more user role stuff

This commit is contained in:
Milo Schwartz 2024-11-09 23:59:19 -05:00
parent bb17d30c9e
commit 231e1d2e2d
No known key found for this signature in database
32 changed files with 897 additions and 138 deletions

View file

@ -51,6 +51,7 @@ export enum ActionsEnum {
// removeUserAction = "removeUserAction",
removeUserResource = "removeUserResource",
removeUserSite = "removeUserSite",
getOrgUser = "getOrgUser",
}
export async function checkUserActionPermission(

View file

@ -12,7 +12,6 @@ export async function verifyAdmin(
) {
const userId = req.user?.userId;
const orgId = req.userOrgId;
let userOrg = req.userOrg;
if (!userId) {
return next(
@ -26,16 +25,16 @@ export async function verifyAdmin(
);
}
if (!userOrg) {
if (!req.userOrg) {
const userOrgRes = await db
.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId!)))
.limit(1);
userOrg = userOrgRes[0];
req.userOrg = userOrgRes[0];
}
if (!userOrg) {
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@ -47,7 +46,7 @@ export async function verifyAdmin(
const userRole = await db
.select()
.from(roles)
.where(eq(roles.roleId, userOrg.roleId))
.where(eq(roles.roleId, req.userOrg.roleId))
.limit(1);
if (userRole.length === 0 || !userRole[0].isAdmin) {

View file

@ -12,7 +12,6 @@ export async function verifyOrgAccess(
) {
const userId = req.user!.userId;
const orgId = req.params.orgId;
let userOrg = req.userOrg;
if (!userId) {
return next(
@ -27,17 +26,17 @@ export async function verifyOrgAccess(
}
try {
if (!userOrg) {
if (!req.userOrg) {
const userOrgRes = await db
.select()
.from(userOrgs)
.where(
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
);
userOrg = userOrgRes[0];
req.userOrg = userOrgRes[0];
}
if (!userOrg) {
if (!req.userOrg) {
next(
createHttpError(
HttpCode.FORBIDDEN,
@ -46,7 +45,7 @@ export async function verifyOrgAccess(
);
} else {
// User has access, attach the user's role to the request for potential future use
req.userOrgRoleId = userOrg.roleId;
req.userOrgRoleId = req.userOrg.roleId;
req.userOrgId = orgId;
return next();
}

View file

@ -18,7 +18,6 @@ export async function verifyResourceAccess(
const userId = req.user!.userId;
const resourceId =
req.params.resourceId || req.body.resourceId || req.query.resourceId;
let userOrg = req.userOrg;
if (!userId) {
return next(
@ -51,7 +50,7 @@ export async function verifyResourceAccess(
);
}
if (!userOrg) {
if (!req.userOrg) {
const userOrgRole = await db
.select()
.from(userOrgs)
@ -62,10 +61,10 @@ export async function verifyResourceAccess(
)
)
.limit(1);
userOrg = userOrgRole[0];
req.userOrg = userOrgRole[0];
}
if (!userOrg) {
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@ -74,7 +73,7 @@ export async function verifyResourceAccess(
);
}
const userOrgRoleId = userOrg.roleId;
const userOrgRoleId = req.userOrg.roleId;
req.userOrgRoleId = userOrgRoleId;
req.userOrgId = resource[0].orgId;

View file

@ -15,7 +15,6 @@ export async function verifyRoleAccess(
const roleId = parseInt(
req.params.roleId || req.body.roleId || req.query.roleId
);
let userOrg = req.userOrg;
if (!userId) {
return next(
@ -43,7 +42,7 @@ export async function verifyRoleAccess(
);
}
if (!userOrg) {
if (!req.userOrg) {
const userOrgRole = await db
.select()
.from(userOrgs)
@ -54,10 +53,10 @@ export async function verifyRoleAccess(
)
)
.limit(1);
userOrg = userOrgRole[0];
req.userOrg = userOrgRole[0];
}
if (!userOrg) {
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@ -66,8 +65,17 @@ export async function verifyRoleAccess(
);
}
req.userOrgRoleId = userOrg.roleId;
req.userOrgId = userOrg.orgId;
if (req.userOrg.orgId !== role[0].orgId) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"Role does not belong to the organization"
)
);
}
req.userOrgRoleId = req.userOrg.roleId;
req.userOrgId = req.userOrg.orgId;
return next();
} catch (error) {

