coop-cloud-chaos-patchs/outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update team and collection authorization

Browse Source
This commit is contained in:
Tom Moor
2018-02-18 01:14:51 -08:00
parent 2f81eb5e87
commit e84fb5e6ba
17 changed files with 181 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
server/api/__snapshots__/documents.test.js.snap
View File

@ -63,6 +63,15 @@ Object {
} }
`; `;
exports[`#documents.update should require authentication 1`] = `
Object {
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#documents.viewed should require authentication 1`] = ` exports[`#documents.viewed should require authentication 1`] = `
Object { Object {
"error": "authentication_required", "error": "authentication_required",

33
server/api/__snapshots__/team.test.js.snap
View File

@ -2,29 +2,37 @@
exports[`#team.addAdmin should promote a new admin 1`] = ` exports[`#team.addAdmin should promote a new admin 1`] = `
Object { Object {
"avatarUrl": "http://example.com/avatar.png", "data": Object {
"email": "user1@example.com", "avatarUrl": "http://example.com/avatar.png",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61", "email": "user1@example.com",
"isAdmin": true, "id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"name": "User 1", "isAdmin": true,
"name": "User 1",
"username": "user1",
},
"ok": true, "ok": true,
"status": 200, "status": 200,
"username": "user1",
} }
`; `;
exports[`#team.addAdmin should require admin 1`] = ` exports[`#team.addAdmin should require admin 1`] = `
Object { Object {
"error": "only_available_for_admins", "error": "authorization_error",
"message": "Only available for admins", "message": "Authorization Required",
"ok": false, "ok": false,
"status": 403,
} }
`; `;
exports[`#team.removeAdmin should demote an admin 1`] = ` exports[`#team.removeAdmin should demote an admin 1`] = `
Object { Object {
"avatarUrl": null, "data": Object {
"avatarUrl": "http://example.com/avatar.png",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": false,
"name": "User 1",
"username": "user1",
},
"ok": true, "ok": true,
"status": 200, "status": 200,
} }
@ -32,10 +40,9 @@ Object {
exports[`#team.removeAdmin should require admin 1`] = ` exports[`#team.removeAdmin should require admin 1`] = `
Object { Object {
"error": "only_available_for_admins", "error": "authorization_error",
"message": "Only available for admins", "message": "Authorization Required",
"ok": false, "ok": false,
"status": 403,
} }
`; `;

2
server/api/auth.js
View File

@ -9,7 +9,7 @@ const router = new Router();
router.post('auth.info', auth(), async ctx => { router.post('auth.info', auth(), async ctx => {
const user = ctx.state.user; const user = ctx.state.user;
const team = await Team.findOne({ where: { id: user.teamId } }); const team = await Team.findById(user.teamId);
ctx.body = { ctx.body = {
data: { data: {

