feat(users): Add user roles handling (#41)

Closes: #36

Added a field `roles` in users and handle it in /users routes. See updates to the documentation for full explanation.

Author: D34THWINGS

cli/index.js

@@ -13,6 +13,13 @@ mongoose.connect(`mongodb://${userPart}${mongodb.host}:${mongodb.port}/${mongodb
       lastName: 'admin',
       email: 'admin@link-value.fr',
       fallbackEmail: 'admin@link-value.fr',
+      roles: [
+        'tech',
+        'business',
+        'hr',
+        'staff',
+        'board',
+      ],
     });
 
     return user.hashPassword('admin');

docs/endpoint-users.md

@@ -16,14 +16,16 @@ Retrieve the whole collection of users.
     "lastName": String,
     "email": String,
     "fallbackEmail": String,
-    "createdAt": Date
+    "createdAt": Date,
+    "roles": [String]
   }
 ]
 ```
 
 ## `POST /users`
 
-Creates a new user.
+Creates a new user. Requires to specify at least one valid role in: tech, hr, staff, business and board.
+Also requires to have either hr or staff in logged user roles to perform request.
 
 #### Request payload
 
@@ -34,6 +36,7 @@ Creates a new user.
   "email": String,          // required
   "fallbackEmail": String,   
   "plainPassword": String   // required
+  "roles": [String]         // required
 }
 ```
 
@@ -46,7 +49,8 @@ Creates a new user.
   "lastName": String,
   "email": String,
   "fallbackEmail": String,
-  "createdAt": Date
+  "createdAt": Date,
+  "roles": [String]
 }
 ```
 
@@ -63,13 +67,15 @@ Retrieve an user.
   "lastName": String,
   "email": String,
   "fallbackEmail": String,
-  "createdAt": Date
+  "createdAt": Date,
+  "roles": [String]
 }
 ```
 
 ## `PUT /users/{id}`
 
-Updates an user.
+Updates an user. Connected user can edit himself.
+To edit user roles, connected user requires either hr or staff in his roles.
 
 #### Request payload
 
@@ -78,14 +84,23 @@ Updates an user.
   "firstName": String,
   "lastName": String,
   "email": String,
-  "fallbackEmail": String
+  "fallbackEmail": String,
+  "roles": [String]         // requires hr/staff role
 }
 ```
 
 ## `DELETE /users/{id}`
 
 Deletes an user.
+To delete a user, connected user requires either hr or staff in his roles.
+
+#### Request payload
 
+```js
+{
+  "deleted": Boolean,
+}
+```
 
 ## `GET /users/me`
 
@@ -100,6 +115,7 @@ Retrieve the user corresponding to given access token.
   "lastName": String,
   "email": String,
   "fallbackEmail": String,
-  "createdAt": Date
+  "createdAt": Date,
+  "roles": [String]
 }
 ```

server/users/middlewares/index.js

@@ -0,0 +1,30 @@
+const Boom = require('boom');
+
+const rightsError = Boom.forbidden('insufficient_rights');
+
+// Role checking middleware
+function hasRoleInList(...roles) {
+  return {
+    method(request, reply) {
+      const hasGivenRole = roles.some(role => request.auth.credentials.roles.some(r => r === role));
+      return reply(hasGivenRole ? undefined : rightsError);
+    },
+    assign: 'hasRights',
+  };
+}
+
+// Check connected user is requested user
+const isConnectedUser = {
+  method(request, reply) {
+    const isSelf = request.params.user === request.auth.credentials._id.toString();
+    return reply(isSelf || rightsError);
+  },
+  assign: 'isConnectedUser',
+  failAction: 'ignore',
+};
+
+module.exports = {
+  rightsError,
+  hasRoleInList,
+  isConnectedUser,
+};

server/users/models/user.js

@@ -7,6 +7,7 @@ const userSchema = new mongoose.Schema({
   email: { type: String, index: true, unique: true },
   fallbackEmail: String,
   password: String,
+  roles: [String],
   thirdParty: Object,
   createdAt: { type: Date, default: Date.now },
 });

