add manage user permission

This commit is contained in:
Girish Ramakrishnan
2020-02-13 22:06:54 -08:00
parent 11b5304cb9
commit c537dfabb2
17 changed files with 139 additions and 42 deletions


@@ -42,13 +42,21 @@ function create(req, res, next) {
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
if ('password' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));
if ('admin' in req.body && typeof req.body.admin !== 'boolean') return next(new HttpError(400, 'admin flag must be a boolean'));
if ('permissions' in req.body) {
if (!Array.isArray(req.body.permissions)) return next(new HttpError(400, 'permissions must be an array'));
if (req.body.permissions.some((p) => typeof p !== 'string')) return next(new HttpError(400, 'permissions array must contain strings'));
}
if (!req.user.admin) {
if ('admin' in req.body || 'permissions' in req.body) return next(new HttpError(403, 'Only admin add admins or set permissions'));
}
var password = req.body.password || null;
var email = req.body.email;
var username = 'username' in req.body ? req.body.username : null;
var displayName = req.body.displayName || '';
users.create(username, password, email, displayName, { invitor: req.user, admin: req.body.admin }, auditSource.fromRequest(req), function (error, user) {
users.create(username, password, email, displayName, { invitor: req.user, admin: req.body.admin, permissions: req.body.permissions }, auditSource.fromRequest(req), function (error, user) {
if (error) return next(BoxError.toHttpError(error));
next(new HttpSuccess(201, users.removePrivateFields(user)));
@@ -71,8 +79,17 @@ function update(req, res, next) {
if (req.user.id === req.resource.id && !req.body.admin) return next(new HttpError(409, 'Cannot remove admin flag on self'));
}
if ('permissions' in req.body) {
if (!Array.isArray(req.body.permissions)) return next(new HttpError(400, 'permissions must be an array'));
if (req.body.permissions.some((p) => typeof p !== 'string')) return next(new HttpError(400, 'permissions array must contain strings'));
}
if ('active' in req.body && typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
if (!req.user.admin) {
if ('admin' in req.body || 'permissions' in req.body) return next(new HttpError(403, 'Only admin add admins or set permissions'));
}
users.update(req.resource, req.body, auditSource.fromRequest(req), function (error) {
if (error) return next(BoxError.toHttpError(error));
@@ -109,6 +126,7 @@ function remove(req, res, next) {
assert.strictEqual(typeof req.resource, 'object');
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot remove admin user'));
users.remove(req.resource, auditSource.fromRequest(req), function (error) {
if (error) return next(BoxError.toHttpError(error));
@@ -134,6 +152,8 @@ function verifyPassword(req, res, next) {
function createInvite(req, res, next) {
assert.strictEqual(typeof req.resource, 'object');
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot reset admin user'));
users.createInvite(req.resource, function (error, result) {
if (error) return next(BoxError.toHttpError(error));
@@ -144,6 +164,8 @@ function createInvite(req, res, next) {
function sendInvite(req, res, next) {
assert.strictEqual(typeof req.resource, 'object');
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot invite admin user'));
users.sendInvite(req.resource, { invitor: req.user }, function (error) {
if (error) return next(BoxError.toHttpError(error));
@@ -156,6 +178,7 @@ function setGroups(req, res, next) {
assert.strictEqual(typeof req.resource, 'object');
if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot modify admin user'));
users.setMembership(req.resource, req.body.groupIds, function (error) {
if (error) return next(BoxError.toHttpError(error));
@@ -169,6 +192,7 @@ function changePassword(req, res, next) {
assert.strictEqual(typeof req.resource, 'object');
if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a string'));
if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot modify admin user'));
users.setPassword(req.resource, req.body.password, function (error) {
if (error) return next(BoxError.toHttpError(error));
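Review bot: The new non-admin guard in update (`if (!req.user.admin) { if ('admin' in req.body || 'permissions' in req.body) ... }`) only blocks escalation of the admin flag and permissions, whereas every other handler in this change (remove, createInvite, sendInvite, setGroups, changePassword) also refuses to touch an admin target with `if (!req.user.admin && req.resource.admin)`; nothing equivalent is visible in the update hunk, so a non-admin caller that reaches this route could still change an admin's other fields, including `active: false` validated just above, and then `users.update(req.resource, req.body, ...)` forwards the whole body. Adding `if (!req.user.admin && req.resource.admin) return next(new HttpError(403, 'Non-admin cannot modify admin user'));` beside the new guard would make update consistent with its siblings. The start of update is outside the hunk, so such a check may already exist there; if it does, this is moot. Separately, the 403 text in both create and update reads `'Only admin add admins or set permissions'` and would be clearer as `'Only admins can add admins or set permissions'`.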