diff --git a/src/apps.js b/src/apps.js
index 301295e69..6e639f51b 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -1,7 +1,7 @@
 'use strict';
 exports = module.exports = {
- hasAccessTo,
+ canAccess,
 removeInternalFields,
 removeRestrictedFields,
@@ -581,7 +581,7 @@ function attachProperties(app, domainObjectMap) {
 app.aliasDomains.forEach(function (ad) { ad.fqdn = dns.fqdn(ad.subdomain, domainObjectMap[ad.domain]); });
 }
-function hasAccessTo(app, user) {
+function canAccess(app, user) {
 assert.strictEqual(typeof app, 'object');
 assert.strictEqual(typeof user, 'object');
@@ -901,7 +901,7 @@ async function listByUser(user) {
 assert.strictEqual(typeof user, 'object');
 const result = await list();
- return result.filter((app) => hasAccessTo(app, user));
+ return result.filter((app) => canAccess(app, user));
 }
 async function downloadManifest(appStoreId, manifest) {
diff --git a/src/ldap.js b/src/ldap.js
index 249ec3983..23a77648e 100644
--- a/src/ldap.js
+++ b/src/ldap.js
@@ -53,7 +53,7 @@ async function getUsersWithAccessToApp(req) {
 assert.strictEqual(typeof req.app, 'object');
 const result = await users.list();
- const allowedUsers = result.filter((user) => apps.hasAccessTo(req.app, user));
+ const allowedUsers = result.filter((user) => apps.canAccess(req.app, user));
 return allowedUsers;
 }
@@ -472,9 +472,9 @@ async function authorizeUserForApp(req, res, next) {
 assert.strictEqual(typeof req.user, 'object');
 assert.strictEqual(typeof req.app, 'object');
- const hasAccess = apps.hasAccessTo(req.app, req.user);
+ const canAccess = apps.canAccess(req.app, req.user);
 // we return no such object, to avoid leakage of a users existence
- if (!hasAccess) return next(new ldap.NoSuchObjectError(req.dn.toString()));
+ if (!canAccess) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 await eventlog.upsertLoginEvent(eventlog.ACTION_USER_LOGIN, { authType: 'ldap', appId: req.app.id }, { userId: req.user.id, user: users.removePrivateFields(req.user) });
@@ -586,8 +586,8 @@ async function userSearchSftp(req, res, next) {
 if (req.requireAdmin && users.compareRoles(user.role, users.ROLE_ADMIN) < 0) return next(new ldap.InsufficientAccessRightsError('Insufficient previleges'));
- const hasAccess = apps.hasAccessTo(app, user);
- if (!hasAccess) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
+ const canAccess = apps.canAccess(app, user);
+ if (!canAccess) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
 const obj = {
 dn: ldap.parseDN(`cn=${username}@${appFqdn},ou=sftp,dc=cloudron`).toString(),
diff --git a/src/proxyauth.js b/src/proxyauth.js
index f69eaa0f8..a0f7ffc6e 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -167,7 +167,7 @@ async function authorize(req, res, next) {
 const [error, app] = await safe(apps.get(appId));
 if (error) return next(new HttpError(403, 'No such app' ));
- if (!apps.hasAccessTo(app, req.user)) return next(new HttpError(403, 'Forbidden' ));
+ if (!apps.canAccess(app, req.user)) return next(new HttpError(403, 'Forbidden' ));
 const token = jwt.sign({ user: users.removePrivateFields(req.user) }, TOKEN_SECRET, { expiresIn: `${constants.DEFAULT_TOKEN_EXPIRATION_DAYS}d` });
diff --git a/src/test/apps-test.js b/src/test/apps-test.js
index 19dde3f73..f7f2c4f6e 100644
--- a/src/test/apps-test.js
+++ b/src/test/apps-test.js
@@ -71,40 +71,40 @@ describe('Apps', function () {
 });
 });
- describe('hasAccessTo', function () {
+ describe('canAccess', function () {
 const someuser = { id: 'someuser', groupIds: [], role: 'user' };
 const adminuser = { id: 'adminuser', groupIds: [ 'groupie' ], role: 'admin' };
 it('returns true for unrestricted access', function () {
- expect(apps.hasAccessTo({ accessRestriction: null }, someuser)).to.be(true);
+ expect(apps.canAccess({ accessRestriction: null }, someuser)).to.be(true);
 });
 it('returns true for allowed user', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ 'someuser' ] } }, someuser)).to.be(true);
+ expect(apps.canAccess({ accessRestriction: { users: [ 'someuser' ] } }, someuser)).to.be(true);
 });
 it('returns true for allowed user with multiple allowed', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ 'foo', 'someuser', 'anotheruser' ] } }, someuser)).to.be(true);
+ expect(apps.canAccess({ accessRestriction: { users: [ 'foo', 'someuser', 'anotheruser' ] } }, someuser)).to.be(true);
 });
 it('returns false for not allowed user', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ 'foo' ] } }, someuser)).to.be(false);
+ expect(apps.canAccess({ accessRestriction: { users: [ 'foo' ] } }, someuser)).to.be(false);
 });
 it('returns false for not allowed user with multiple allowed', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ 'foo', 'anotheruser' ] } }, someuser)).to.be(false);
+ expect(apps.canAccess({ accessRestriction: { users: [ 'foo', 'anotheruser' ] } }, someuser)).to.be(false);
 });
 it('returns false for no group or user', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ ], groups: [ ] } }, someuser)).to.be(false);
+ expect(apps.canAccess({ accessRestriction: { users: [ ], groups: [ ] } }, someuser)).to.be(false);
 });
 it('returns false for invalid group or user', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ ], groups: [ 'nop' ] } }, someuser)).to.be(false);
+ expect(apps.canAccess({ accessRestriction: { users: [ ], groups: [ 'nop' ] } }, someuser)).to.be(false);
 });
 it('returns true for admin user', function () {
- expect(apps.hasAccessTo({ accessRestriction: { users: [ ], groups: [ 'nop' ] } }, adminuser)).to.be(true);
+ expect(apps.canAccess({ accessRestriction: { users: [ ], groups: [ 'nop' ] } }, adminuser)).to.be(true);
 });
 });