From 13517d529848f70101a4cfa8ec12a21cabc8d6a6 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Tue, 6 Jul 2021 18:43:04 +0100
Subject: [PATCH] make logged in users basic by default, prevent allowing users to be assigned as default in the UI
---
 packages/auth/src/security/roles.js | 4 ++--
 .../src/pages/builder/portal/manage/users/[userId].svelte | 2 +-
 .../portal/manage/users/_components/UpdateRolesModal.svelte | 2 +-
 packages/server/src/middleware/currentapp.js | 4 ++--
 packages/server/src/utilities/global.js | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/packages/auth/src/security/roles.js b/packages/auth/src/security/roles.js
index e7055c9147..baa8fc40dc 100644
--- a/packages/auth/src/security/roles.js
+++ b/packages/auth/src/security/roles.js
@@ -147,7 +147,7 @@ exports.getRole = async (appId, roleId) => {
 */
 async function getAllUserRoles(appId, userRoleId) {
 if (!userRoleId) {
- return [BUILTIN_IDS.PUBLIC]
+ return [BUILTIN_IDS.BASIC]
 }
 let currentRole = await exports.getRole(appId, userRoleId)
 let roles = currentRole ? [currentRole] : []
@@ -226,7 +226,7 @@ exports.getAllRoles = async appId => {
 dbRole => exports.getExternalRoleID(dbRole._id) === builtinRoleId
 )[0]
 if (dbBuiltin == null) {
- roles.push(builtinRole || builtinRoles.PUBLIC)
+ roles.push(builtinRole || builtinRoles.BASIC)
 } else {
 // remove role and all back after combining with the builtin
 roles = roles.filter(role => role._id !== dbBuiltin._id)
diff --git a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
index 8b0591f575..27cf266c5d 100644
--- a/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/[userId].svelte
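Review bot: The fallback in getAllUserRoles now returns `[BUILTIN_IDS.BASIC]` for any caller that passes a falsy userRoleId, which widens the permission set for that case from PUBLIC to BASIC whether or not the request is authenticated; nothing in the hunk shows that every caller reaching this branch has a logged-in user, so if an anonymous path can arrive here without a role id it would inherit BASIC's permissions. It would be safer to have callers pass the resolved role explicitly (currentapp.js in this same commit already defaults authenticated users to BASIC) and keep the absent-role fallback at PUBLIC, or at least record the invariant above the check: `// a missing role id means an authenticated user with no app role; anonymous requests must resolve PUBLIC before reaching here`. The second hunk of this file (getAllRoles) makes the same substitution with `builtinRole || builtinRoles.BASIC`, which only triggers for a builtin id that has no builtin definition and so is presumably unreachable, but deserves the same note. getAllUserRoles's body continues outside the hunk.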
@@ -33,7 +33,7 @@
 role: {},
 }
- $: defaultRoleId = $userFetch?.data?.builder?.global ? "ADMIN" : "PUBLIC"
+ $: defaultRoleId = $userFetch?.data?.builder?.global ? "ADMIN" : "BASIC"
 // Merge the Apps list and the roles response to get something that makes sense for the table
 $: appList = Object.keys($apps?.data).map(id => {
 const role = $userFetch?.data?.roles?.[id] || defaultRoleId
diff --git a/packages/builder/src/pages/builder/portal/manage/users/_components/UpdateRolesModal.svelte b/packages/builder/src/pages/builder/portal/manage/users/_components/UpdateRolesModal.svelte
index 08e4a2ec8b..436ba28bba 100644
--- a/packages/builder/src/pages/builder/portal/manage/users/_components/UpdateRolesModal.svelte
+++ b/packages/builder/src/pages/builder/portal/manage/users/_components/UpdateRolesModal.svelte
@@ -9,7 +9,7 @@
 const dispatch = createEventDispatcher()
 const roles = app.roles
- let options = roles.map(role => role._id)
+ let options = roles.map(role => role._id).filter(id => id !== "PUBLIC")
 let selectedRole = user?.roles?.[app?._id]
 async function updateUserRoles() {
diff --git a/packages/server/src/middleware/currentapp.js b/packages/server/src/middleware/currentapp.js
index 683b7f8ef3..0e9591456c 100644
--- a/packages/server/src/middleware/currentapp.js
+++ b/packages/server/src/middleware/currentapp.js
@@ -45,10 +45,10 @@ module.exports = async (ctx, next) => {
 updateCookie = true
 appId = requestAppId
 // retrieving global user gets the right role
- roleId = globalUser.roleId || BUILTIN_ROLE_IDS.PUBLIC
+ roleId = globalUser.roleId || BUILTIN_ROLE_IDS.BASIC
 } else if (appCookie != null) {
 appId = appCookie.appId
- roleId = appCookie.roleId || BUILTIN_ROLE_IDS.PUBLIC
+ roleId = appCookie.roleId || BUILTIN_ROLE_IDS.BASIC
 }
 // nothing more to do
 if (!appId) {
diff --git a/packages/server/src/utilities/global.js b/packages/server/src/utilities/global.js
index 17ce066551..eddbd63cd7 100644
--- a/packages/server/src/utilities/global.js
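Review bot: Dropping `"PUBLIC"` from the select options in UpdateRolesModal.svelte restricts only what the UI offers; the role-update request that updateUserRoles sends (its body is outside the hunk) can still carry PUBLIC, so the same rejection belongs in the server-side handler that accepts the assignment, which this commit does not touch. A user who was assigned PUBLIC before this change will also have a selectedRole that no longer appears in options, so the select's current value and its list will disagree; either keep the existing value visible or map it to the new default when the modal opens. Minor: the literal `"PUBLIC"` duplicates the builtin role id used on the server, and a short comment on the filter, `// PUBLIC is the anonymous role and must not be assigned to a user`, would record why it is excluded.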
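Review bot: Both fallbacks in currentapp.js now resolve a missing roleId to BASIC, and the second one, `roleId = appCookie.roleId || BUILTIN_ROLE_IDS.BASIC`, keys off the app cookie rather than off an authenticated user; whether that branch can be reached without a logged-in user depends on the branching above line 45, which is outside the hunk. If it can, a request carrying an app cookie with no role would now be treated as BASIC instead of PUBLIC; if it cannot, a comment making that precondition explicit would stop a later refactor from breaking it, e.g. `// both branches run only for authenticated users, so an absent role means BASIC rather than PUBLIC`. The enclosing middleware function starts and ends outside the hunk.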
+++ b/packages/server/src/utilities/global.js
@@ -19,7 +19,7 @@ exports.updateAppRole = (appId, user) => {
 if (!user.roleId && user.builder && user.builder.global) {
 user.roleId = BUILTIN_ROLE_IDS.ADMIN
 } else if (!user.roleId) {
- user.roleId = BUILTIN_ROLE_IDS.PUBLIC
+ user.roleId = BUILTIN_ROLE_IDS.BASIC
 }
 delete user.roles
 return user
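Review bot: The "no app role means BASIC, global builders get ADMIN" rule is now written out independently in updateAppRole here, twice in currentapp.js, in getAllUserRoles in roles.js and in the defaultRoleId expression of [userId].svelte, where it uses the string literals `"ADMIN"` and `"BASIC"` instead of the shared ids; a future change to the default has to be found in five places, and the builder copy would silently display a stale default if the server's rule moved. Consider resolving the default once, for example in a helper exported from this file that currentapp.js also calls, and having the server return the resolved role so the UI does not recompute it. A header comment on updateAppRole stating the rule would help readers either way, e.g. `// Resolves the user's role for this app: an explicit roleId is kept, global builders get ADMIN, everyone else BASIC; strips the per-app roles map.` updateAppRole starts outside the hunk.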