remove ROLE_USER
Every authenticated user has ROLE_USER, so this role is superfluous.
@@ -2,7 +2,6 @@
|
||||
|
||||
exports = module.exports = {
|
||||
ROLE_ADMIN: 'admin',
|
||||
ROLE_USER: 'user',
|
||||
|
||||
verifyToken: verifyToken,
|
||||
hasRole: hasRole
|
||||
@@ -17,7 +16,6 @@ function hasRole(user, requiredRole) {
|
||||
assert.strictEqual(typeof user, 'object');
|
||||
assert.strictEqual(typeof requiredRole, 'string');
|
||||
|
||||
if (requiredRole === exports.ROLE_USER) return null;
|
||||
if (requiredRole === exports.ROLE_ADMIN && user.admin) return null;
|
||||
|
||||
return new BoxError(BoxError.ACCESS_DENIED, 'Not allowed');
|
||||
|
||||
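Review bot: With the `if (requiredRole === exports.ROLE_USER) return null;` branch gone, hasRole now denies every role name other than ROLE_ADMIN, and any caller that still passes the removed `accesscontrol.ROLE_USER` now passes `undefined`, which trips `assert.strictEqual(typeof requiredRole, 'string')` the first time hasRole runs with it rather than failing at load; worth grepping the tree (tests included) for remaining `ROLE_USER` references before merging. The fail-closed default is the right shape but is now implicit; a comment above the admin check, `// Only ROLE_ADMIN is recognised; any other role name is denied (fail closed).`, would document it. The export removal in the hunk at `@@ -2,7 +2,6 @@` has the same dependency on no stale references. hasRole's closing brace lies outside the hunk.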
+23
-24
@@ -80,7 +80,6 @@ function initializeExpressSync() {
|
||||
const password = routes.accesscontrol.passwordAuth;
|
||||
const token = routes.accesscontrol.tokenAuth;
|
||||
const authorizeAdmin = routes.accesscontrol.authorize(accesscontrol.ROLE_ADMIN);
|
||||
const authorizeUser = routes.accesscontrol.authorize(accesscontrol.ROLE_USER);
|
||||
|
||||
// public routes
|
||||
router.post('/api/v1/cloudron/setup', routes.provision.providerTokenAuth, routes.provision.setup); // only available until no-domain
|
||||
@@ -127,9 +126,9 @@ function initializeExpressSync() {
|
||||
router.post('/api/v1/tasks/:taskId/stop', token, authorizeAdmin, routes.tasks.stopTask);
|
||||
|
||||
// notifications
|
||||
router.get ('/api/v1/notifications', token, authorizeUser, routes.notifications.verifyOwnership, routes.notifications.list);
|
||||
router.get ('/api/v1/notifications/:notificationId', token, authorizeUser, routes.notifications.verifyOwnership, routes.notifications.get);
|
||||
router.post('/api/v1/notifications/:notificationId', token, authorizeUser, routes.notifications.verifyOwnership, routes.notifications.ack);
|
||||
router.get ('/api/v1/notifications', token, routes.notifications.verifyOwnership, routes.notifications.list);
|
||||
router.get ('/api/v1/notifications/:notificationId', token, routes.notifications.verifyOwnership, routes.notifications.get);
|
||||
router.post('/api/v1/notifications/:notificationId', token, routes.notifications.verifyOwnership, routes.notifications.ack);
|
||||
|
||||
// backups
|
||||
router.get ('/api/v1/backups', token, authorizeAdmin, routes.backups.list);
|
||||
@@ -137,29 +136,29 @@ function initializeExpressSync() {
|
||||
router.post('/api/v1/backups/cleanup', token, authorizeAdmin, routes.backups.cleanup);
|
||||
|
||||
// config route (for dashboard)
|
||||
router.get ('/api/v1/config', token, authorizeUser, routes.cloudron.getConfig);
|
||||
router.get ('/api/v1/config', token, routes.cloudron.getConfig);
|
||||
|
||||
// working off the user behind the provided token
|
||||
router.get ('/api/v1/profile', token, authorizeUser, routes.profile.get);
|
||||
router.post('/api/v1/profile', token, authorizeUser, routes.profile.update);
|
||||
router.get ('/api/v1/profile', token, routes.profile.get);
|
||||
router.post('/api/v1/profile', token, routes.profile.update);
|
||||
router.get ('/api/v1/profile/avatar/:identifier', routes.profile.getAvatar); // this is not scoped so it can used directly in img tag
|
||||
router.post('/api/v1/profile/avatar', token, authorizeUser, multipart, routes.profile.setAvatar);
|
||||
router.del ('/api/v1/profile/avatar', token, authorizeUser, routes.profile.clearAvatar);
|
||||
router.post('/api/v1/profile/password', token, authorizeUser, routes.users.verifyPassword, routes.profile.changePassword);
|
||||
router.post('/api/v1/profile/twofactorauthentication', token, authorizeUser, routes.profile.setTwoFactorAuthenticationSecret);
|
||||
router.post('/api/v1/profile/twofactorauthentication/enable', token, authorizeUser, routes.profile.enableTwoFactorAuthentication);
|
||||
router.post('/api/v1/profile/twofactorauthentication/disable', token, authorizeUser, routes.users.verifyPassword, routes.profile.disableTwoFactorAuthentication);
|
||||
router.post('/api/v1/profile/avatar', token, multipart, routes.profile.setAvatar);
|
||||
router.del ('/api/v1/profile/avatar', token, routes.profile.clearAvatar);
|
||||
router.post('/api/v1/profile/password', token, routes.users.verifyPassword, routes.profile.changePassword);
|
||||
router.post('/api/v1/profile/twofactorauthentication', token, routes.profile.setTwoFactorAuthenticationSecret);
|
||||
router.post('/api/v1/profile/twofactorauthentication/enable', token, routes.profile.enableTwoFactorAuthentication);
|
||||
router.post('/api/v1/profile/twofactorauthentication/disable', token, routes.users.verifyPassword, routes.profile.disableTwoFactorAuthentication);
|
||||
|
||||
router.get ('/api/v1/app_passwords', token, authorizeUser, routes.appPasswords.list);
|
||||
router.post('/api/v1/app_passwords', token, authorizeUser, routes.appPasswords.add);
|
||||
router.get ('/api/v1/app_passwords/:id', token, authorizeUser, routes.appPasswords.get);
|
||||
router.del ('/api/v1/app_passwords/:id', token, authorizeUser, routes.appPasswords.del);
|
||||
router.get ('/api/v1/app_passwords', token, routes.appPasswords.list);
|
||||
router.post('/api/v1/app_passwords', token, routes.appPasswords.add);
|
||||
router.get ('/api/v1/app_passwords/:id', token, routes.appPasswords.get);
|
||||
router.del ('/api/v1/app_passwords/:id', token, routes.appPasswords.del);
|
||||
|
||||
// access tokens
|
||||
router.get ('/api/v1/tokens', token, authorizeUser, routes.tokens.getAll);
|
||||
router.post('/api/v1/tokens', token, authorizeUser, routes.tokens.add);
|
||||
router.get ('/api/v1/tokens/:id', token, authorizeUser, routes.tokens.verifyOwnership, routes.tokens.get);
|
||||
router.del ('/api/v1/tokens/:id', token, authorizeUser, routes.tokens.verifyOwnership, routes.tokens.del);
|
||||
router.get ('/api/v1/tokens', token, routes.tokens.getAll);
|
||||
router.post('/api/v1/tokens', token, routes.tokens.add);
|
||||
router.get ('/api/v1/tokens/:id', token, routes.tokens.verifyOwnership, routes.tokens.get);
|
||||
router.del ('/api/v1/tokens/:id', token, routes.tokens.verifyOwnership, routes.tokens.del);
|
||||
|
||||
// user routes
|
||||
router.get ('/api/v1/users', token, authorizeAdmin, routes.users.list);
|
||||
@@ -188,9 +187,9 @@ function initializeExpressSync() {
|
||||
router.get ('/api/v1/appstore/apps/:appstoreId/versions/:versionId', token, authorizeAdmin, routes.appstore.getAppVersion);
|
||||
|
||||
// app routes
|
||||
router.get ('/api/v1/apps', token, authorizeUser, routes.apps.getApps);
|
||||
router.get ('/api/v1/apps', token, routes.apps.getApps);
|
||||
router.get ('/api/v1/apps/:id', token, authorizeAdmin, routes.apps.getApp);
|
||||
router.get ('/api/v1/apps/:id/icon', token, authorizeUser, routes.apps.getAppIcon);
|
||||
router.get ('/api/v1/apps/:id/icon', token, routes.apps.getAppIcon);
|
||||
|
||||
router.post('/api/v1/apps/install', token, authorizeAdmin, routes.apps.installApp);
|
||||
router.post('/api/v1/apps/:id/uninstall', token, authorizeAdmin, routes.apps.uninstallApp);
|
||||
@@ -269,7 +268,7 @@ function initializeExpressSync() {
|
||||
|
||||
// domain routes
|
||||
router.post('/api/v1/domains', token, authorizeAdmin, routes.domains.add);
|
||||
router.get ('/api/v1/domains', token, authorizeUser, routes.domains.getAll);
|
||||
router.get ('/api/v1/domains', token, routes.domains.getAll);
|
||||
router.get ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.get); // this is manage scope because it returns non-restricted fields
|
||||
router.put ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.update);
|
||||
router.del ('/api/v1/domains/:domain', token, authorizeAdmin, routes.domains.del);
|
||||
|
||||
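Review bot: Every route that dropped `authorizeUser` (the notifications, config, profile, app_passwords, tokens, apps and domains hunks) now relies on `token` alone to establish an authenticated user, whereas the removed `authorize(ROLE_USER)` also ran hasRole, whose `assert.strictEqual(typeof user, 'object')` guaranteed a user object was present before the handler ran. That is sound only if `routes.accesscontrol.tokenAuth` always rejects a missing or invalid token instead of passing through without `req.user`; tokenAuth is not visible here, so please confirm, ideally with a test that an unauthenticated request to `/api/v1/profile` is rejected before reaching `routes.profile.get`. A one-line comment at the `// working off the user behind the provided token` block, `// token (tokenAuth) is the sole authentication gate on these routes; it must reject unauthenticated requests`, would make the invariant explicit for the next person who edits this list. initializeExpressSync begins and ends outside these hunks.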