From 6fe2c38bce95dd310965654572591812bf339640 Mon Sep 17 00:00:00 2001
From: Mel O'Hagan
Date: Wed, 30 Nov 2022 09:29:56 +0000
Subject: [PATCH] Move custom rbac from controller to routes
---
 .../src/api/controllers/global/users.ts | 6 ----
 .../worker/src/api/routes/global/users.js | 10 +++++-
 .../worker/src/tests/TestConfiguration.ts | 34 +++++----------------
 3 files changed, 17 insertions(+), 33 deletions(-)
diff --git a/packages/worker/src/api/controllers/global/users.ts b/packages/worker/src/api/controllers/global/users.ts
index 0d2e5b3c7f..ea1df5b45a 100644
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@@ -23,12 +23,6 @@ const MAX_USERS_UPLOAD_LIMIT = 1000

 export const save = async (ctx: any) => {
 try {
- const body = ctx.request.body
- const isCreate = !body._id
- const isAdmin = !!ctx.user.admin?.global
- if (isCreate && !isAdmin) {
- ctx.throw(403, "Only admin user can create new user.")
- }
 ctx.body = await sdk.users.save(ctx.request.body)
 } catch (err: any) {
 ctx.throw(err.status || 400, err)
diff --git a/packages/worker/src/api/routes/global/users.js b/packages/worker/src/api/routes/global/users.js
index 7740276dee..af1fbb0baf 100644
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@@ -40,6 +40,14 @@ function buildInviteMultipleValidation() {
 ))
 }

+const createUserAdminOnly = (ctx, next) => {
+ if (!ctx.request.body._id) {
+ return adminOnly(ctx, next)
+ } else {
+ return builderOrAdmin(ctx, next)
+ }
+}
+
 function buildInviteAcceptValidation() {
 // prettier-ignore
 return joiValidator.body(Joi.object({
@@ -51,7 +59,7 @@ function buildInviteAcceptValidation() {
 router
 .post(
 "/api/global/users",
- builderOrAdmin,
+ createUserAdminOnly,
 users.buildUserSaveValidation(),
 controller.save
 )
diff --git a/packages/worker/src/tests/TestConfiguration.ts b/packages/worker/src/tests/TestConfiguration.ts
index 2875cc00e9..746e1ccf1b 100644
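Review bot: `save` now performs no authorization of its own, so whether a non-admin can create a user depends entirely on the middleware mounted in front of it on the route, which is not visible from this controller and is bypassed by anything that calls the controller function directly (the test helper in the last file does exactly that). A short comment on the function would keep the next maintainer from mounting or reusing it without the guard, e.g. `// Authorization (admin for create, builder/admin for update) is enforced by route middleware in routes/global/users.js; do not expose this controller without it.` The rest of `save` lies outside the hunk.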
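Review bot: `createUserAdminOnly` keys the admin-versus-builder decision on `ctx.request.body._id`, a client-supplied field, and in the route registration in the next hunk it runs before `users.buildUserSaveValidation()`, so the decision is made on an unvalidated body. If the body parser leaves `ctx.request.body` undefined the property read throws a TypeError in middleware rather than inside the controller's try/catch, which presumably surfaces as a 500 instead of the 400 the old code produced; a guard such as `if (!ctx.request.body || !ctx.request.body._id) {` keeps the failure mode a client error. More fundamentally, the presence of `_id` only records that the caller claims an update, so the admin-only gate on creation is exactly as strong as whatever `sdk.users.save` does with an `_id` that does not exist, which is not visible here; deciding create-versus-update from a server-side lookup of the id rather than from the request body would close that gap, and the same concern applies to the route ordering in the following hunk.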
--- a/packages/worker/src/tests/TestConfiguration.ts
+++ b/packages/worker/src/tests/TestConfiguration.ts
@@ -72,29 +72,12 @@ class TestConfiguration {

 // UTILS

- async _req(
- config: any,
- params: any,
- controlFunc: any,
- opts: { force?: boolean } = {}
- ) {
+ async _req(config: any, params: any, controlFunc: any) {
 const request: any = {}
 // fake cookies, we don't need them
 request.cookies = { set: () => {}, get: () => {} }
 request.config = { jwtSecret: env.JWT_SECRET }
- if (opts.force) {
- request.user = {
- tenantId: this.getTenantId(),
- admin: { global: true },
- builder: { global: true },
- }
- } else if (this.defaultUser) {
- request.user = this.defaultUser
- } else {
- request.user = {
- tenantId: this.getTenantId(),
- }
- }
+ request.user = { tenantId: this.getTenantId() }
 request.query = {}
 request.request = {
 body: config,
@@ -146,7 +129,7 @@ class TestConfiguration {
 email: "test@test.com",
 password: "test",
 })
- this.defaultUser = await this.createUser(user, { force: true })
+ this.defaultUser = await this.createUser(user)
 }

 async createTenant1User() {
@@ -154,16 +137,15 @@ class TestConfiguration {
 email: "tenant1@test.com",
 password: "test",
 })
- this.tenant1User = await this.createUser(user, { force: true })
+ this.tenant1User = await this.createUser(user)
 }

 async createSession(user: User) {
- const session: any = {
+ await sessions.createASession(user._id!, {
 sessionId: "sessionid",
 tenantId: user.tenantId,
 csrfToken: CSRF_TOKEN,
- }
- await sessions.createASession(user._id!, session)
+ })
 }

 cookieHeader(cookies: any) {
@@ -203,11 +185,11 @@ class TestConfiguration {
 })
 }

- async createUser(user?: User, opts: any = {}) {
+ async createUser(user?: User) {
 if (!user) {
 user = structures.users.user()
 }
- const response = await this._req(user, null, controllers.users.save, opts)
+ const response = await this._req(user, null, controllers.users.save)
 const body = response as CreateUserResponse
 return this.getUser(body.email)
 }
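Review bot: With `_req` now always supplying `request.user = { tenantId: this.getTenantId() }` and the admin check gone from the controller, no request made through this helper exercises the new `createUserAdminOnly` gate, because that gate is route middleware and `_req` invokes the controller function directly (see `createUser` in the last hunk, which passes `controllers.users.save`). The authorization this commit relocates is therefore untested by this configuration; a route-level test that POSTs to `/api/global/users` without an `_id` as a builder-only user and expects 403, plus one with an admin user expecting success, would cover it. `this.defaultUser` is still assigned in the second hunk but no longer read in `_req`; if nothing outside this file reads it, the field and assignment look dead. `_req` continues past the end of the first hunk.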