43
server/api/collections.js
View File

@ -1,13 +1,14 @@
// @flow // @flow
import Router from 'koa-router'; import Router from 'koa-router';
import httpErrors from 'http-errors'; import httpErrors from 'http-errors';
import _ from 'lodash';
import auth from './middlewares/authentication'; import auth from './middlewares/authentication';
import pagination from './middlewares/pagination'; import pagination from './middlewares/pagination';
import { presentCollection } from '../presenters'; import { presentCollection } from '../presenters';
import { Collection } from '../models'; import { Collection } from '../models';
import policy from '../policies';
const { authorize } = policy;
const router = new Router(); const router = new Router();
router.post('collections.create', auth(), async ctx => { router.post('collections.create', auth(), async ctx => {
@ -32,6 +33,18 @@ router.post('collections.create', auth(), async ctx => {
}; };
}); });
router.post('collections.info', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertPresent(id, 'id is required');
const collection = await Collection.scope('withRecentDocuments').findById(id);
authorize(ctx.state.user, 'read', collection);
ctx.body = {
data: await presentCollection(ctx, collection),
};
});
router.post('collections.update', auth(), async ctx => { router.post('collections.update', auth(), async ctx => {
const { id, name, color } = ctx.body; const { id, name, color } = ctx.body;
ctx.assertPresent(name, 'name is required'); ctx.assertPresent(name, 'name is required');
@ -39,6 +52,8 @@ router.post('collections.update', auth(), async ctx => {
ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)'); ctx.assertHexColor(color, 'Invalid hex value (please use format #FFFFFF)');
const collection = await Collection.findById(id); const collection = await Collection.findById(id);
authorize(ctx.state.user, 'update', collection);
collection.name = name; collection.name = name;
collection.color = color; collection.color = color;
await collection.save(); await collection.save();
@ -48,25 +63,6 @@ router.post('collections.update', auth(), async ctx => {
}; };
}); });
router.post('collections.info', auth(), async ctx => {
const { id } = ctx.body;
ctx.assertPresent(id, 'id is required');
const user = ctx.state.user;
const collection = await Collection.scope('withRecentDocuments').findOne({
where: {
id,
teamId: user.teamId,
},
});
if (!collection) throw httpErrors.NotFound();
ctx.body = {
data: await presentCollection(ctx, collection),
};
});
router.post('collections.list', auth(), pagination(), async ctx => { router.post('collections.list', auth(), pagination(), async ctx => {
const user = ctx.state.user; const user = ctx.state.user;
const collections = await Collection.findAll({ const collections = await Collection.findAll({
@ -94,15 +90,12 @@ router.post('collections.delete', auth(), async ctx => {
const { id } = ctx.body; const { id } = ctx.body;
ctx.assertPresent(id, 'id is required'); ctx.assertPresent(id, 'id is required');
const user = ctx.state.user;
const collection = await Collection.findById(id); const collection = await Collection.findById(id);
authorize(ctx.state.user, 'delete', collection);
const total = await Collection.count(); const total = await Collection.count();
if (total === 1) throw httpErrors.BadRequest('Cannot delete last collection'); if (total === 1) throw httpErrors.BadRequest('Cannot delete last collection');
if (!collection || collection.teamId !== user.teamId)
throw httpErrors.BadRequest();
try { try {
await collection.destroy(); await collection.destroy();
} catch (e) { } catch (e) {

35
server/api/collections.test.js
View File

@ -2,6 +2,7 @@
import TestServer from 'fetch-test-server'; import TestServer from 'fetch-test-server';
import app from '..'; import app from '..';
import { flushdb, seed } from '../test/support'; import { flushdb, seed } from '../test/support';
import { buildUser } from '../test/factories';
import Collection from '../models/Collection'; import Collection from '../models/Collection';
const server = new TestServer(app.callback()); const server = new TestServer(app.callback());
@ -31,14 +32,6 @@ describe('#collections.list', async () => {
}); });
describe('#collections.info', async () => { describe('#collections.info', async () => {
it('should require authentication', async () => {
const res = await server.post('/api/collections.info');
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should return collection', async () => { it('should return collection', async () => {
const { user, collection } = await seed(); const { user, collection } = await seed();
const res = await server.post('/api/collections.info', { const res = await server.post('/api/collections.info', {
@ -49,6 +42,23 @@ describe('#collections.info', async () => {
expect(res.status).toEqual(200); expect(res.status).toEqual(200);
expect(body.data.id).toEqual(collection.id); expect(body.data.id).toEqual(collection.id);
}); });
it('should require authentication', async () => {
const res = await server.post('/api/collections.info');
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
it('should require authorization', async () => {
const { collection } = await seed();
const user = await buildUser();
const res = await server.post('/api/collections.info', {
body: { token: user.getJwtToken(), id: collection.id },
});
expect(res.status).toEqual(404);
});
}); });
describe('#collections.create', async () => { describe('#collections.create', async () => {
@ -82,6 +92,15 @@ describe('#collections.delete', async () => {
expect(body).toMatchSnapshot(); expect(body).toMatchSnapshot();
}); });
it('should require authorization', async () => {
const { collection } = await seed();
const user = await buildUser();
const res = await server.post('/api/collections.delete', {
body: { token: user.getJwtToken(), id: collection.id },
});
expect(res.status).toEqual(403);
});
it('should not delete last collection', async () => { it('should not delete last collection', async () => {
const { user, collection } = await seed(); const { user, collection } = await seed();
const res = await server.post('/api/collections.delete', { const res = await server.post('/api/collections.delete', {

