
♻️ Use new authorization can in group, auth
AnandChowdhary committed Sep 2, 2020
1 parent 9301944 commit 02799be
Showing 3 changed files with 901 additions and 656 deletions.
8 changes: 7 additions & 1 deletion src/_staart/helpers/authorization.ts
Expand Up @@ -27,6 +27,7 @@ export const BaseScopesUser = {
export const BaseScopesGroup = {
INFO: "groups/info",
API_KEYS: "groups/api-keys",
API_KEY_LOGS: "groups/api-key-logs",
BILLING: "groups/billing",
DOMAINS: "groups/domains",
INVOICES: "groups/invoices",
Expand All @@ -35,6 +36,7 @@ export const BaseScopesGroup = {
SUBSCRIPTIONS: "groups/subscriptions",
TRANSACTIONS: "groups/transactions",
WEBHOOKS: "groups/webhooks",
SECURITY: "groups/security",
};
export const BaseScopesAdmin = {
GROUPS: "admin/groups",
Expand Down Expand Up @@ -62,9 +64,13 @@ const getPolicyForUser = async (userId: number) => {
const groupMemberships = await prisma.memberships.findMany({
where: { groupId: membership.groupId },
});
policy += `p, user-${userId}, group-${membership.groupId}, ${Acts.DELETE}\n`;
groupMemberships.forEach((groupMembership) => {
if (groupMembership.role !== "OWNER")
policy += `p, user-${userId}, membership-${groupMembership.id}, ${Acts.READ}\n`;
if (groupMembership.role !== "OWNER") {
policy += `p, user-${userId}, membership-${groupMembership.id}, ${Acts.WRITE}\n`;
policy += `p, user-${userId}, membership-${groupMembership.id}, ${Acts.DELETE}\n`;
}
});
}
Object.values(ScopesGroup).forEach((scope) => {
Expand Down
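Review bot: The new membership policy under `if (groupMembership.role !== "OWNER") {` keys only on the target membership's role and never on the caller's own `membership.role`, so every member of a group — not just its owners — is granted WRITE and DELETE on every non-owner membership in that group, which as far as this hunk shows would let a plain member remove other members or rewrite their role. The unconditional `policy += \`p, user-${userId}, group-${membership.groupId}, ${Acts.DELETE}\n\`` line added just above the forEach has the same shape, handing every member delete rights on the group itself unless the enclosing loop, which starts outside the hunk, already filters on role. If only owners are meant to manage the group and its members, gate both on the caller's role, e.g. `if (membership.role === "OWNER") policy += ...group DELETE...` and `if (membership.role === "OWNER" && groupMembership.role !== "OWNER") {`, widened to any admin role the schema defines. A one-line comment above the forEach stating which role receives which act would make the rule reviewable; getPolicyForUser's body continues on both sides of the hunk.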
8 changes: 3 additions & 5 deletions src/_staart/rest/auth.ts
Expand Up @@ -16,8 +16,8 @@ import {
} from "@staart/errors";
import { compare, hash } from "@staart/text";
import { authenticator } from "otplib";
import { ALLOW_DISPOSABLE_EMAILS } from "../../config";
import { can } from "../helpers/authorization";
import { ALLOW_DISPOSABLE_EMAILS, ScopesAdmin } from "../../config";
import { can, Acts } from "../helpers/authorization";
import { deleteItemFromCache } from "../helpers/cache";
import {
checkInvalidatedToken,
Expand Down Expand Up @@ -296,9 +296,7 @@ export const impersonate = async (
impersonateUserId: number,
locals: Locals | any
) => {
if (
!(await can(tokenUserId, UserScopes.IMPERSONATE, "user", impersonateUserId))
)
if (!(await can(tokenUserId, Acts.WRITE, ScopesAdmin.USERS)))
throw new Error(INSUFFICIENT_PERMISSION);

const user = await getUserById(impersonateUserId);
Expand Down
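Review bot: The new `if (!(await can(tokenUserId, Acts.WRITE, ScopesAdmin.USERS)))` check drops `impersonateUserId` from the decision, so the only question asked is whether the caller may write admin users at all; nothing in the hunk stops an operator with that scope from impersonating another administrator, or themselves, and ending up with a session broader than their own. If that is the intended model, a comment saying so, e.g. `// admin/users WRITE permits impersonating any account; no per-target check is made here`, would stop the next reader from assuming one exists elsewhere. Otherwise add a target guard once the user is loaded on the following `getUserById(impersonateUserId)` line, such as `if (impersonateUserId === tokenUserId) throw new Error(INSUFFICIENT_PERMISSION);` plus whatever role comparison the user model supports. impersonate's body continues past the hunk, so any existing target or audit check further down is outside this view.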
