orbiting · lukasbuenger · Apr 4, 2018 · Mar 12, 2018 · Mar 13, 2018 · Mar 13, 2018
diff --git a/.env.example b/.env.example
@@ -20,6 +20,11 @@ DATABASE_URL=postgres://patte@localhost:5432/republik
 #  - republik for payment redirect urls
 FRONTEND_BASE_URL=http://localhost:3010
 
+#url to crowdfunding-admin
+# used by
+#  - slack to send link to profiles to SLACK_CHANNEL_ADMIN
+ADMIN_FRONTEND_BASE_URL=http://localhost:3003
+
 # log requsts that take longer than the specified ms
 #REQ_TIMEOUT=2000
 

diff --git a/packages/auth/graphql/resolvers/EventLog.js b/packages/auth/graphql/resolvers/EventLog.js
@@ -0,0 +1,41 @@
+
+module.exports = {
+  type (eventLog, args) {
+    if (
+      eventLog.action === 'INSERT' &&
+      eventLog.oldData === null &&
+      eventLog.newData &&
+      eventLog.newData.sess.token
+    ) {
+      return 'TOKEN_REQUEST'
+    }
+    if (
+      eventLog.action === 'UPDATE' &&
+      eventLog.oldData &&
+      eventLog.newData &&
+      eventLog.oldData.sess.cookie.expires !==
+        eventLog.newData.sess.cookie.expires
+    ) {
+      return 'ROLL_SESSION'
+    }
+    if (
+      eventLog.action === 'UPDATE' &&
+      eventLog.oldData &&
+      eventLog.newData &&
+      eventLog.oldData.sess.token &&
+      eventLog.newData.sess.token === null
+    ) {
+      if (eventLog.newData.sess.passport.user) {
+        return 'AUTHORIZE_SESSION'
+      } else {
+        return 'DENY_SESSION'
+      }
+    }
+    if (
+      eventLog.action === 'DELETE'
+    ) {
+      return 'SIGNOUT_TIMEOUT'
+    }
+    return 'UNKNOWN'
+  }
+}
diff --git a/packages/auth/graphql/resolvers/User.js b/packages/auth/graphql/resolvers/User.js
@@ -35,5 +35,34 @@ module.exports = {
   },
   updatedAt (user, args, { user: me }) {
     return user._raw.updatedAt
+  },
+  async eventLog (user, args, { pgdb, user: me }) {
+    Roles.ensureUserIsMeOrInRoles(user, me, userAccessRoles)
+    return pgdb.query(`
+      SELECT
+        e.*,
+        to_json(s.*) as "activeSession"
+      FROM
+        "eventLog" e
+      LEFT JOIN
+        sessions s
+          ON e."newData" #>> '{sid}' = s.sid
+      WHERE
+        e."newData" #>> '{sess,email}' = :email OR
+        e."oldData" #>> '{sess,email}' = :email OR
+        e."newData" #>> '{sess,passport,user}' = :userId OR
+        e."oldData" #>> '{sess,passport,user}' = :userId
+      ORDER BY
+        e."createdAt" DESC
+    `, {
+      email: user.email,
+      userId: user.userId
+    })
+      .then(result => result
+        .map(e => ({
+          ...e,
+          archivedSession: e.newData || e.oldData
+        }))
+      )
   }
 }
diff --git a/packages/auth/graphql/resolvers/_mutations/addUserToRole.js b/packages/auth/graphql/resolvers/_mutations/addUserToRole.js
@@ -0,0 +1,24 @@
+const t = require('../../../lib/t')
+const {
+  ensureUserHasRole,
+  userHasRole,
+  addUserToRole
+} = require('../../../lib/Roles')
+const logger = console
+
+module.exports = async (_, args, { pgdb, req, signInHooks }) => {
+  ensureUserHasRole(req.user, 'admin')
+  const { userId, role } = args
+  const user = await pgdb.public.users.findOne({id: userId})
+
+  if (!user) {
+    logger.error('user not found', { req: req._log() })
+    throw new Error(t('api/users/404'))
+  }
+
+  if (userHasRole(user, role)) {
+    return user
+  } else {
+    return addUserToRole(userId, role, pgdb)
+  }
+}
diff --git a/packages/auth/graphql/resolvers/_mutations/removeUserFromRole.js b/packages/auth/graphql/resolvers/_mutations/removeUserFromRole.js
@@ -0,0 +1,27 @@
+const t = require('../../../lib/t')
+const {
+  ensureUserHasRole,
+  userHasRole,
+  removeUserFromRole
+} = require('../../../lib/Roles')
+
+const logger = console
+
+module.exports = async (_, args, { pgdb, req, signInHooks }) => {
+  ensureUserHasRole(req.user, 'admin')
+
+  const { userId, role } = args
+
+  const user = await pgdb.public.users.findOne({id: userId})
+
+  if (!user) {
+    logger.error('user not found', { req: req._log() })
+    throw new Error(t('api/users/404'))
+  }
+
+  if (!userHasRole(user, role)) {
+    return user
+  } else {
+    return removeUserFromRole(userId, role, pgdb)
+  }
+}
diff --git a/packages/auth/graphql/schema-types.js b/packages/auth/graphql/schema-types.js
@@ -25,6 +25,7 @@ type User {
   createdAt: DateTime!
   updatedAt: DateTime!
   sessions: [Session!]
+  eventLog: [EventLog!]!
 }
 
