akhilmeka/permit-api
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updated roles, only superAdmin can create an admin

Browse Source
This commit is contained in:
Akhil Meka
2025-04-23 16:29:33 +05:30
parent 804066c97a
commit 38014f7138
5 changed files with 132 additions and 160 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/user/user.controller.ts
View File

@@ -1,12 +1,13 @@
import { FastifyReply, FastifyRequest } from "fastify"; import { FastifyReply, FastifyRequest } from 'fastify';
import { import {
createUser, createUser,
deleteUser, deleteUser,
ErrOpNotValid,
getUser, getUser,
listUsers, listUsers,
updateUser, updateUser,
} from "./user.service"; } from './user.service';
import { CreateUserInput, UpdateUserInput } from "./user.schema"; import { CreateUserInput, UpdateUserInput } from './user.schema';
export async function createUserHandler( export async function createUserHandler(
req: FastifyRequest, req: FastifyRequest,
@@ -18,6 +19,8 @@ export async function createUserHandler(
const user = await createUser(body, req.user); const user = await createUser(body, req.user);
return res.code(201).send(user); return res.code(201).send(user);
} catch (err) { } catch (err) {
if (err instanceof Error && err.message == ErrOpNotValid.message)
return res.code(400).send(err.message);
return err; return err;
} }
} }
@@ -26,14 +29,14 @@ export async function getCurrentUserHandler(
req: FastifyRequest, req: FastifyRequest,
res: FastifyReply res: FastifyReply
) { ) {
if (req.user.type !== "user") { if (req.user.type !== 'user') {
return res.code(400).send(); return res.code(400).send();
} }
try { try {
const user = await getUser(req.user.userId); const user = await getUser(req.user.userId);
if (user == null) if (user == null)
return res.code(404).send({ error: "resource not found" }); return res.code(404).send({ error: 'resource not found' });
return res.code(200).send(user); return res.code(200).send(user);
} catch (err) { } catch (err) {
@@ -47,7 +50,7 @@ export async function getUserHandler(req: FastifyRequest, res: FastifyReply) {
try { try {
const user = await getUser(userId); const user = await getUser(userId);
if (user == null) if (user == null)
return res.code(404).send({ error: "resource not found" }); return res.code(404).send({ error: 'resource not found' });
return res.code(200).send(user); return res.code(200).send(user);
} catch (err) { } catch (err) {
@@ -73,7 +76,7 @@ export async function updateUserHandler(
try { try {
const updatedUser = await updateUser(userId, input); const updatedUser = await updateUser(userId, input);
if (!updateUser) return res.code(404).send({ error: "resource not found" }); if (!updateUser) return res.code(404).send({ error: 'resource not found' });
return res.code(200).send(updatedUser); return res.code(200).send(updatedUser);
} catch (err) { } catch (err) {
@@ -90,7 +93,7 @@ export async function deleteUserHandler(
try { try {
const deleteResult = await deleteUser(userId, req.user.tenantId); const deleteResult = await deleteUser(userId, req.user.tenantId);
if (deleteResult.deletedCount == 0) if (deleteResult.deletedCount == 0)
return res.code(404).send({ error: "resource not found" }); return res.code(404).send({ error: 'resource not found' });
return res.code(204).send(); return res.code(204).send();
} catch (err) { } catch (err) {

