Revised user management and permissions

ormconfig.js

@@ -7,7 +7,7 @@ module.exports = {
     "database": "os2iot",
     "synchronize": false,
     "logging": false,
-    "entities": ["src/entities/*.ts"],
+    "entities": ["src/entities/*.ts", "src/entities/permissions/*.ts"],
     "migrations": ["src/migration/*.ts"],
     "cli": {
         "migrationsDir": "src/migration"

src/auth/roles.decorator.ts

@@ -4,7 +4,7 @@ import { SetMetadata } from "@nestjs/common";
 import { RolesMetaData } from "./constants";
 
 export const Read = () => SetMetadata(RolesMetaData, PermissionType.Read);
-export const Write = () => SetMetadata(RolesMetaData, PermissionType.Write);
-export const OrganizationAdmin = () =>
-    SetMetadata(RolesMetaData, PermissionType.OrganizationAdmin);
+export const UserAdmin = () => SetMetadata(RolesMetaData, PermissionType.OrganizationUserAdmin);
+export const GatewayAdmin = () => SetMetadata(RolesMetaData, PermissionType.OrganizationGatewayAdmin);
+export const ApplicationAdmin = () => SetMetadata(RolesMetaData, PermissionType.OrganizationApplicationAdmin);
 export const GlobalAdmin = () => SetMetadata(RolesMetaData, PermissionType.GlobalAdmin);

src/auth/roles.guard.ts

@@ -40,34 +40,37 @@ export class RolesGuard implements CanActivate {
     hasAccess(user: AuthenticatedUser, roleRequired: string): boolean {
         if (user.permissions.isGlobalAdmin) {
             return true;
-        } else if (roleRequired == PermissionType.OrganizationAdmin) {
-            return this.hasOrganizationAdminAccess(user);
-        } else if (roleRequired == PermissionType.Write) {
-            return this.hasOrganizationAdminAccess(user) || this.hasWriteAccess(user);
+        } else if (roleRequired == PermissionType.OrganizationApplicationAdmin) {
+            return this.hasOrganizationApplicationAdminAccess(user);
+        } else if (roleRequired == PermissionType.OrganizationUserAdmin) {
+            return this.hasOrganizationUserAdminAccess(user);
+        } else if (roleRequired == PermissionType.OrganizationGatewayAdmin) {
+            return this.hasOrganizationGatewayAdminAccess(user);
         } else if (roleRequired == PermissionType.Read) {
             return (
-                this.hasOrganizationAdminAccess(user) ||
-                this.hasWriteAccess(user) ||
+                this.hasOrganizationApplicationAdminAccess(user) ||
+                this.hasOrganizationUserAdminAccess(user) ||
+                this.hasOrganizationGatewayAdminAccess(user) ||
                 this.hasReadAccess(user)
             );
         }
 
         return false;
     }
 
-    hasOrganizationAdminAccess(user: AuthenticatedUser): boolean {
-        return user.permissions.organizationAdminPermissions.size > 0;
+    hasOrganizationApplicationAdminAccess(user: AuthenticatedUser): boolean {
+        return user.permissions.orgToApplicationAdminPermissions.size > 0;
     }
 
-    hasWriteAccess(user: AuthenticatedUser): boolean {
-        return this.hasSomeAccess(user.permissions.writePermissions);
+    hasOrganizationUserAdminAccess(user: AuthenticatedUser): boolean {
+        return user.permissions.orgToUserAdminPermissions.size > 0;
     }
 
-    hasReadAccess(user: AuthenticatedUser): boolean {
-        return this.hasSomeAccess(user.permissions.readPermissions);
+    hasOrganizationGatewayAdminAccess(user: AuthenticatedUser): boolean {
+        return user.permissions.orgToGatewayAdminPermissions.size > 0;
     }
 