8
server/api/documents.test.js
View File

@ -81,7 +81,7 @@ describe('#documents.revision', async () => {
id: document.id, id: document.id,
}, },
}); });
expect(res.status).toEqual(404); expect(res.status).toEqual(403);
}); });
}); });
@ -219,7 +219,7 @@ describe('#documents.star', async () => {
const res = await server.post('/api/documents.star', { const res = await server.post('/api/documents.star', {
body: { token: user.getJwtToken(), id: document.id }, body: { token: user.getJwtToken(), id: document.id },
}); });
expect(res.status).toEqual(404); expect(res.status).toEqual(403);
}); });
}); });
@ -251,7 +251,7 @@ describe('#documents.unstar', async () => {
const res = await server.post('/api/documents.unstar', { const res = await server.post('/api/documents.unstar', {
body: { token: user.getJwtToken(), id: document.id }, body: { token: user.getJwtToken(), id: document.id },
}); });
expect(res.status).toEqual(404); expect(res.status).toEqual(403);
}); });
}); });
@ -442,6 +442,6 @@ describe('#documents.update', async () => {
const res = await server.post('/api/documents.update', { const res = await server.post('/api/documents.update', {
body: { token: user.getJwtToken(), id: document.id, text: 'Updated' }, body: { token: user.getJwtToken(), id: document.id, text: 'Updated' },
}); });
expect(res.status).toEqual(404); expect(res.status).toEqual(403);
}); });
}); });

9
server/api/index.js
View File

@ -39,8 +39,13 @@ api.use(async (ctx, next) => {
} }
if (message.match('Authorization error')) { if (message.match('Authorization error')) {
ctx.status = 404; if (ctx.path.match('info')) {
message = 'Not Found'; ctx.status = 404;
message = 'Not Found';
} else {
ctx.status = 403;
message = 'Authorization Required';
}
} }
if (ctx.status === 500) { if (ctx.status === 500) {

5
server/api/middlewares/authentication.js
View File

@ -7,7 +7,6 @@ import { User, ApiKey } from '../../models';
type AuthOptions = { type AuthOptions = {
require?: boolean, require?: boolean,
adminOnly?: boolean,
}; };
export default function auth(options: AuthOptions = {}) { export default function auth(options: AuthOptions = {}) {
@ -96,10 +95,6 @@ export default function auth(options: AuthOptions = {}) {
} }
} }
if (options.adminOnly && !user.isAdmin) {
throw httpErrors.Forbidden('Only available for admins');
}
ctx.state.token = token; ctx.state.token = token;
ctx.state.user = user; ctx.state.user = user;
// $FlowFixMe // $FlowFixMe

39
server/api/middlewares/authentication.test.js
View File

@ -91,45 +91,6 @@ describe('Authentication middleware', async () => {
}); });
}); });
describe('adminOnly', () => {
it('should work if user is an admin', async () => {
const state = {};
const { user } = await seed();
const authMiddleware = auth({ adminOnly: true });
user.isAdmin = true;
await user.save();
await authMiddleware(
{
request: {
get: jest.fn(() => `Bearer ${user.getJwtToken()}`),
},
state,
cache: {},
},
jest.fn()
);
expect(state.user.id).toEqual(user.id);
});
it('should raise 403 if user is not an admin', async () => {
const { user } = await seed();
const authMiddleware = auth({ adminOnly: true });
user.idAdmin = true;
await user.save();
try {
await authMiddleware({
request: {
get: jest.fn(() => `Bearer ${user.getJwtToken()}`),
},
});
} catch (e) {
expect(e.message).toBe('Only available for admins');
}
});
});
it('should return error message if no auth token is available', async () => { it('should return error message if no auth token is available', async () => {
const state = {}; const state = {};
const authMiddleware = auth(); const authMiddleware = auth();

