Move custom rbac from controller to routes

2022-11-30 09:29:56 +00:00 · 2022-11-30 09:29:56 +00:00 · d60a70af82
parent d484dc6011
commit d60a70af82
3 changed files with 17 additions and 33 deletions
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -23,12 +23,6 @@ const MAX_USERS_UPLOAD_LIMIT = 1000

 export const save = async (ctx: any) => {
  try {
-    const body = ctx.request.body
-    const isCreate = !body._id
-    const isAdmin = !!ctx.user.admin?.global
-    if (isCreate && !isAdmin) {
-      ctx.throw(403, "Only admin user can create new user.")
-    }
    ctx.body = await sdk.users.save(ctx.request.body)
  } catch (err: any) {
    ctx.throw(err.status || 400, err)
--- a/packages/worker/src/api/routes/global/users.js
+++ b/packages/worker/src/api/routes/global/users.js
@ -40,6 +40,14 @@ function buildInviteMultipleValidation() {
  ))
 }

+const createUserAdminOnly = (ctx, next) => {
+  if (!ctx.request.body._id) {
+    return adminOnly(ctx, next)
+  } else {
+    return builderOrAdmin(ctx, next)
+  }
+}
+
 function buildInviteAcceptValidation() {
  // prettier-ignore
  return joiValidator.body(Joi.object({
@ -51,7 +59,7 @@ function buildInviteAcceptValidation() {
 router
  .post(
    "/api/global/users",
-    builderOrAdmin,
+    createUserAdminOnly,
    users.buildUserSaveValidation(),
    controller.save
  )
--- a/packages/worker/src/tests/TestConfiguration.ts
+++ b/packages/worker/src/tests/TestConfiguration.ts
@ -72,29 +72,12 @@ class TestConfiguration {

  // UTILS

-  async _req(
-    config: any,
-    params: any,
-    controlFunc: any,
-    opts: { force?: boolean } = {}
-  ) {
+  async _req(config: any, params: any, controlFunc: any) {
    const request: any = {}
    // fake cookies, we don't need them
    request.cookies = { set: () => {}, get: () => {} }
    request.config = { jwtSecret: env.JWT_SECRET }
-    if (opts.force) {
-      request.user = {
-        tenantId: this.getTenantId(),
-        admin: { global: true },
-        builder: { global: true },
-      }
-    } else if (this.defaultUser) {
-      request.user = this.defaultUser
-    } else {
-      request.user = {
-        tenantId: this.getTenantId(),
-      }
-    }
+    request.user = { tenantId: this.getTenantId() }
    request.query = {}
    request.request = {
      body: config,
@ -146,7 +129,7 @@ class TestConfiguration {
      email: "test@test.com",
      password: "test",
    })
-    this.defaultUser = await this.createUser(user, { force: true })
+    this.defaultUser = await this.createUser(user)
  }

  async createTenant1User() {
@ -154,16 +137,15 @@ class TestConfiguration {
      email: "tenant1@test.com",
      password: "test",
    })
-    this.tenant1User = await this.createUser(user, { force: true })
+    this.tenant1User = await this.createUser(user)
  }

  async createSession(user: User) {
-    const session: any = {
+    await sessions.createASession(user._id!, {
      sessionId: "sessionid",
      tenantId: user.tenantId,
      csrfToken: CSRF_TOKEN,
-    }
-    await sessions.createASession(user._id!, session)
+    })
  }

  cookieHeader(cookies: any) {
@ -203,11 +185,11 @@ class TestConfiguration {
    })
  }

-  async createUser(user?: User, opts: any = {}) {
+  async createUser(user?: User) {
    if (!user) {
      user = structures.users.user()
    }
-    const response = await this._req(user, null, controllers.users.save, opts)
+    const response = await this._req(user, null, controllers.users.save)
    const body = response as CreateUserResponse
    return this.getUser(body.email)
  }