 type SignInResponse {
@@ -38,4 +39,20 @@ type RequestInfo {
   countryFlag: String
   city: String
 }
+
+enum EventLogType {
+  TOKEN_REQUEST
+  ROLL_SESSION
+  AUTHORIZE_SESSION
+  DENY_SESSION
+  SIGNOUT_TIMEOUT
+  UNKNOWN
+}
+
+type EventLog {
+  type: EventLogType
+  archivedSession: Session
+  activeSession: Session
+  createdAt: DateTime!
+}
 `
diff --git a/packages/auth/graphql/schema.js b/packages/auth/graphql/schema.js
@@ -41,5 +41,11 @@ type mutations {
   # if userId is null, the logged in user's sessions get cleared
   # required role to clear other's session: supporter
   clearSessions(userId: ID): Boolean!
+
+  # Add a user to a given role
+  addUserToRole(userId: ID!, role: String!): User!
+
+  # Remove a user from a given role
+  removeUserFromRole(userId: ID!, role: String!): User!
 }
 `
diff --git a/packages/auth/lib/Roles.js b/packages/auth/lib/Roles.js
@@ -22,9 +22,8 @@ const ensureUserHasRole = (user, role) => {
   }
 }
 
-
 const userIsInRoles = (user, roles = []) => {
-  const matches = roles.filter( role =>
+  const matches = roles.filter(role =>
     userHasRole(user, role)
   )
   return matches.length > 0
@@ -35,18 +34,17 @@ const ensureUserIsInRoles = (user, roles) => {
     console.info('signIn', { stack: new Error().stack })
     throw new Error(t('api/signIn'))
   }
-  if(!userIsInRoles(user, roles)) {
+  if (!userIsInRoles(user, roles)) {
     console.info('unauthorized', { stack: new Error().stack })
     throw new Error(t.pluralize('api/unauthorized', {
       count: roles.length,
       role: roles
-        .map( role => `«${role}»`)
+        .map(role => `«${role}»`)
         .join(', ')
     }))
   }
 }
 
-
 const addUserToRole = async (userId, role, pgdb) => {
   await pgdb.query(`
     UPDATE
@@ -63,7 +61,7 @@ const addUserToRole = async (userId, role, pgdb) => {
   return pgdb.public.users.findOne({id: userId})
 }
 
-const removeUserFromRoll = async (userId, role, pgdb) => {
+const removeUserFromRole = async (userId, role, pgdb) => {
   await pgdb.query(`
     UPDATE
       users
@@ -108,5 +106,5 @@ module.exports = {
   userIsMeOrHasProfile,
   ensureUserIsInRoles,
   addUserToRole,
-  removeUserFromRoll
+  removeUserFromRole
 }
diff --git a/packages/auth/lib/translations.json b/packages/auth/lib/translations.json
@@ -8,15 +8,15 @@
     },
     {
       "key": "api/unauthorized",
-      "value": "Nicht genehmigt. Sie müssen die Rolle «{role}» besitzen um die gwünschte Aktion auszuführen."
+      "value": "Nicht genehmigt. Sie müssen die Rolle «{role}» besitzen, um die gewünschte Aktion auszuführen."
     },
     {
       "key": "api/unauthorized/1",
-      "value": "Nicht genehmigt. Sie müssen die Rolle {role} besitzen um die gwünschte Aktion auszuführen."
+      "value": "Nicht genehmigt. Sie müssen die Rolle {role} besitzen, um die gewünschte Aktion auszuführen."
     },
     {
       "key": "api/unauthorized/other",
-      "value": "Nicht genehmigt. Sie müssen mindestens eine der folgenden Rollen {role} besitzen um die gwünschte Aktion auszuführen."
+      "value": "Nicht genehmigt. Sie müssen mindestens eine der folgenden Rollen {role} besitzen, um die gewünschte Aktion auszuführen."
     },
     {
       "key": "api/email/invalid",
@@ -59,4 +59,4 @@
       "value": "Der User konnte leider nicht gefunden werden."
     }
   ]
-}
+}
diff --git a/packages/auth/script/roleUser.js b/packages/auth/script/roleUser.js
@@ -33,7 +33,7 @@ PgDb.connect({connectionString: DATABASE_URL}).then(async (pgdb) => {
 