54
server/api/team.js
View File

@ -2,13 +2,15 @@
import Router from 'koa-router'; import Router from 'koa-router';
import httpErrors from 'http-errors'; import httpErrors from 'http-errors';
import User from '../models/User';
import Team from '../models/Team'; import Team from '../models/Team';
import User from '../models/User';
import auth from './middlewares/authentication'; import auth from './middlewares/authentication';
import pagination from './middlewares/pagination'; import pagination from './middlewares/pagination';
import { presentUser } from '../presenters'; import { presentUser } from '../presenters';
import policy from '../policies';
const { authorize } = policy;
const router = new Router(); const router = new Router();
router.post('team.users', auth(), pagination(), async ctx => { router.post('team.users', auth(), pagination(), async ctx => {
@ -31,41 +33,41 @@ router.post('team.users', auth(), pagination(), async ctx => {
}; };
}); });
router.post('team.addAdmin', auth({ adminOnly: true }), async ctx => { router.post('team.addAdmin', auth(), async ctx => {
const { user } = ctx.body; const userId = ctx.body.user;
const admin = ctx.state.user; const teamId = ctx.state.user.teamId;
ctx.assertPresent(user, 'id is required'); ctx.assertPresent(userId, 'id is required');
const team = await Team.findById(admin.teamId); const user = await User.findById(userId);
const promotedUser = await User.findOne({ authorize(ctx.state.user, 'promote', user);
where: { id: user, teamId: admin.teamId },
});
if (!promotedUser) throw httpErrors.NotFound(); const team = await Team.findById(teamId);
await team.addAdmin(user);
await team.addAdmin(promotedUser); ctx.body = {
data: presentUser(ctx, user, { includeDetails: true }),
ctx.body = presentUser(ctx, promotedUser, { includeDetails: true }); };
}); });
router.post('team.removeAdmin', auth({ adminOnly: true }), async ctx => { router.post('team.removeAdmin', auth(), async ctx => {
const { user } = ctx.body; const userId = ctx.body.user;
const admin = ctx.state.user; const teamId = ctx.state.user.teamId;
ctx.assertPresent(user, 'id is required'); ctx.assertPresent(userId, 'id is required');
const team = await Team.findById(admin.teamId); const user = await User.findById(userId);
const demotedUser = await User.findOne({ authorize(ctx.state.user, 'demote', user);
where: { id: user, teamId: admin.teamId },
});
if (!demotedUser) throw httpErrors.NotFound(); const team = await Team.findById(teamId);
try { try {
await team.removeAdmin(demotedUser); await team.removeAdmin(user);
ctx.body = presentUser(ctx, user, { includeDetails: true }); } catch (err) {
} catch (e) { throw httpErrors.BadRequest(err.message);
throw httpErrors.BadRequest(e.message);
} }
ctx.body = {
data: presentUser(ctx, user, { includeDetails: true }),
};
}); });
export default router; export default router;