-    hasSomeAccess(userPermission: Map<number, number[]>): boolean {
-        return userPermission.size > 0;
+    hasReadAccess(user: AuthenticatedUser): boolean {
+        return user.permissions.orgToReadPermissions.size > 0;
     }
 }

src/controllers/admin-controller/application.controller.ts

@@ -27,7 +27,7 @@ import {
 } from "@nestjs/swagger";
 import { ApiResponse } from "@nestjs/swagger";
 
-import { Read, Write } from "@auth/roles.decorator";
+import { Read, ApplicationAdmin } from "@auth/roles.decorator";
 import { RolesGuard } from "@auth/roles.guard";
 import { CreateApplicationDto } from "@dto/create-application.dto";
 import { DeleteResponseDto } from "@dto/delete-application-response.dto";
@@ -38,10 +38,10 @@ import { Application } from "@entities/application.entity";
 import { AuthenticatedRequest } from "@entities/dto/internal/authenticated-request";
 import { ErrorCodes } from "@enum/error-codes.enum";
 import {
-    checkIfUserHasReadAccessToApplication,
-    checkIfUserHasReadAccessToOrganization,
-    checkIfUserHasWriteAccessToApplication,
-    checkIfUserHasWriteAccessToOrganization,
+    ApplicationAccessScope,
+    checkIfUserHasAccessToApplication,
+    checkIfUserHasAccessToOrganization,
+    OrganizationAccessScope,
 } from "@helpers/security-helper";
 import { ApplicationService } from "@services/device-management/application.service";
 import { AuditLog } from "@services/audit-log.service";
@@ -90,11 +90,11 @@ export class ApplicationController {
         query: ListAllApplicationsDto
     ) {
         if (query?.organizationId) {
-            checkIfUserHasReadAccessToOrganization(req, query.organizationId);
+            checkIfUserHasAccessToOrganization(req, query.organizationId, OrganizationAccessScope.ApplicationRead);
             return await this.getApplicationsInOrganization(req, query);
         }
 
-        const allFromOrg = req.user.permissions.getAllOrganizationsWithAtLeastAdmin();
+        const allFromOrg = req.user.permissions.getAllOrganizationsWithApplicationAdmin();
         const allowedApplications = req.user.permissions.getAllApplicationsWithAtLeastRead();
         const applications = await this.applicationService.findAndCountApplicationInWhitelistOrOrganization(
             query,
@@ -109,7 +109,7 @@ export class ApplicationController {
         query: ListAllApplicationsDto
     ) {
         // If org admin give all
-        const allFromOrg = req.user.permissions.getAllOrganizationsWithAtLeastAdmin();
+        const allFromOrg = req.user.permissions.getAllOrganizationsWithApplicationAdmin();
         if (this.isOrganizationAdmin(allFromOrg, query)) {
             return await this.applicationService.findAndCountWithPagination(query, [
                 query.organizationId,
@@ -137,7 +137,7 @@ export class ApplicationController {
         @Req() req: AuthenticatedRequest,
         @Param("id", new ParseIntPipe()) id: number
     ): Promise<Application> {
-        checkIfUserHasReadAccessToApplication(req, id);
+        checkIfUserHasAccessToApplication(req, id, ApplicationAccessScope.Read);
 
         try {
             return await this.applicationService.findOne(id);
@@ -155,7 +155,7 @@ export class ApplicationController {
         @Param("id", new ParseIntPipe()) applicationId: number,
         @Query() query?: ListAllEntitiesDto
     ): Promise<ListAllIoTDevicesResponseDto> {
-        checkIfUserHasReadAccessToApplication(req, applicationId);
+        checkIfUserHasAccessToApplication(req, applicationId, ApplicationAccessScope.Read);
 
         try {
             return await this.applicationService.findDevicesForApplication(
@@ -167,7 +167,7 @@ export class ApplicationController {
         }
     }
 
