users: cannot update profile fields of external user
+43
-17
@@ -2,10 +2,14 @@
|
||||
|
||||
exports = module.exports = {
|
||||
get,
|
||||
update,
|
||||
list,
|
||||
add,
|
||||
del,
|
||||
|
||||
setRole,
|
||||
setActive,
|
||||
updateProfile,
|
||||
|
||||
setPassword,
|
||||
verifyPassword,
|
||||
setGroups,
|
||||
@@ -32,7 +36,8 @@ const assert = require('assert'),
|
||||
HttpError = require('connect-lastmile').HttpError,
|
||||
HttpSuccess = require('connect-lastmile').HttpSuccess,
|
||||
safe = require('safetydance'),
|
||||
users = require('../users.js');
|
||||
users = require('../users.js'),
|
||||
_ = require('underscore');
|
||||
|
||||
async function load(req, res, next) {
|
||||
assert.strictEqual(typeof req.params.userId, 'string');
|
||||
@@ -70,7 +75,40 @@ async function add(req, res, next) {
|
||||
next(new HttpSuccess(201, { id }));
|
||||
}
|
||||
|
||||
async function update(req, res, next) {
|
||||
async function setRole(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
|
||||
if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
|
||||
|
||||
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.update(req.resource, { role: req.body.role }, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
}
|
||||
|
||||
async function setActive(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
|
||||
if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.update(req.resource, { active: req.body.active }, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
}
|
||||
|
||||
async function updateProfile(req, res, next) {
|
||||
assert.strictEqual(typeof req.resource, 'object');
|
||||
assert.strictEqual(typeof req.user, 'object');
|
||||
assert.strictEqual(typeof req.body, 'object');
|
||||
@@ -79,23 +117,11 @@ async function update(req, res, next) {
|
||||
if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
|
||||
if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
|
||||
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
|
||||
if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a string'));
|
||||
|
||||
if ('role' in req.body) {
|
||||
if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));
|
||||
|
||||
if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
|
||||
}
|
||||
|
||||
if ('active' in req.body) {
|
||||
if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
|
||||
if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
|
||||
}
|
||||
|
||||
if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));
|
||||
|
||||
const [error] = await safe(users.update(req.resource, req.body, AuditSource.fromRequest(req)));
|
||||
const data = _.pick(req.body, 'username', 'email', 'fallbackEmail', 'displayName');
|
||||
const [error] = await safe(users.updateProfile(req.resource, data, AuditSource.fromRequest(req)));
|
||||
if (error) return next(BoxError.toHttpError(error));
|
||||
|
||||
next(new HttpSuccess(204));
|
||||
|
||||
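Review bot: In updateProfile, the line `const data = _.pick(req.body, 'username', 'email', 'fallbackEmail', 'displayName');` silently discards every other body key, so a client that still sends `role` or `active` (which the removed `update` code validated and then passed through to users.update) now receives a 204 while the field is ignored; rejecting unsupported keys explicitly preserves the 400 contract and makes the new setRole/setActive split visible to callers, e.g. `const unknown = Object.keys(req.body).filter((k) => !['username', 'email', 'fallbackEmail', 'displayName'].includes(k));` followed by `if (unknown.length !== 0) return next(new HttpError(400, 'unsupported profile field'));` placed before the pick. The external-user restriction named in the commit title does not appear anywhere in this section, so it presumably lives in users.updateProfile; if that is where it is enforced, a one-line comment at the call site such as `// external users cannot change profile fields; enforced in users.updateProfile` would tell the next reader where to look. The `_` dependency added in the imports hunk is used only for this pick, and a destructuring assignment of the four allowed fields from req.body would express the same allowlist without the extra module. updateProfile begins in the previous hunk and its closing brace is outside this one, so whatever follows `next(new HttpSuccess(204));` is not visible here.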