Move custom rbac from controller to routes

packages/worker/src/api/controllers/global/users.ts

@@ -23,12 +23,6 @@ const MAX_USERS_UPLOAD_LIMIT = 1000
 
 export const save = async (ctx: any) => {
   try {
-    const body = ctx.request.body
-    const isCreate = !body._id
-    const isAdmin = !!ctx.user.admin?.global
-    if (isCreate && !isAdmin) {
-      ctx.throw(403, "Only admin user can create new user.")
-    }
     ctx.body = await sdk.users.save(ctx.request.body)
   } catch (err: any) {
     ctx.throw(err.status || 400, err)

packages/worker/src/api/routes/global/users.js

@@ -40,6 +40,14 @@ function buildInviteMultipleValidation() {
   ))
 }
 
+const createUserAdminOnly = (ctx, next) => {
+  if (!ctx.request.body._id) {
+    return adminOnly(ctx, next)
+  } else {
+    return builderOrAdmin(ctx, next)
+  }
+}
+
 function buildInviteAcceptValidation() {
   // prettier-ignore
   return joiValidator.body(Joi.object({
@@ -51,7 +59,7 @@ function buildInviteAcceptValidation() {
 router
   .post(
     "/api/global/users",
-    builderOrAdmin,
+    createUserAdminOnly,
     users.buildUserSaveValidation(),
     controller.save
   )

packages/worker/src/tests/TestConfiguration.ts

@@ -72,29 +72,12 @@ class TestConfiguration {
 
   // UTILS
 
-  async _req(
+  async _req(config: any, params: any, controlFunc: any) {
-    config: any,
-    params: any,
-    controlFunc: any,
-    opts: { force?: boolean } = {}
-  ) {
     const request: any = {}
     // fake cookies, we don't need them
     request.cookies = { set: () => {}, get: () => {} }
     request.config = { jwtSecret: env.JWT_SECRET }
-    if (opts.force) {
+    request.user = { tenantId: this.getTenantId() }
-      request.user = {
-        tenantId: this.getTenantId(),
-        admin: { global: true },
-        builder: { global: true },
-      }
-    } else if (this.defaultUser) {
-      request.user = this.defaultUser
-    } else {
-      request.user = {
-        tenantId: this.getTenantId(),
-      }
-    }
     request.query = {}
     request.request = {
       body: config,
@@ -146,7 +129,7 @@ class TestConfiguration {
       email: "test@test.com",
       password: "test",
     })
-    this.defaultUser = await this.createUser(user, { force: true })
+    this.defaultUser = await this.createUser(user)
   }
 
   async createTenant1User() {
@@ -154,16 +137,15 @@ class TestConfiguration {
       email: "tenant1@test.com",
       password: "test",
     })
-    this.tenant1User = await this.createUser(user, { force: true })
+    this.tenant1User = await this.createUser(user)
   }
 
   async createSession(user: User) {
-    const session: any = {
+    await sessions.createASession(user._id!, {
       sessionId: "sessionid",
       tenantId: user.tenantId,
       csrfToken: CSRF_TOKEN,
-    }
+    })
-    await sessions.createASession(user._id!, session)
   }
 
   cookieHeader(cookies: any) {
@@ -203,11 +185,11 @@ class TestConfiguration {
     })
   }
 
-  async createUser(user?: User, opts: any = {}) {
+  async createUser(user?: User) {
     if (!user) {
       user = structures.users.user()
     }
-    const response = await this._req(user, null, controllers.users.save, opts)
+    const response = await this._req(user, null, controllers.users.save)
     const body = response as CreateUserResponse
     return this.getUser(body.email)
   }