diff --git a/src/ldap.js b/src/ldap.js
index 17813881e..16be48715 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -10,6 +10,7 @@ var assert = require('assert'),
 apps = require('./apps.js'),
 async = require('async'),
 config = require('./config.js'),
+ constants = require('./constants.js'),
 DatabaseError = require('./databaseerror.js'),
 debug = require('debug')('box:ldap'),
 eventlog = require('./eventlog.js'),
@@ -57,6 +58,9 @@ function getUsersWithAccessToApp(req, callback) {
 async.filter(result, apps.hasAccessTo.bind(null, app), function (error, result) {
 if (error) return callback(new ldap.OperationsError(error.toString()));
+ // TODO: in the long run, we should probably get rid of this "admin" integration altogether
+ result.forEach(function (r) { r.admin = r.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1; });
+ callback(null, result);
 });
 });
diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index fa1e52341..82f3cc10f 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -14,6 +14,7 @@ var accesscontrol = require('../accesscontrol.js'),
 clients = require('../clients.js'),
 ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
 ClientsError = clients.ClientsError,
+ constants = require('../constants.js'),
 DatabaseError = require('../databaseerror.js'),
 HttpError = require('connect-lastmile').HttpError,
 LocalStrategy = require('passport-local').Strategy,
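Review bot: The admin derivation on the new forEach line, `r.admin = r.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1`, is the same expression the accessTokenAuth hunk in src/routes/accesscontrol.js inlines for its scope decision, now that users.js no longer computes it; two hand-maintained copies of a privilege check will drift. A single helper such as `function isAdmin(user) { return Array.isArray(user.groupIds) && user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1; }` exported from users.js and called from both places keeps the definition in one spot, and the TODO comment could name that helper as the thing to remove later. The loop also assumes every filtered result carries a groupIds array; if any result lacks it the callback throws instead of returning an OperationsError, which is worth confirming against the source of `result`. getUsersWithAccessToApp starts outside the hunk.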
@@ -106,7 +107,7 @@ function accessTokenAuth(accessToken, callback) {
 // scopes here can define what capabilities that token carries // passport put the 'info' object into req.authInfo, where we can further validate the scopes
- const userScope = user.admin ? '*' : 'profile';
+ const userScope = user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1 ? '*' : 'profile';
 var scope = accesscontrol.intersectScope(userScope, token.scope);
 // these clients do not require password checks unlike UI const skipPasswordVerification = token.clientId === 'cid-sdk' || token.clientId === 'cid-cli';
diff --git a/src/routes/profile.js b/src/routes/profile.js
index 542872907..37cdb7361 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -29,7 +29,6 @@ function get(req, res, next) {
 username: req.user.username,
 email: req.user.email,
 fallbackEmail: req.user.fallbackEmail,
- admin: req.user.admin,
 tokenScope: req.authInfo.authorizedScope,
 displayName: req.user.displayName,
 twoFactorAuthenticationEnabled: req.user.twoFactorAuthenticationEnabled
diff --git a/src/routes/test/profile-test.js b/src/routes/test/profile-test.js
index 1cffaf84b..b941e67c8 100644
--- a/src/routes/test/profile-test.js
+++ b/src/routes/test/profile-test.js
@@ -102,11 +102,10 @@ describe('Profile API', function () {
 expect(result.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(result.body.email).to.equal(EMAIL_0.toLowerCase());
 expect(result.body.fallbackEmail).to.equal(EMAIL_0.toLowerCase());
- expect(result.body.admin).to.be.ok();
 expect(result.body.displayName).to.be.a('string');
 expect(result.body.password).to.not.be.ok();
 expect(result.body.salt).to.not.be.ok();
- expect(result.body.tokenScope).to.be('apps,clients,cloudron,domains,mail,profile,settings,users');
+ expect(result.body.tokenScope).to.be(accesscontrol.VALID_SCOPES.join(','));
 user_0 = result.body;
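Review bot: The scope decision on the new line, `user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1 ? '*' : 'profile'`, throws a TypeError rather than falling back to 'profile' when `user.groupIds` is absent; the users.get hunk in this diff does set groupIds before calling back, but accessTokenAuth should not depend on every producer of `user` doing so. Splitting it into `const isAdmin = Array.isArray(user.groupIds) && user.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1;` and `const userScope = isAdmin ? '*' : 'profile';` keeps a malformed user object on the least-privilege path. Since users.js stops populating `user.admin`, any reader of that property that this diff does not touch now sees undefined; a search for remaining uses before merge would confirm none is left. accessTokenAuth continues outside the hunk.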
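Review bot: The new assertion `expect(result.body.tokenScope).to.be(accesscontrol.VALID_SCOPES.join(','))` references `accesscontrol`, but no hunk in this diff adds a require of the accesscontrol module to profile-test.js; unless it is already required further up the file, this and the same assertion in the -141, -198 and -219 hunks fail with a ReferenceError. Deriving the expectation from VALID_SCOPES also ties the test to the implementation: a scope accidentally added to VALID_SCOPES would still pass, whereas the removed literal pinned the admin scope set explicitly. If the intent is to check that '*' expands to every valid scope, asserting that is fine, but a separate fixed-list assertion would keep the regression check. The enclosing test callback starts outside the hunk.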
@@ -141,11 +140,10 @@ describe('Profile API', function () {
 expect(result.statusCode).to.equal(200);
 expect(result.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(result.body.email).to.equal(EMAIL_0.toLowerCase());
- expect(result.body.admin).to.be.ok();
 expect(result.body.displayName).to.be.a('string');
 expect(result.body.password).to.not.be.ok();
 expect(result.body.salt).to.not.be.ok();
- expect(result.body.tokenScope).to.be('apps,clients,cloudron,domains,mail,profile,settings,users');
+ expect(result.body.tokenScope).to.be(accesscontrol.VALID_SCOPES.join(','));
 done();
 });
 });
@@ -198,7 +196,7 @@ describe('Profile API', function () {
 expect(res.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_0_NEW.toLowerCase());
 expect(res.body.fallbackEmail).to.equal(EMAIL_0_NEW_FALLBACK.toLowerCase());
- expect(res.body.admin).to.equal(true);
+ expect(res.body.tokenScope).to.be(accesscontrol.VALID_SCOPES.join(','));
 expect(res.body.displayName).to.equal('');
 done();
@@ -219,7 +217,7 @@ describe('Profile API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_0_NEW.toLowerCase());
- expect(res.body.admin).to.be.ok();
+ expect(res.body.tokenScope).to.be(accesscontrol.VALID_SCOPES.join(','));
 expect(res.body.displayName).to.equal(DISPLAY_NAME_0_NEW);
 done();
diff --git a/src/routes/test/users-test.js b/src/routes/test/users-test.js
index 431985c5a..ae18a01e7 100644
--- a/src/routes/test/users-test.js
+++ b/src/routes/test/users-test.js
@@ -165,7 +165,7 @@ describe('Users API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_0.toLowerCase());
- expect(res.body.admin).to.be.ok();
+ expect(res.body.groupIds).to.eql(['admin']);
 done();
 });
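Review bot: The replacement assertion `expect(res.body.groupIds).to.eql(['admin']);` hard-codes the admin group id, while the -346 hunk in the same file compares against `constants.ADMIN_GROUP_ID`, so `constants` is already in scope here. Using `expect(res.body.groupIds).to.eql([ constants.ADMIN_GROUP_ID ]);` in this hunk and in the -196, -235 and -330 hunks keeps the tests aligned with the constant the server code checks. The enclosing test callback starts outside the hunk.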
@@ -196,7 +196,8 @@ describe('Users API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_0.toLowerCase());
- expect(res.body.admin).to.be.ok();
+ expect(res.body.groupIds).to.eql(['admin']);
+ done();
 });
 });
@@ -235,7 +236,7 @@ describe('Users API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_0.toLowerCase());
- expect(res.body.admin).to.be.ok();
+ expect(res.body.groupIds).to.eql(['admin']);
 expect(res.body.displayName).to.be.a('string');
 expect(res.body.password).to.not.be.ok();
 expect(res.body.salt).to.not.be.ok();
@@ -330,7 +331,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(200);
- expect(res.body.admin).to.equal(true);
+ expect(res.body.groupIds).to.eql(['admin']);
 done();
@@ -346,7 +347,6 @@ describe('Users API', function () {
 expect(res.body.users).to.be.an('array');
 res.body.users.forEach(function (user) {
- expect(user.admin).to.be(true);
 expect(user.groupIds).to.eql([ constants.ADMIN_GROUP_ID ]);
 });
 done();
@@ -374,7 +374,7 @@ describe('Users API', function () {
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(200);
- expect(res.body.admin).to.equal(false);
+ expect(res.body.groupIds).to.eql([ groupObject.id ]);
 done();
@@ -461,7 +461,7 @@ describe('Users API', function () {
 expect(result.statusCode).to.equal(200);
 expect(result.body.username).to.equal(USERNAME_2.toLowerCase());
 expect(result.body.email).to.equal(EMAIL_2.toLowerCase());
- expect(result.body.admin).to.not.be.ok();
+ expect(result.body.groupIds).to.eql([]);
 done();
 });
@@ -503,7 +503,6 @@ describe('Users API', function () {
 expect(user.password).to.not.be.ok();
 expect(user.salt).to.not.be.ok();
 expect(user.groupIds).to.be.an(Array);
- expect(user.admin).to.be.a('boolean');
 });
 done();
@@ -622,7 +621,6 @@ describe('Users API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_2.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_2_NEW.toLowerCase());
- expect(res.body.admin).to.equal(false);
 expect(res.body.displayName).to.equal('');
 done();
@@ -643,7 +641,6 @@ describe('Users API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_2.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_2.toLowerCase());
- expect(res.body.admin).to.equal(false);
 expect(res.body.displayName).to.equal('');
 done();
@@ -664,7 +661,6 @@ describe('Users API', function () {
 expect(res.statusCode).to.equal(200);
 expect(res.body.username).to.equal(USERNAME_0.toLowerCase());
 expect(res.body.email).to.equal(EMAIL_0.toLowerCase());
- expect(res.body.admin).to.be.ok();
 expect(res.body.displayName).to.equal(DISPLAY_NAME_0_NEW);
 done();
diff --git a/src/users.js b/src/users.js
index 3a20771d0..4cc34d3d1 100644
--- a/src/users.js
+++ b/src/users.js
@@ -298,10 +298,6 @@ function list(callback) {
 userdb.getAllWithGroupIds(function (error, results) {
 if (error) return callback(new UsersError(UsersError.INTERNAL_ERROR, error));
- results.forEach(function (result) {
- result.admin = result.groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1;
- });
- return callback(null, results);
 });
 }
@@ -328,7 +324,6 @@ function get(userId, callback) {
 if (error) return callback(new UsersError(UsersError.INTERNAL_ERROR, error));
 result.groupIds = groupIds;
- result.admin = groupIds.indexOf(constants.ADMIN_GROUP_ID) !== -1;
 return callback(null, result);
 });