View file

@ -57,19 +57,22 @@ export async function verifySiteAccess(
);
}
// Get user's role ID in the organization
const userOrgRole = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, site[0].orgId)
if (!req.userOrg) {
// Get user's role ID in the organization
const userOrgRole = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, site[0].orgId)
)
)
)
.limit(1);
.limit(1);
req.userOrg = userOrgRole[0];
}
if (userOrgRole.length === 0) {
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@ -78,7 +81,7 @@ export async function verifySiteAccess(
);
}
const userOrgRoleId = userOrgRole[0].roleId;
const userOrgRoleId = req.userOrg.roleId;
req.userOrgRoleId = userOrgRoleId;
req.userOrgId = site[0].orgId;

View file

@ -12,7 +12,6 @@ export async function verifyTargetAccess(
) {
const userId = req.user!.userId;
const targetId = parseInt(req.params.targetId);
let userOrg = req.userOrg;
if (!userId) {
return next(
@ -36,7 +35,7 @@ export async function verifyTargetAccess(
return next(
createHttpError(
HttpCode.NOT_FOUND,
`target with ID ${targetId} not found`
`Target with ID ${targetId} not found`
)
);
}
@ -47,7 +46,7 @@ export async function verifyTargetAccess(
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`target with ID ${targetId} does not have a resource ID`
`Target with ID ${targetId} does not have a resource ID`
)
);
}
@ -77,7 +76,7 @@ export async function verifyTargetAccess(
);
}
if (!userOrg) {
if (!req.userOrg) {
const res = await db
.select()
.from(userOrgs)
@ -87,10 +86,10 @@ export async function verifyTargetAccess(
eq(userOrgs.orgId, resource[0].orgId)
)
);
userOrg = res[0];
req.userOrg = res[0];
}
if (!userOrg) {
if (!req.userOrg) {
next(
createHttpError(
HttpCode.FORBIDDEN,
@ -98,7 +97,7 @@ export async function verifyTargetAccess(
)
);
} else {
req.userOrgRoleId = userOrg.roleId;
req.userOrgRoleId = req.userOrg.roleId;
req.userOrgId = resource[0].orgId!;
next();
}

View file

@ -13,8 +13,6 @@ export async function verifyUserAccess(
const userId = req.user!.userId;
const reqUserId = req.params.userId || req.body.userId || req.query.userId;
let userOrg = req.userOrg;
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
@ -26,7 +24,7 @@ export async function verifyUserAccess(
}
try {
if (!userOrg) {
if (!req.userOrg) {
const res = await db
.select()
.from(userOrgs)
@ -37,10 +35,10 @@ export async function verifyUserAccess(
)
)
.limit(1);
userOrg = res[0];
req.userOrg = res[0];
}
if (userOrg) {
if (req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,

View file

@ -12,7 +12,6 @@ export async function verifyUserIsOrgOwner(
) {
const userId = req.user!.userId;
const orgId = req.params.orgId;
let userOrg = req.userOrg;
if (!userId) {
return next(
@ -30,17 +29,17 @@ export async function verifyUserIsOrgOwner(
}
try {
if (!userOrg) {
if (!req.userOrg) {
const res = await db
.select()
.from(userOrgs)
.where(
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
);
userOrg = res[0];
req.userOrg = res[0];
}
if (!userOrg) {
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
@ -49,7 +48,7 @@ export async function verifyUserIsOrgOwner(
);
}
if (!userOrg.isOwner) {
if (!req.userOrg.isOwner) {
return next(
createHttpError(
HttpCode.FORBIDDEN,