-    @Write()
+    @ApplicationAdmin()
     @Post()
     @Header("Cache-Control", "none")
     @ApiOperation({ summary: "Create a new Application" })
@@ -176,9 +176,10 @@ export class ApplicationController {
         @Req() req: AuthenticatedRequest,
         @Body() createApplicationDto: CreateApplicationDto
     ): Promise<Application> {
-        checkIfUserHasWriteAccessToOrganization(
+        checkIfUserHasAccessToOrganization(
             req,
-            createApplicationDto?.organizationId
+            createApplicationDto?.organizationId,
+            OrganizationAccessScope.ApplicationWrite
         );
 
         const isValid = await this.applicationService.isNameValidAndNotUsed(
@@ -207,7 +208,7 @@ export class ApplicationController {
         return application;
     }
 
-    @Write()
+    @ApplicationAdmin()
     @Put(":id")
     @Header("Cache-Control", "none")
     @ApiOperation({ summary: "Update an existing Application" })
@@ -217,7 +218,7 @@ export class ApplicationController {
         @Param("id", new ParseIntPipe()) id: number,
         @Body() updateApplicationDto: UpdateApplicationDto
     ): Promise<Application> {
-        checkIfUserHasWriteAccessToApplication(req, id);
+        checkIfUserHasAccessToApplication(req, id, ApplicationAccessScope.Write);
         if (
             !(await this.applicationService.isNameValidAndNotUsed(
                 updateApplicationDto?.name,
@@ -247,15 +248,15 @@ export class ApplicationController {
         return application;
     }
 
-    @Write()
+    @ApplicationAdmin()
     @Delete(":id")
     @ApiOperation({ summary: "Delete an existing Application" })
     @ApiBadRequestResponse()
     async delete(
         @Req() req: AuthenticatedRequest,
         @Param("id", new ParseIntPipe()) id: number
     ): Promise<DeleteResponseDto> {
-        checkIfUserHasWriteAccessToApplication(req, id);
+        checkIfUserHasAccessToApplication(req, id, ApplicationAccessScope.Write);
 
         try {
             const result = await this.applicationService.delete(id);

src/controllers/admin-controller/chirpstack/chirpstack-gateway.controller.ts

@@ -20,7 +20,7 @@ import {
     ApiTags,
 } from "@nestjs/swagger";
 
-import { Read, Write } from "@auth/roles.decorator";
+import { Read, GatewayAdmin } from "@auth/roles.decorator";
 import { RolesGuard } from "@auth/roles.guard";
 import { ChirpstackResponseStatus } from "@dto/chirpstack/chirpstack-response.dto";
 import { CreateGatewayDto } from "@dto/chirpstack/create-gateway.dto";
@@ -29,7 +29,7 @@ import { SingleGatewayResponseDto } from "@dto/chirpstack/single-gateway-respons
 import { UpdateGatewayDto } from "@dto/chirpstack/update-gateway.dto";
 import { ErrorCodes } from "@enum/error-codes.enum";
 import { ChirpstackGatewayService } from "@services/chirpstack/chirpstack-gateway.service";
-import { checkIfUserHasWriteAccessToOrganization } from "@helpers/security-helper";
+import { checkIfUserHasAccessToOrganization, OrganizationAccessScope } from "@helpers/security-helper";
 import { AuthenticatedRequest } from "@dto/internal/authenticated-request";
 import { AuditLog } from "@services/audit-log.service";
 import { ActionType } from "@entities/audit-log-entry";
@@ -47,12 +47,12 @@ export class ChirpstackGatewayController {
     @ApiProduces("application/json")
     @ApiOperation({ summary: "Create a new Chirpstack Gateway" })
     @ApiBadRequestResponse()
-    @Write()
+    @GatewayAdmin()
     async create(
         @Req() req: AuthenticatedRequest,
         @Body() dto: CreateGatewayDto
     ): Promise<ChirpstackResponseStatus> {
-        checkIfUserHasWriteAccessToOrganization(req, dto.organizationId);
+        checkIfUserHasAccessToOrganization(req, dto.organizationId, OrganizationAccessScope.GatewayWrite);
         try {
             const gateway = await this.chirpstackGatewayService.createNewGateway(
                 dto,
@@ -86,12 +86,8 @@ export class ChirpstackGatewayController {
     @ApiProduces("application/json")
     @ApiOperation({ summary: "List all Chirpstack gateways" })
     @Read()
-    async getAll(
-        @Query() query?: ChirpstackGetAll
-    ): Promise<ListAllGatewaysResponseDto> {
-        return await this.chirpstackGatewayService.getAll(
-            query.organizationId
-        );
+    async getAll(@Query() query?: ChirpstackGetAll): Promise<ListAllGatewaysResponseDto> {
+        return await this.chirpstackGatewayService.getAll(query.organizationId);
     }
 
