictEqual(typeof req.params.userId, 'string');