View file

@ -19,7 +19,6 @@ import {
verifyResourceAccess,
verifyTargetAccess,
verifyRoleAccess,
verifyAdmin,
verifyUserInRole,
verifyUserAccess,
} from "./auth";
@ -195,7 +194,6 @@ authenticated.delete(
authenticated.put(
"/org/:orgId/role",
verifyOrgAccess,
verifyAdmin,
verifyUserHasAction(ActionsEnum.createRole),
role.createRole
);
@ -215,17 +213,22 @@ authenticated.get(
// authenticated.post(
// "/role/:roleId",
// verifyRoleAccess,
// verifyAdmin,
// verifyUserHasAction(ActionsEnum.updateRole),
// role.updateRole
// );
// authenticated.delete(
// "/role/:roleId",
// verifyRoleAccess,
// verifyAdmin,
// verifyUserHasAction(ActionsEnum.deleteRole),
// role.deleteRole
// );
authenticated.delete(
"/role/:roleId",
verifyRoleAccess,
verifyUserHasAction(ActionsEnum.deleteRole),
role.deleteRole
);
authenticated.post(
"/role/:roleId/add/:userId",
verifyRoleAccess,
verifyUserAccess,
verifyUserHasAction(ActionsEnum.addUserRole),
user.addUserRole
);
// authenticated.put(
// "/role/:roleId/site",
@ -280,7 +283,6 @@ authenticated.get(
// "/role/:roleId/action",
// verifyRoleAccess,
// verifyUserInRole,
// verifyAdmin,
// verifyUserHasAction(ActionsEnum.removeRoleAction),
// role.removeRoleAction
// );
@ -288,13 +290,13 @@ authenticated.get(
// "/role/:roleId/actions",
// verifyRoleAccess,
// verifyUserInRole,
// verifyAdmin,
// verifyUserHasAction(ActionsEnum.listRoleActions),
// role.listRoleActions
// );
unauthenticated.get("/user", verifySessionMiddleware, user.getUser);
authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
authenticated.get(
"/org/:orgId/users",
verifyOrgAccess,
@ -341,7 +343,6 @@ authenticated.delete(
// "/org/:orgId/user/:userId/action",
// verifyOrgAccess,
// verifyUserAccess,
// verifyAdmin,
// verifyUserHasAction(ActionsEnum.addRoleAction),
// role.addRoleAction
// );
@ -349,7 +350,6 @@ authenticated.delete(
// "/org/:orgId/user/:userId/action",
// verifyOrgAccess,
// verifyUserAccess,
// verifyAdmin,
// verifyUserHasAction(ActionsEnum.removeRoleAction),
// role.removeRoleAction
// );

View file

@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { eq } from "drizzle-orm";
import { orgs, userOrgs } from "@server/db/schema";
import { orgs, roleActions, roles, userOrgs } from "@server/db/schema";
import response from "@server/utils/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
@ -10,6 +10,7 @@ import logger from "@server/logger";
import { createAdminRole } from "@server/db/ensureActions";
import config from "@server/config";
import { fromError } from "zod-validation-error";
import { defaultRoleAllowedActions } from "../role";
const createOrgSchema = z.object({
orgId: z.string(),
@ -96,6 +97,26 @@ export async function createOrg(
})
.execute();
const memberRole = await db
.insert(roles)
.values({
name: "Member",
description: "Members can only view resources",
orgId,
})
.returning();
await db
.insert(roleActions)
.values(
defaultRoleAllowedActions.map((action) => ({
roleId: memberRole[0].roleId,
actionId: action,
orgId,
}))
)
.execute();
return response(res, {
data: newOrg[0],
success: true,

View file

@ -19,6 +19,14 @@ const createRoleSchema = z.object({
description: z.string().optional(),
});
export const defaultRoleAllowedActions: ActionsEnum[] = [
ActionsEnum.getOrg,
ActionsEnum.getResource,
ActionsEnum.listResources,
];
export type CreateRoleBody = z.infer<typeof createRoleSchema>;
export type CreateRoleResponse = Role;
export async function createRole(
@ -78,17 +86,10 @@ export async function createRole(
})
.returning();
// default allowed actions for a non admin role
const allowedActions: ActionsEnum[] = [
ActionsEnum.getOrg,
ActionsEnum.getResource,
ActionsEnum.listResources,
];
await db
.insert(roleActions)
.values(
allowedActions.map((action) => ({
defaultRoleAllowedActions.map((action) => ({
roleId: newRole[0].roleId,
actionId: action,
orgId,

View file

@ -9,19 +9,20 @@ import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
const addUserRoleSchema = z.object({
const addUserRoleParamsSchema = z.object({
userId: z.string(),
roleId: z.number().int().positive(),
orgId: z.string(),
});
export type AddUserRoleResponse = z.infer<typeof addUserRoleParamsSchema>;
export async function addUserRole(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedBody = addUserRoleSchema.safeParse(req.body);
const parsedBody = addUserRoleParamsSchema.safeParse(req.body);
if (!parsedBody.success) {
return next(
createHttpError(
@ -31,7 +32,42 @@ export async function addUserRole(
);
}
const { userId, roleId, orgId } = parsedBody.data;
const { userId, roleId } = parsedBody.data;
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"You do not have access to this organization"
)
);
}
const orgId = req.userOrg.orgId;
const existingUser = await db
.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.limit(1);
if (existingUser.length === 0) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
"User not found or does not belong to the specified organization"
)
);
}
if (existingUser[0].isOwner) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"Cannot change the role of the owner of the organization"
)
);
}
const roleExists = await db
.select()
@ -59,7 +95,7 @@ export async function addUserRole(
success: true,
error: false,
message: "Role added to user successfully",
status: HttpCode.CREATED,
status: HttpCode.OK,
});
} catch (error) {
logger.error(error);