     @Get(":gatewayId")
@@ -116,7 +112,7 @@ export class ChirpstackGatewayController {
     @ApiProduces("application/json")
     @ApiOperation({ summary: "Create a new Chirpstack Gateway" })
     @ApiBadRequestResponse()
-    @Write()
+    @GatewayAdmin()
     async update(
         @Req() req: AuthenticatedRequest,
         @Param("gatewayId") gatewayId: string,
@@ -152,17 +148,18 @@ export class ChirpstackGatewayController {
     }
 
     @Delete(":gatewayId")
-    @Write()
+    @GatewayAdmin()
     async delete(
         @Req() req: AuthenticatedRequest,
         @Param("gatewayId") gatewayId: string
     ): Promise<ChirpstackResponseStatus> {
         try {
             const gw = await this.chirpstackGatewayService.getOne(gatewayId);
             if (gw.gateway.internalOrganizationId != null) {
-                checkIfUserHasWriteAccessToOrganization(
+                checkIfUserHasAccessToOrganization(
                     req,
-                    +gw.gateway.internalOrganizationId
+                    +gw.gateway.internalOrganizationId,
+                    OrganizationAccessScope.GatewayWrite
                 );
             }
             const deleteResult = await this.chirpstackGatewayService.deleteGateway(

src/controllers/admin-controller/chirpstack/device-profile.controller.ts

@@ -24,7 +24,7 @@ import {
     ApiTags,
 } from "@nestjs/swagger";
 
-import { Read, Write } from "@auth/roles.decorator";
+import { Read, ApplicationAdmin } from "@auth/roles.decorator";
 import { RolesGuard } from "@auth/roles.guard";
 import { CreateChirpstackProfileResponseDto } from "@dto/chirpstack/create-chirpstack-profile-response.dto";
 import { CreateDeviceProfileDto } from "@dto/chirpstack/create-device-profile.dto";
@@ -34,7 +34,7 @@ import { DeleteResponseDto } from "@dto/delete-application-response.dto";
 import { ErrorCodes } from "@enum/error-codes.enum";
 import { DeviceProfileService } from "@services/chirpstack/device-profile.service";
 import { AuthenticatedRequest } from "@dto/internal/authenticated-request";
-import { checkIfUserHasWriteAccessToOrganization } from "@helpers/security-helper";
+import { checkIfUserHasAccessToOrganization, OrganizationAccessScope } from "@helpers/security-helper";
 import { AuditLog } from "@services/audit-log.service";
 import { ActionType } from "@entities/audit-log-entry";
 import { ComposeAuthGuard } from "@auth/compose-auth.guard";
@@ -43,6 +43,7 @@ import { ComposeAuthGuard } from "@auth/compose-auth.guard";
 @Controller("chirpstack/device-profiles")
 @UseGuards(ComposeAuthGuard, RolesGuard)
 @ApiBearerAuth()
+@ApplicationAdmin()
 export class DeviceProfileController {
     constructor(private deviceProfileService: DeviceProfileService) {}
 