server/users/routes/delete-users.js

@@ -1,9 +1,11 @@
+const { hasRoleInList } = require('../middlewares');
 const { params } = require('./user-validation');
 
 module.exports = {
   method: 'DELETE',
   path: '/users/{user}',
   config: {
+    pre: [hasRoleInList('rh', 'staff')],
     validate: {
       params,
     },

server/users/routes/post-users.js

@@ -1,9 +1,12 @@
+const Boom = require('boom');
+const { hasRoleInList } = require('../middlewares');
 const { payload } = require('./user-validation');
 
 module.exports = {
   method: 'POST',
   path: '/users',
   config: {
+    pre: [hasRoleInList('rh', 'staff')],
     validate: {
       payload: payload.post,
     },
@@ -19,7 +22,7 @@ module.exports = {
       fallbackEmail: req.payload.fallbackEmail,
     });
 
-    res.mongodb(user
+    const userPromise = user
       .hashPassword(req.payload.plainPassword)
       .then(() => user.save())
       .then((savedUser) => {
@@ -29,6 +32,14 @@ module.exports = {
           plainPassword: req.payload.plainPassword,
         }).save();
         return savedUser;
-      }), ['password']);
+      })
+      .catch((err) => {
+        if (err.message.startsWith('E11000')) {
+          return Promise.reject(Boom.badRequest('email_already_used'));
+        }
+        return Promise.reject(Boom.wrap(err));
+      });
+
+    res.mongodb(userPromise, ['password']);
   },
 };

server/users/routes/put-users.js

@@ -1,10 +1,12 @@
 const Boom = require('boom');
+const { hasRoleInList, isConnectedUser, rightsError } = require('../middlewares');
 const { payload, params } = require('./user-validation');
 
 module.exports = {
   method: 'PUT',
   path: '/users/{user}',
   config: {
+    pre: [isConnectedUser, hasRoleInList('rh', 'staff')],
     validate: {
       payload: payload.put,
       params,
@@ -13,23 +15,29 @@ module.exports = {
   handler(req, res) {
     const { User } = req.server.plugins.users.models;
 
+    // User can't edit his roles if doesn't have rights.
+    if (req.pre.isOwner && !req.pre.hasRights && req.payload.roles) {
+      return res(rightsError);
+    }
+
     const userPromise = User
       .findOne({ _id: req.params.user })
       .exec()
       .then((user) => {
         if (!user) {
-          return Boom.notFound('User Not Found');
+          return Promise.reject(Boom.notFound('User Not Found'));
         }
 
         return Object
           .assign(user, {
-            firstName: req.payload.firstName,
-            lastName: req.payload.lastName,
-            fallbackEmail: req.payload.fallbackEmail,
+            firstName: req.payload.firstName || user.firstName,
+            lastName: req.payload.lastName || user.lastName,
+            fallbackEmail: req.payload.fallbackEmail || user.fallbackEmail,
+            roles: req.payload.roles || user.roles,
           })
           .save();
       });
 
-    res.mongodb(userPromise, ['password']);
+    return res.mongodb(userPromise, ['password']);
   },
 };

server/users/routes/user-validation.js

@@ -1,18 +1,28 @@
 const Joi = require('joi');
 const { Types } = require('mongoose');
 
+const validRoles = [
+  'tech',
+  'business',
+  'hr',
+  'staff',
+  'board',
+];
+
 exports.payload = {
   post: Joi.object({
     firstName: Joi.string().min(2).required(),
     lastName: Joi.string().min(2).required(),
     plainPassword: Joi.string().min(6).required(),
     email: Joi.string().email().required(),
     fallbackEmail: Joi.string().email(),
+    roles: Joi.array().items(Joi.string().valid(validRoles)).min(1).required(),
   }),
   put: Joi.object({
-    firstName: Joi.string().min(2).required(),
-    lastName: Joi.string().min(2).required(),
+    firstName: Joi.string().min(2),
+    lastName: Joi.string().min(2),
     fallbackEmail: Joi.string().email(),
+    roles: Joi.array().items(Joi.string().valid(validRoles)).min(1),
   }),
 };