diff --git a/src/groupdb.js b/src/groupdb.js
index ed802f11f..c9cf3ef9d 100644
--- a/src/groupdb.js
+++ b/src/groupdb.js
@@ -76,7 +76,7 @@ function clear(callback) {
 database.query('DELETE FROM groupMembers', function (error) {
 if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
- database.query('DELETE FROM groups', function (error) {
+ database.query('DELETE FROM groups WHERE id != ?', [ 'gid:admin' ], function (error) {
 if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
 
 callback(error);
diff --git a/src/routes/test/oauth2-test.js b/src/routes/test/oauth2-test.js
index 17f54a87d..39a2193ef 100644
--- a/src/routes/test/oauth2-test.js
+++ b/src/routes/test/oauth2-test.js
@@ -292,7 +292,7 @@ describe('OAuth2', function () {
 appdb.add.bind(null, APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, APP_1.portBindings, APP_1.accessRestriction, APP_1.oauthProxy),
 appdb.add.bind(null, APP_2.id, APP_2.appStoreId, APP_2.manifest, APP_2.location, APP_2.portBindings, APP_2.accessRestriction, APP_2.oauthProxy),
 function (callback) {
- user.create(USER_0.username, USER_0.password, USER_0.email, USER_0.displayName, true, '', false, function (error, userObject) {
+ user.create(USER_0.username, USER_0.password, USER_0.email, USER_0.displayName, function (error, userObject) {
 expect(error).to.not.be.ok();
 
 // update the global objects to reflect the new user id
diff --git a/src/routes/user.js b/src/routes/user.js
index 356dccede..b05853ed4 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -18,6 +18,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
 generatePassword = require('../password.js').generate,
+ groups = require('../groups.js'),
 HttpError = require('connect-lastmile').HttpError,
 HttpSuccess = require('connect-lastmile').HttpSuccess,
 user = require('../user.js'),
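Review bot: The admin group id is hard-coded as the literal `'gid:admin'` in the new DELETE, while the rest of this change refers to the same value as `groups.ADMIN_GROUP_ID` (see the routes/user.js hunks and the line removed from user-test.js); two spellings of one authorization-relevant identifier will drift apart eventually. If groups.js already requires groupdb.js, a direct require here would be circular, so the cleaner option is to define the id once at module level in groupdb.js and have groups.js take it from there, then pass `[ ADMIN_GROUP_ID ]` instead of the literal. The statement also deserves a why-comment because the preceding `DELETE FROM groupMembers` still wipes the admin group's memberships while this one keeps its row, e.g. `// keep the built-in admin group row; its memberships were cleared above`. clear begins outside the hunk.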
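Review bot: USER_0 is now created with plain `user.create(...)`, whereas the ldap-test setup in this same change creates its first user with `user.createOwner(...)`; the dropped `true` argument previously marked this user an admin, so if any OAuth2 test below relies on USER_0 having admin rights (now derived from admin-group membership), this call should be `user.createOwner(USER_0.username, USER_0.password, USER_0.email, USER_0.displayName, function (error, userObject) {` as well. I cannot see from the hunk whether the later assertions depend on that, so this may be intentional; the enclosing setup function continues outside the hunk.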
@@ -146,13 +147,17 @@ function info(req, res, next) {
 if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
 if (error) return next(new HttpError(500, error));
 
- next(new HttpSuccess(200, {
- id: result.id,
- username: result.username,
- email: result.email,
- admin: result.admin,
- displayName: result.displayName
- }));
+ groups.isMember(groups.ADMIN_GROUP_ID, req.params.userId, function (error, isAdmin) {
+ if (error) return next(new HttpError(500, error));
+
+ next(new HttpSuccess(200, {
+ id: result.id,
+ username: result.username,
+ email: result.email,
+ admin: isAdmin,
+ displayName: result.displayName
+ }));
+ });
 });
 }
 
@@ -200,9 +205,15 @@ function verifyPassword(req, res, next) {
 function requireAdmin(req, res, next) {
 assert.strictEqual(typeof req.user, 'object');
 
- if (!req.user.admin) return next(new HttpError(403, 'API call requires admin rights.'));
+ groups.isMember(groups.ADMIN_GROUP_ID, req.user.id, function (error, isAdmin) {
+ if (error) return next(new HttpError(500, error));
 
- next();
+ if (!isAdmin) return next(new HttpError(403, 'API call requires admin rights.'));
+
+ req.user.admin = true;
+
+ next();
+ });
 }
 
 function sendInvite(req, res, next) {
diff --git a/src/test/database-test.js b/src/test/database-test.js
index afdebd689..c42a22c80 100644
--- a/src/test/database-test.js
+++ b/src/test/database-test.js
@@ -16,7 +16,8 @@ var appdb = require('../appdb.js'),
 async = require('async'),
 settingsdb = require('../settingsdb.js'),
 tokendb = require('../tokendb.js'),
- userdb = require('../userdb.js');
+ userdb = require('../userdb.js'),
+ _ = require('underscore');
 
 describe('database', function () {
 before(function (done) {
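Review bot: The new callback's `error` parameter shadows the outer `error` from the user lookup at the top of the hunk, so the two failure paths are one typo away from reporting the wrong object on the 500 response; renaming it to `membershipError` in both the callback signature and the guard keeps both visible. The membership check is keyed on `req.params.userId` while the rest of the response is built from `result`; if the lookup above was by id those agree, but `result.id` would tie the admin flag to the record actually being returned. Since `admin` is now derived from group membership and may differ from whatever `result.admin` still carries, a one-line comment such as `// admin is derived from admin-group membership, not from the stored user record` would keep a later reader from "fixing" it back. info begins outside the hunk.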
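Review bot: `req.user.admin = true` is reconciled with group membership only inside this middleware, so any handler that reads `req.user.admin` without sitting behind `requireAdmin` still sees whatever value `req.user` was populated with elsewhere, and the info hunk above shows that the stored flag and group membership can now disagree. Authorization wants a single source of truth: either derive `admin` from `groups.isMember` at the point where `req.user` is populated, or stop reading the field downstream, and in the meantime document the assignment, e.g. `// downstream handlers still read req.user.admin; keep it consistent with the membership check that just passed`. Failing closed with a 500 on a lookup error is the right default here. Pre-existing but adjacent: `assert.strictEqual(typeof req.user, 'object')` also passes for `null`, in which case `req.user.id` throws a TypeError rather than producing a clean 401/403.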
@@ -118,12 +119,16 @@ describe('database', function () {
 });
 });
 
- it('can get all', function (done) {
- userdb.getAll(function (error, all) {
+ it('can get all with group ids', function (done) {
+ userdb.getAllWithGroupIds(function (error, all) {
 expect(error).to.not.be.ok();
 expect(all.length).to.equal(2);
- expect(all[0]).to.eql(USER_0);
- expect(all[1]).to.eql(USER_1);
+ var user0Copy = _.extend({}, USER_0);
+ user0Copy.groupIds = [ ];
+ expect(all[0]).to.eql(user0Copy);
+ var user1Copy = _.extend({}, USER_1);
+ user1Copy.groupIds = [ ];
+ expect(all[1]).to.eql(user1Copy);
 done();
 });
 });
diff --git a/src/test/ldap-test.js b/src/test/ldap-test.js
index cf4b2a43f..204a307e6 100644
--- a/src/test/ldap-test.js
+++ b/src/test/ldap-test.js
@@ -15,18 +15,20 @@ var database = require('../database.js'),
 ldapServer = require('../ldap.js'),
 ldap = require('ldapjs');
 
+// owner
 var USER_0 = {
- username: 'foobar0',
- password: 'Foobar?1234',
- email: 'foo0@bar.com',
- displayName: 'Bob bobson'
+ username: 'username0',
+ password: 'Username0pass?1234',
+ email: 'user0@email.com',
+ displayName: 'User 0'
 };
 
+// normal user
 var USER_1 = {
- username: 'foobar1',
- password: 'Foobar?12345',
- email: 'foo1@bar.com',
- displayName: 'Jesus'
+ username: 'username1',
+ password: 'Username1pass?12345',
+ email: 'user1@email.com',
+ displayName: 'User 1'
 };
 
 function setup(done) {
@@ -34,7 +36,7 @@ function setup(done) {
 database.initialize.bind(null),
 database._clear.bind(null),
 ldapServer.start.bind(null),
- user.create.bind(null, USER_0.username, USER_0.password, USER_0.email, USER_0.displayName),
+ user.createOwner.bind(null, USER_0.username, USER_0.password, USER_0.email, USER_0.displayName),
 user.create.bind(null, USER_1.username, USER_1.password, USER_1.email, USER_0.displayName, { invitor: USER_0 })
 ], done);
 }
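Review bot: Both new expectations assert `groupIds` equal to `[ ]`, so the GROUP_CONCAT path behind `getAllWithGroupIds` is only exercised for users with no memberships; the conversion of the concatenated string into an array, and the NULL case next to a populated one, are never checked against a non-empty result. Adding one membership before the call (a `groupMembers` row for USER_0 in the test setup) and asserting `expect(all[0].groupIds).to.eql([ <that group id> ])` would cover the join and the array ordering. I cannot see from the hunk how USER_0 and USER_1 are inserted, so the setup may also need a group row to exist first.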
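Review bot: The USER_1 creation on the context line directly below the changed one still passes `USER_0.displayName`, so the second user is created with the first user's display name; this predates the commit but sits in the setup it rewrites, and `USER_1.displayName` is presumably what was intended. Worth fixing while the line is being touched, since the ldap filter tests further down match on user attributes. setup begins outside the hunk.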
@@ -81,7 +83,7 @@ describe('Ldap', function () {
 var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
 
 var opts = {
- filter: '(&(l=Seattle)(email=*@foo.com))'
+ filter: '(&(l=Seattle)(email=*@email.com))'
 };
 
 client.search('o=example', opts, function (error, result) {
@@ -127,7 +129,7 @@ describe('Ldap', function () {
 var client = ldap.createClient({ url: 'ldap://127.0.0.1:' + config.get('ldapPort') });
 
 var opts = {
- filter: '&(objectcategory=person)(username=foobar*)'
+ filter: '&(objectcategory=person)(username=username*)'
 };
 
 client.search('ou=users,dc=cloudron', opts, function (error, result) {
diff --git a/src/test/user-test.js b/src/test/user-test.js
index 12fa5e6fc..62919aea6 100644
--- a/src/test/user-test.js
+++ b/src/test/user-test.js
@@ -29,7 +29,6 @@ var userObject = null;
 function cleanupUsers(done) {
 async.series([
 groupdb._clear,
- database.query.bind(null, 'INSERT INTO groups (id, name) VALUES (?, ?)', [ groups.ADMIN_GROUP_ID, 'admin' ]),
 userdb._clear,
 mailer._clearMailQueue
 ], done);
diff --git a/src/user.js b/src/user.js
index 24cc119ea..86a633c7d 100644
--- a/src/user.js
+++ b/src/user.js
@@ -222,7 +222,7 @@ function removeUser(userId, callback) {
 function listUsers(callback) {
 assert.strictEqual(typeof callback, 'function');
 
- userdb.getAll(function (error, result) {
+ userdb.getAllWithGroupIds(function (error, result) {
 if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));
 
 var allUsers = result.map(function (obj) {
diff --git a/src/userdb.js b/src/userdb.js
index d36166b92..6b0d50afd 100644
--- a/src/userdb.js
+++ b/src/userdb.js
@@ -7,7 +7,7 @@ exports = module.exports = {
 getByAccessToken: getByAccessToken,
 getByResetToken: getByResetToken,
 getOwner: getOwner,
- getAll: getAll,
+ getAllWithGroupIds: getAllWithGroupIds,
 getAllAdmins: getAllAdmins,
 add: add,
 del: del,
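Review bot: `listUsers` now pays for the groupMembers join on every listing, but the `result.map(...)` that shapes `allUsers` continues outside the hunk, so it is not visible whether the mapped objects actually expose `groupIds`; if they do not, the heavier query is wasted, and if they do, callers of `listUsers` now receive group ids and the function's contract should say so, e.g. `// each returned user carries groupIds (array of group ids the user belongs to)` above the call. listUsers runs past the end of the hunk.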
@@ -84,7 +84,7 @@ function getByResetToken(resetToken, callback) {
 });
 }
 
-function getAll(callback) {
+function getAllWithGroupIds(callback) {
 assert.strictEqual(typeof callback, 'function');
 
 database.query('SELECT ' + USERS_FIELDS + ',GROUP_CONCAT(groupMembers.groupId) AS groupIds ' +
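Review bot: `GROUP_CONCAT(groupMembers.groupId)` yields a comma-joined string (NULL for a user with no memberships), and if this runs on MySQL the result is silently truncated at `group_concat_max_len` (1024 bytes by default), so a user in many groups would come back with a clipped, possibly partial last id — a bad failure mode when `groupIds` feeds authorization decisions such as admin-group membership. The query deserves a comment stating that, e.g. `// groupIds is a comma-joined string, NULL when the user has no memberships; on MySQL GROUP_CONCAT is truncated at group_concat_max_len`, and either the session variable should be raised on the connection or memberships read with a second query if group counts can grow. The JOIN, GROUP BY and the mapping that turns the string into the array asserted in database-test.js are outside the hunk, so I am assuming that mapping exists; getAllWithGroupIds runs past the end of the hunk.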