@@ -53,16 +54,14 @@ export class DeviceProfileController {
     @ApiProduces("application/json")
     @ApiOperation({ summary: "Create a new DeviceProfile" })
     @ApiBadRequestResponse()
-    @Write()
+    @ApplicationAdmin()
     async create(
         @Req() req: AuthenticatedRequest,
         @Body() createDto: CreateDeviceProfileDto
     ): Promise<CreateChirpstackProfileResponseDto> {
+        checkIfUserHasAccessToOrganization(req, createDto.internalOrganizationId, OrganizationAccessScope.ApplicationWrite);
+
         try {
-            checkIfUserHasWriteAccessToOrganization(
-                req,
-                createDto.internalOrganizationId
-            );
             const result = await this.deviceProfileService.createDeviceProfile(
                 createDto,
                 req.user.userId
@@ -94,12 +93,18 @@ export class DeviceProfileController {
     @ApiOperation({ summary: "Update an existing DeviceProfile" })
     @ApiBadRequestResponse()
     @HttpCode(204)
-    @Write()
+    @ApplicationAdmin()
     async update(
         @Req() req: AuthenticatedRequest,
         @Param("id") id: string,
         @Body() updateDto: UpdateDeviceProfileDto
     ): Promise<void> {
+        checkIfUserHasAccessToOrganization(
+            req,
+            updateDto.deviceProfile.internalOrganizationId,
+            OrganizationAccessScope.ApplicationWrite
+        );
+
         try {
             await this.deviceProfileService.updateDeviceProfile(updateDto, id, req);
             AuditLog.success(
@@ -170,7 +175,7 @@ export class DeviceProfileController {
     @Delete(":id")
     @ApiOperation({ summary: "Delete one DeviceProfile by id" })
     @ApiNotFoundResponse()
-    @Write()
+    @ApplicationAdmin()
     async deleteOne(
         @Req() req: AuthenticatedRequest,
         @Param("id") id: string

src/controllers/admin-controller/chirpstack/service-profile.controller.ts

@@ -25,7 +25,7 @@ import {
     ApiTags,
 } from "@nestjs/swagger";
 
-import { Read, Write } from "@auth/roles.decorator";
+import { Read, ApplicationAdmin } from "@auth/roles.decorator";
 import { RolesGuard } from "@auth/roles.guard";
 import { CreateChirpstackProfileResponseDto } from "@dto/chirpstack/create-chirpstack-profile-response.dto";
 import { CreateServiceProfileDto } from "@dto/chirpstack/create-service-profile.dto";
@@ -42,6 +42,7 @@ import { AuthenticatedRequest } from "@dto/internal/authenticated-request";
 @Controller("chirpstack/service-profiles")
 @UseGuards(ComposeAuthGuard, RolesGuard)
 @ApiBearerAuth()
+@ApplicationAdmin()
 export class ServiceProfileController {
     constructor(private serviceProfileService: ServiceProfileService) {}
     private readonly logger = new Logger(ServiceProfileController.name);
@@ -50,7 +51,7 @@ export class ServiceProfileController {
     @ApiProduces("application/json")
     @ApiOperation({ summary: "Create a new ServiceProfile" })
     @ApiBadRequestResponse()
-    @Write()
+    @ApplicationAdmin()
     async create(
         @Req() req: AuthenticatedRequest,
         @Body() createDto: CreateServiceProfileDto
@@ -71,7 +72,7 @@ export class ServiceProfileController {
     @ApiOperation({ summary: "Update an existing ServiceProfile" })
     @ApiBadRequestResponse()
     @HttpCode(204)
-    @Write()
+    @ApplicationAdmin()
     async update(
         @Req() req: AuthenticatedRequest,
         @Param("id") id: string,
@@ -131,7 +132,7 @@ export class ServiceProfileController {
     @Delete(":id")
     @ApiOperation({ summary: "Delete one ServiceProfile by id" })
     @ApiNotFoundResponse()
-    @Write()
+    @ApplicationAdmin()
     async deleteOne(
         @Req() req: AuthenticatedRequest,
         @Param("id") id: string