Merge pull request #567 from curveball/identity-privileges

Adding a specialized privilige for dealing with identities.
curveball · Jan 9, 2025 · a3573b8 · a3573b8
2 parents 045a6e6 + d5132f4
commit a3573b8
Show file tree

Hide file tree

Showing 9 changed files with 52 additions and 27 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+0.28.2 (????-??-??)
+-------------------
+
+* Add a new privilege for managing user identities. Before this change it was
+  required to have the 'admin' privilege to do this.
+
+
 0.28.1 (2025-01-08)
 -------------------
 

diff --git a/src/migrations/20250109120700_new_privileges.ts b/src/migrations/20250109120700_new_privileges.ts
@@ -0,0 +1,18 @@
+import { Knex } from 'knex';
+
+const privilege = 'a12n:user:manage-identities';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex('privileges')
+    .insert({privilege, description: 'Full control over a user identities, including adding, deleting, setting and removing verification status.'});
+
+}
+
+export async function down(knex: Knex): Promise<void> {
+
+  await knex('privileges')
+    .delete()
+    .whereIn('privileges', [privilege]);
+
+}
+
diff --git a/src/principal-identity/controller/collection.ts b/src/principal-identity/controller/collection.ts
@@ -12,8 +12,8 @@ class PrincipalIdentityCollection extends Controller {
     const principal = await principalService.findByExternalId(ctx.params.id, 'user');
     const identities = await services.principalIdentity.findByPrincipal(principal);
 
-    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
-      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('a12n:user:manage-identities')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have the \'a12n:user:manage-identities\'privilege');
     }
 
     ctx.response.body = hal.collection(

diff --git a/src/principal-identity/controller/item.ts b/src/principal-identity/controller/item.ts
@@ -14,8 +14,8 @@ class PrincipalIdentityItem extends Controller {
 
     const identity = await services.principalIdentity.findByExternalId(principal,ctx.params.identityId);
 
-    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
-      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('a12n:user:manage-identities')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have the \'a12n:user:manage-identities\'privilege');
     }
 
     ctx.response.body = hal.item(
@@ -33,8 +33,8 @@ class PrincipalIdentityItem extends Controller {
 
     const identity = await services.principalIdentity.findByExternalId(principal,ctx.params.identityId);
 
-    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
-      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('a12n:user:manage-identities')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have the \'a12n:user:manage-identities\'privilege');
     }
 
     const isMfa = !!(+ctx.request.body.isMfa);

diff --git a/src/principal-identity/controller/verify-response.ts b/src/principal-identity/controller/verify-response.ts
@@ -14,8 +14,8 @@ class PrincipalIdentityVerify extends Controller {
 
     const identity = await services.principalIdentity.findByExternalId(principal,ctx.params.identityId);
 
-    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
-      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('a12n:user:manage-identities')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have the \'a12n:user:manage-identities\'privilege');
     }
     ctx.response.body = hal.verifyResponseForm(identity);
 
@@ -29,8 +29,8 @@ class PrincipalIdentityVerify extends Controller {
 
     const identity = await services.principalIdentity.findByExternalId(principal,ctx.params.identityId);
 
-    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
-      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('a12n:user:manage-identities')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have the \'a12n:user:manage-identities\'privilege');
     }
 
     try {

diff --git a/src/principal-identity/controller/verify.ts b/src/principal-identity/controller/verify.ts
@@ -12,8 +12,8 @@ class PrincipalIdentityVerify extends Controller {
 
     const identity = await services.principalIdentity.findByExternalId(principal,ctx.params.identityId);
 
-    if (ctx.auth.equals(principal) && !ctx.privileges.has('admin')) {
-      throw new Forbidden('You can only use this API for yourself, or if you have \'admin\' privileges');
+    if (ctx.auth.equals(principal) && !ctx.privileges.has('a12n:user:manage-identities')) {
+      throw new Forbidden('You can only use this API for yourself, or if you have the \'a12n:user:manage-identities\'privilege');
     }
 
     await services.principalIdentity.sendVerificationRequest(identity, ctx.ip()!);

diff --git a/src/privilege/types.ts b/src/privilege/types.ts
@@ -23,4 +23,5 @@ export type InternalPrivilege =
   | 'a12n:one-time-token:generate'
   | 'a12n:one-time-token:exchange'
   | 'a12n:user:change-password'
+  | 'a12n:user:manage-identities'
   | 'a12n:access-token:generate';
diff --git a/src/user/controller/item.ts b/src/user/controller/item.ts
@@ -59,8 +59,6 @@ class UserController extends Controller {
     ctx.status = 204;
 
   }
-
-
 }
 
 export default new UserController();
diff --git a/src/user/formats/hal.ts b/src/user/formats/hal.ts
@@ -82,6 +82,12 @@ export function item(user: User, privileges: PrivilegeMap, hasControl: boolean,
     };
 
   }
+  if (hasControl || currentUserPrivileges.has('a12n:user:manage-identities', user.href)) {
+    hal._links['identity-collection'] = {
+      href: `${user.href}/identity`,
+      title: 'List of identities the user is associated with'
+    };
+  }
 
   if (hasControl) {
     hal.hasPassword = hasPassword;
@@ -98,9 +104,14 @@ export function item(user: User, privileges: PrivilegeMap, hasControl: boolean,
       href: `${user.href}/app-permission`,
       title: 'App Permissions',
     };
-    hal._links['identity-collection'] = {
-      href: `${user.href}/identity`,
-      title: 'List of identities the user is associated with'
+    hal._links['edit-form'] = {
+      href: `${user.href}/edit`,
+      title: `Edit ${user.nickname}`
+    };
+
+    hal._links['privileges'] = {
+      href: `${user.href}/edit/privileges`,
+      title: 'Change privilege policy',
     };
   }
   if (currentUserPrivileges.has('a12n:user:change-password', user.href)) {
@@ -111,16 +122,6 @@ export function item(user: User, privileges: PrivilegeMap, hasControl: boolean,
         allow: ['PUT'],
       }
     };
-
-    hal._links['edit-form'] = {
-      href: `${user.href}/edit`,
-      title: `Edit ${user.nickname}`
-    };
-
-    hal._links['privileges'] = {
-      href: `${user.href}/edit/privileges`,
-      title: 'Change privilege policy',
-    };
   }
 
   return hal;
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,8 +59,6 @@ class UserController extends Controller { @@
         ctx.status = 204;
       }
     }
     export default new UserController();