9
server/api/team.test.js
View File

@ -40,10 +40,7 @@ describe('#team.addAdmin', async () => {
const { admin, user } = await seed(); const { admin, user } = await seed();
const res = await server.post('/api/team.addAdmin', { const res = await server.post('/api/team.addAdmin', {
body: { body: { token: admin.getJwtToken(), user: user.id },
token: admin.getJwtToken(),
user: user.id,
},
}); });
const body = await res.json(); const body = await res.json();
@ -54,7 +51,7 @@ describe('#team.addAdmin', async () => {
it('should require admin', async () => { it('should require admin', async () => {
const { user } = await seed(); const { user } = await seed();
const res = await server.post('/api/team.addAdmin', { const res = await server.post('/api/team.addAdmin', {
body: { token: user.getJwtToken() }, body: { token: user.getJwtToken(), user: user.id },
}); });
const body = await res.json(); const body = await res.json();
@ -98,7 +95,7 @@ describe('#team.removeAdmin', async () => {
it('should require admin', async () => { it('should require admin', async () => {
const { user } = await seed(); const { user } = await seed();
const res = await server.post('/api/team.addAdmin', { const res = await server.post('/api/team.addAdmin', {
body: { token: user.getJwtToken() }, body: { token: user.getJwtToken(), user: user.id },
}); });
const body = await res.json(); const body = await res.json();

6
server/models/Team.js
View File

@ -42,13 +42,13 @@ Team.prototype.createFirstCollection = async function(userId) {
}; };
Team.prototype.addAdmin = async function(user: User) { Team.prototype.addAdmin = async function(user: User) {
return await user.update({ isAdmin: true }); return user.update({ isAdmin: true });
}; };
Team.prototype.removeAdmin = async function(user: User) { Team.prototype.removeAdmin = async function(user: User) {
const res = await User.findAndCountAll({ const res = await User.findAndCountAll({
where: { where: {
teamId: user.teamId, teamId: this.id,
isAdmin: true, isAdmin: true,
id: { id: {
[Op.ne]: user.id, [Op.ne]: user.id,
@ -57,7 +57,7 @@ Team.prototype.removeAdmin = async function(user: User) {
limit: 1, limit: 1,
}); });
if (res.count >= 1) { if (res.count >= 1) {
return await user.update({ isAdmin: false }); return user.update({ isAdmin: false });
} else { } else {
throw new Error('At least one admin is required'); throw new Error('At least one admin is required');
} }

25
server/policies/collection.js Normal file
View File

@ -0,0 +1,25 @@
// @flow
import policy from './policy';
import Collection from '../models/Collection';
import User from '../models/User';
const { allow } = policy;
allow(User, 'create', Collection);
allow(
User,
['read', 'update'],
Collection,
(user, collection) => collection && user.teamId === collection.teamId
);
allow(
User,
'delete',
Collection,
(user, collection) =>
collection &&
user.teamId === collection.teamId &&
(user.id === collection.creatorId || user.isAdmin)
);

6
server/policies/document.js
View File

@ -5,9 +5,11 @@ import User from '../models/User';
const { allow } = policy; const { allow } = policy;
allow(User, 'create', Document);
allow( allow(
User, User,
['create', 'read', 'update', 'delete'], ['read', 'update', 'delete'],
Document, Document,
(user, doc) => user.teamId === doc.teamId (user, document) => user.teamId === document.teamId
); );

2
server/policies/index.js
View File

@ -1,5 +1,7 @@
// @flow // @flow
import policy from './policy'; import policy from './policy';
import './document'; import './document';
import './collection';
import './user';
export default policy; export default policy;

29
server/policies/user.js Normal file
View File

@ -0,0 +1,29 @@
// @flow
import policy from './policy';
import User from '../models/User';
const { allow } = policy;
allow(
User,
'read',
User,
(actor, user) => user && user.teamId === actor.teamId
);
allow(
User,
['update', 'delete'],
User,
(actor, user) =>
user &&
user.teamId === actor.teamId &&
(user.id === actor.id || actor.isAdmin)
);
allow(
User,
['promote', 'demote'],
User,
(actor, user) => user && user.teamId === actor.teamId && actor.isAdmin
);

2
services/slack/index.js
View File

@ -3,7 +3,7 @@ import type { Event } from '../../server/events';
const Slack = { const Slack = {
on: (event: Event) => { on: (event: Event) => {
console.log(`Slack service received ${event.name}, id: ${event.model.id}`); // console.log(`Slack service received ${event.name}, id: ${event.model.id}`);
}, },
}; };