Skip to content

Commit

Permalink
Make sure to remove reset password data when listing user (#330)
Browse files Browse the repository at this point in the history
  • Loading branch information
@pmeijer
pmeijer authored Jun 18, 2024
1 parent a2047ee commit fa4614b
Show file tree
Hide file tree
Showing 2 changed files with 56 additions and 49 deletions.
91 changes: 48 additions & 43 deletions src/server/middleware/auth/defaultauthorizer.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,29 +29,36 @@ function DefaultAuthorizer(mainLogger, gmeConfig) {
var ops = ['read', 'write', 'delete'];
return self.collection.findOne({
_id: userId,
disabled: {$ne: true}
disabled: { $ne: true }
}, _getProjection('siteAdmin', 'orgs', 'projects.' + projectId))
.then(function (userData) {
if (!userData) {
return Q.reject(new Error('no such user [' + userId + ']'));
}
userData.orgs = userData.orgs || [];

if (userData.siteAdmin) {
return [{}, [true, true, true]];
} else {
return [userData.projects[projectId] || {},
Q.all(ops.map(function (op) {
var query;
if ((userData.projects[projectId] || {})[op]) {
return 1;
}
query = {_id: {$in: userData.orgs}, disabled: {$ne: true}};
query['projects.' + projectId + '.' + op] = true;
return self.collection.findOne(query, {_id: 1});
}))];
}

userData.orgs = userData.orgs || [];
return [userData.projects[projectId] || {},
Q.all(ops.map(function (op) {
// Check if the user is in any org that has project access.
var query;
if ((userData.projects[projectId] || {})[op]) {
return 1; // user has the right
}

if (userData.orgs.length === 0) {
return 0; // no orgs to check
}

query = { _id: { $in: userData.orgs }, disabled: { $ne: true } };
query['projects.' + projectId + '.' + op] = true;
return self.collection.findOne(query, { _id: 1 });
}))];
}).spread(function (user, rwd) {
// merge them together
var ret = {};
ops.forEach(function (op, i) {
ret[op] = (user[op] || rwd[i]) ? true : false;
Expand All @@ -62,7 +69,7 @@ function DefaultAuthorizer(mainLogger, gmeConfig) {
}

function removeProjectRightsForAll(projectId, callback) {
var update = {$unset: {}};
var update = { $unset: {} };
update.$unset['projects.' + projectId] = '';
return self.collection.updateMany({}, update)
.nodeify(callback);
Expand All @@ -77,8 +84,8 @@ function DefaultAuthorizer(mainLogger, gmeConfig) {
function getUser(userId, callback) {
return self.collection.findOne({
_id: userId,
type: {$ne: GME_AUTH_CONSTANTS.ORGANIZATION},
disabled: {$ne: true}
type: { $ne: GME_AUTH_CONSTANTS.ORGANIZATION },
disabled: { $ne: true }
})
.then(function (userData) {
if (!userData) {
Expand All @@ -95,8 +102,8 @@ function DefaultAuthorizer(mainLogger, gmeConfig) {
}

function getAdminsInOrganization(orgId, callback) {
return self.collection.findOne({_id: orgId, type: GME_AUTH_CONSTANTS.ORGANIZATION, disabled: {$ne: true}},
{admins: 1})
return self.collection.findOne({ _id: orgId, type: GME_AUTH_CONSTANTS.ORGANIZATION, disabled: { $ne: true } },
{ admins: 1 })
.then(function (org) {
if (!org) {
return Q.reject(new Error('no such organization [' + orgId + ']'));
Expand All @@ -119,17 +126,17 @@ function DefaultAuthorizer(mainLogger, gmeConfig) {
var update;

if (type === 'set') {
update = {$set: {}};
update = { $set: {} };
update.$set['projects.' + projectId] = rights;
} else if (type === 'delete') {
update = {$unset: {}};
update = { $unset: {} };
update.$unset['projects.' + projectId] = '';
} else {
return Q.reject(new Error('unknown type ' + type))
.nodeify(callback);
}

return self.collection.updateOne({_id: userOrOrgId, disabled: {$ne: true}}, update)
return self.collection.updateOne({ _id: userOrOrgId, disabled: { $ne: true } }, update)
.then(function (result) {
if (result.matchedCount !== 1) {
return Q.reject(new Error('no such user or org [' + userOrOrgId + ']'));
Expand All @@ -145,31 +152,29 @@ function DefaultAuthorizer(mainLogger, gmeConfig) {
} else if (params.entityType === AuthorizerBase.ENTITY_TYPES.USER) {
return getUser(userId)
.then(function (user) {
var rights = {
read: true,
write: false,
delete: false
};
const readOnly = { read: true, write: false, delete: false };
const readWrite = { read: true, write: true, delete: false };

if (user.siteAdmin) {
rights.write = true;
rights.delete = true;
return rights;
} else if (!user.canCreate) {
return rights;
} else if (userId === entityId) {
rights.write = true;
return rights;
} else {
return getAdminsInOrganization(entityId)
.then(function (admins) {
if (admins.indexOf(userId) > -1) {
rights.write = true;
}

return rights;
});
return { read: true, write: true, delete: true };
}

if (userId === entityId) {
return readWrite;
}

if (!user.canCreate) {
return readOnly;
}

return getAdminsInOrganization(entityId)
.then(function (admins) {
if (admins.indexOf(userId) > -1) {
return readWrite;
}

return readOnly;
});
})
.nodeify(callback);
}
Expand Down
14 changes: 8 additions & 6 deletions src/server/middleware/auth/gmeauth.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -486,7 +486,7 @@ function GMEAuth(session, gmeConfig) {
/**
*
* @param {string} userId
* @param {object] [query]
* @param {object} [query]
* @param {function} [callback]
* @returns {*}
*/
Expand Down Expand Up @@ -860,6 +860,8 @@ function GMEAuth(session, gmeConfig) {
var i;
for (i = 0; i < userDataArray.length; i += 1) {
delete userDataArray[i].passwordHash;
delete userDataArray[i].resetHash;
delete userDataArray[i].lastReset;
userDataArray[i].data = userDataArray[i].data || {};
userDataArray[i].settings = userDataArray[i].settings || {};
}
Expand Down Expand Up @@ -1011,9 +1013,9 @@ function GMEAuth(session, gmeConfig) {
admins: [],
info: info || {}
})
.then(function (res) {
.then(function () {
self.dispatchEvent(CONSTANTS.ORGANIZATION_CREATED, { orgId: orgId });
return res;
return getOrganization(orgId);
})
.catch(function (err) {
if (err.code === 11000) {
Expand Down Expand Up @@ -1044,7 +1046,7 @@ function GMEAuth(session, gmeConfig) {
/**
*
* @param {string} orgId
* @param {object] info
* @param {object} info
* @param {function} [callback]
* @returns {*}
*/
Expand All @@ -1071,7 +1073,7 @@ function GMEAuth(session, gmeConfig) {
/**
*
* @param {string} orgId
* @param {object] [query]
* @param {object} [query]
* @param {function} [callback]
* @returns {*}
*/
Expand Down Expand Up @@ -1191,7 +1193,7 @@ function GMEAuth(session, gmeConfig) {

/**
*
* @param userId
* @param {string} userId
* @param {string} orgId
* @param {function} [callback]
* @returns {*}
Expand Down

0 comments on commit fa4614b

Please sign in to comment.