   let newUser
   if (process.argv[4]) {
-    newUser = await Roles.removeUserFromRoll(user.id, role, pgdb)
+    newUser = await Roles.removeUserFromRole(user.id, role, pgdb)
   } else {
     newUser = await Roles.addUserToRole(user.id, role, pgdb)
   }

diff --git a/packages/auth/script/roleUsers.js b/packages/auth/script/roleUsers.js
@@ -65,7 +65,7 @@ PgDb.connect({connectionString: DATABASE_URL}).then(async (pgdb) => {
             )
           } else {
             promises.push(
-              Roles.removeUserFromRoll(existingUser.id, role, transaction)
+              Roles.removeUserFromRole(existingUser.id, role, transaction)
             )
           }
         }

diff --git a/servers/publikator/lib/translations.json b/servers/publikator/lib/translations.json
@@ -8,7 +8,7 @@
     },
     {
       "key": "api/unauthorized",
-      "value": "Nicht genehmigt. Sie müssen die Rolle «{role}» besitzen um die gwünschte Aktion auszuführen."
+      "value": "Nicht genehmigt. Sie müssen die Rolle «{role}» besitzen, um die gewünschte Aktion auszuführen."
     },
     {
       "key": "api/email/invalid",
@@ -59,4 +59,4 @@
       "value": "1 weiteres Foto"
     }
   ]
-}
+}
diff --git a/servers/republik/.env.example b/servers/republik/.env.example
@@ -41,6 +41,8 @@ MAILCHIMP_INTEREST_MEMBER_BENEFACTOR=
 #SLACK_API_TOKEN=
 #SLACK_CHANNEL_COMMENTS=
 #SLACK_CHANNEL_GREETING=
+#SLACK_CHANNEL_ADMIN=
+#SLACK_CHANNEL_FINANCE=
 
 # Sheet IDs for gsheets powered pages
 #GSHEETS={"someSheetId": "faqs","someSheetId": "updates","someSheetId": "events"}

diff --git a/servers/republik/__tests__/auth.js b/servers/republik/__tests__/auth.js
@@ -92,6 +92,15 @@ const Supporter = {
   verified: true
 }
 
+const Admin = {
+  id: 'a0000000-0000-0000-0001-000000000004',
+  firstName: 'willhelm tell',
+  lastName: 'admin',
+  email: 'willhelmtell_admin@project-r.construction',
+  roles: ['admin'],
+  verified: true
+}
+
 const Anonymous = {
   firstName: null,
   lastName: null,
@@ -105,6 +114,7 @@ module.exports = {
     Supporter,
     Unverified,
     Anonymous,
-    Member
+    Member,
+    Admin
   }
 }
diff --git a/servers/republik/__tests__/crowdfundings/addUserToRole.test.js b/servers/republik/__tests__/crowdfundings/addUserToRole.test.js
@@ -0,0 +1,60 @@
+const test = require('tape-async')
+const { connectIfNeeded, apolloFetch, pgDatabase } = require('../helpers.js')
+const { signIn, signOut, Users } = require('../auth.js')
+
+const ADD_USER_TO_ROLE = `
+  mutation addUserToRole($userId: ID!, $role: String!) {
+    user: addUserToRole(userId: $userId, role: $role) {
+      id
+      roles
+    }
+  }
+`
+
+const addUserToRole = async ({ userId, role }) => {
+  return apolloFetch({
+    query: ADD_USER_TO_ROLE,
+    variables: {
+      userId, role
+    }
+  })
+}
+
+const prepare = async (options) => {
+  await connectIfNeeded()
+  await pgDatabase().public.users.truncate({ cascade: true })
+}
+
+test('addUserToRole: Users.Admin adds role to Users.Supporter', async (t) => {
+  await prepare()
+  await pgDatabase().public.users.insert(Users.Supporter)
+  await signIn({ user: Users.Admin })
+
+  const result = await addUserToRole({
+    userId: Users.Supporter.id,
+    role: 'editor'
+  })
+  const user = await pgDatabase().public.users.findOne({ id: Users.Supporter.id })
+  t.deepEqual(user.roles, ['supporter', 'editor'], 'the db user object has the new role `editor`')
+  t.deepEqual(result.data.user.roles, ['supporter', 'editor'], 'the graphq result includes the new role `editor`')
+
+  await signOut()
+  t.end()
+})
+
+test('addUserToRole: Users.Supporter adds role to Users.Member', async (t) => {
+  await prepare()
+  await pgDatabase().public.users.insert(Users.Member)
+  await signIn({ user: Users.Supporter })
+
+  const result = await addUserToRole({
+    userId: Users.Member.id,
+    role: 'editor'
+  })
+  const user = await pgDatabase().public.users.findOne({ id: Users.Member.id })
+  t.deepEqual(user.roles, ['member'], 'the db user object is unchanged')
+  t.ok(result.errors, 'rejects calls from non-admins')
+
+  await signOut()
+  t.end()
+})