View file

@ -0,0 +1,120 @@
import { Request, Response, NextFunction } from "express";
import { z } from "zod";
import { db } from "@server/db";
import { roles, userOrgs, users } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import response from "@server/utils/response";
import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
import { fromError } from "zod-validation-error";
import { ActionsEnum, checkUserActionPermission } from "@server/auth/actions";
async function queryUser(orgId: string, userId: string) {
const [user] = await db
.select({
orgId: userOrgs.orgId,
userId: users.userId,
email: users.email,
roleId: userOrgs.roleId,
roleName: roles.name,
isOwner: userOrgs.isOwner,
isAdmin: roles.isAdmin,
})
.from(userOrgs)
.leftJoin(roles, eq(userOrgs.roleId, roles.roleId))
.leftJoin(users, eq(userOrgs.userId, users.userId))
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.limit(1);
return user;
}
export type GetOrgUserResponse = NonNullable<
Awaited<ReturnType<typeof queryUser>>
>;
const getOrgUserParamsSchema = z.object({
userId: z.string(),
orgId: z.string(),
});
export async function getOrgUser(
req: Request,
res: Response,
next: NextFunction
): Promise<any> {
try {
const parsedParams = getOrgUserParamsSchema.safeParse(req.params);
if (!parsedParams.success) {
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedParams.error).toString()
)
);
}
const { orgId, userId } = parsedParams.data;
if (!req.userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"You do not have access to this organization"
)
);
}
let user;
user = await queryUser(orgId, userId);
if (!user) {
const [fullUser] = await db
.select()
.from(users)
.where(eq(users.email, userId))
.limit(1);
if (fullUser) {
user = await queryUser(orgId, fullUser.userId);
}
}
if (!user) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`User with ID ${userId} not found in org`
)
);
}
if (user.userId !== req.userOrg.userId) {
const hasPermission = await checkUserActionPermission(
ActionsEnum.getOrgUser,
req
);
if (!hasPermission) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have permission perform this action"
)
);
}
}
return response<GetOrgUserResponse>(res, {
data: user,
success: true,
error: false,
message: "User retrieved successfully",
status: HttpCode.OK,
});
} catch (error) {
logger.error(error);
return next(
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

View file

@ -8,11 +8,23 @@ import HttpCode from "@server/types/HttpCode";
import createHttpError from "http-errors";
import logger from "@server/logger";
export type GetUserResponse = {
email: string;
twoFactorEnabled: boolean;
emailVerified: boolean;
};
async function queryUser(userId: string) {
const [user] = await db
.select({
userId: users.userId,
email: users.email,
twoFactorEnabled: users.twoFactorEnabled,
emailVerified: users.emailVerified,
})
.from(users)
.where(eq(users.userId, userId))
.limit(1);
return user;
}
export type GetUserResponse = NonNullable<
Awaited<ReturnType<typeof queryUser>>
>;
export async function getUser(
req: Request,
@ -28,13 +40,9 @@ export async function getUser(
);
}
const user = await db
.select()
.from(users)
.where(eq(users.userId, userId))
.limit(1);
const user = await queryUser(userId);
if (user.length === 0) {
if (!user) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
@ -44,11 +52,7 @@ export async function getUser(
}
return response<GetUserResponse>(res, {
data: {
email: user[0].email,
twoFactorEnabled: user[0].twoFactorEnabled,
emailVerified: user[0].emailVerified,
},
data: user,
success: true,
error: false,
message: "User retrieved successfully",
@ -57,10 +61,7 @@ export async function getUser(
} catch (error) {
logger.error(error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"An error occurred..."
)
createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
);
}
}

View file

@ -1,6 +1,7 @@
export * from "./getUser";
export * from "./removeUserOrg";
export * from "./listUsers";
export * from "./setUserRole";
export * from "./addUserRole";
export * from "./inviteUser";
export * from "./acceptInvite";
export * from "./acceptInvite";
export * from "./getOrgUser";

View file

@ -0,0 +1,2 @@
export type ArrayElement<ArrayType extends readonly unknown[]> =
ArrayType extends readonly (infer ElementType)[] ? ElementType : never;