27
src/user/user.schema.ts
View File

@@ -1,7 +1,7 @@
import { buildJsonSchemas } from "fastify-zod"; import { buildJsonSchemas } from 'fastify-zod';
import mongoose, { InferSchemaType } from "mongoose"; import mongoose, { InferSchemaType } from 'mongoose';
import { z } from "zod"; import { z } from 'zod';
import { roles } from "../utils/roles"; import { roles } from '../utils/roles';
const userSchema = new mongoose.Schema({ const userSchema = new mongoose.Schema({
tenantId: { tenantId: {
@@ -30,7 +30,7 @@ const userSchema = new mongoose.Schema({
}, },
defaultClient: { defaultClient: {
type: mongoose.Types.ObjectId, type: mongoose.Types.ObjectId,
ref: "organization", ref: 'organization',
}, },
passKeys: [new mongoose.Schema({}, { _id: false, strict: false })], passKeys: [new mongoose.Schema({}, { _id: false, strict: false })],
challenge: new mongoose.Schema( challenge: new mongoose.Schema(
@@ -50,9 +50,10 @@ const userSchema = new mongoose.Schema({
createdAt: Date, createdAt: Date,
createdBy: mongoose.Types.ObjectId, createdBy: mongoose.Types.ObjectId,
lastLogin: Date, lastLogin: Date,
dev: Boolean,
}); });
export const userModel = mongoose.model("user", userSchema); export const userModel = mongoose.model('user', userSchema);
export type User = InferSchemaType<typeof userSchema>; export type User = InferSchemaType<typeof userSchema>;
@@ -61,8 +62,8 @@ const userCore = {
lastName: z.string().max(30), lastName: z.string().max(30),
email: z email: z
.string({ .string({
required_error: "Email is required", required_error: 'Email is required',
invalid_type_error: "Email must be a valid string", invalid_type_error: 'Email must be a valid string',
}) })
.email(), .email(),
avatar: z.string().optional(), avatar: z.string().optional(),
@@ -75,9 +76,9 @@ const createUserInput = z
...userCore, ...userCore,
}) })
.superRefine((data, ctx) => { .superRefine((data, ctx) => {
if (data.role == "builder" && !data.orgId) { if (data.role == 'builder' && !data.orgId) {
ctx.addIssue({ ctx.addIssue({
path: ["orgId"], path: ['orgId'],
message: 'orgId is required when role is "builder"', message: 'orgId is required when role is "builder"',
code: z.ZodIssueCode.custom, code: z.ZodIssueCode.custom,
}); });
@@ -89,8 +90,8 @@ const updateUserInput = z.object({
lastName: z.string().max(30).optional(), lastName: z.string().max(30).optional(),
email: z email: z
.string({ .string({
required_error: "Email is required", required_error: 'Email is required',
invalid_type_error: "Email must be a valid string", invalid_type_error: 'Email must be a valid string',
}) })
.email() .email()
.optional(), .optional(),
@@ -124,5 +125,5 @@ export const { schemas: userSchemas, $ref: $user } = buildJsonSchemas(
updateUserInput, updateUserInput,
userResponse, userResponse,
}, },
{ $id: "user" } { $id: 'user' }
); );

34
src/user/user.service.ts
View File

@@ -1,37 +1,43 @@
import mongoose from "mongoose"; import mongoose from 'mongoose';
import { generateId, generateToken } from "../utils/id"; import { generateId, generateToken } from '../utils/id';
import { CreateUserInput, UpdateUserInput, userModel } from "./user.schema"; import { CreateUserInput, UpdateUserInput, userModel } from './user.schema';
import { sendMail } from "../utils/mail"; import { sendMail } from '../utils/mail';
import { AuthenticatedUser } from "../auth"; import { AuthenticatedUser } from '../auth';
export const ErrOpNotValid = new Error('operation is not valid');
export async function createUser( export async function createUser(
input: CreateUserInput, input: CreateUserInput,
user: AuthenticatedUser user: AuthenticatedUser
) { ) {
if (input.role == 'admin' && user.role != 'superAdmin') {
throw ErrOpNotValid;
}
const token = await generateToken(); const token = await generateToken();
const newUser = await userModel.create({ const newUser = await userModel.create({
tenantId: user.tenantId, tenantId: user.tenantId,
pid: generateId(), pid: generateId(),
name: input.firstName + " " + input.lastName, name: input.firstName + ' ' + input.lastName,
createdAt: new Date(), createdAt: new Date(),
createdBy: user.userId, createdBy: user.userId,
token: { token: {
value: token, value: token,
expiry: new Date(Date.now() + 3600 * 48 * 1000), expiry: new Date(Date.now() + 3600 * 48 * 1000),
}, },
status: "invited", status: 'invited',
...input, ...input,
}); });
const sent = await sendMail( const sent = await sendMail(
input.email, input.email,
"You have been invited to Quicker Permtis.", 'You have been invited to Quicker Permtis.',
`Click <a href="${ `Click <a href="${
process.env.SERVER_DOMAIN + process.env.SERVER_DOMAIN +
"/auth/webauthn/register?token=" + '/auth/webauthn/register?token=' +
token + token +
"&email=" + '&email=' +
newUser.email newUser.email
}">here</a> to register.` }">here</a> to register.`
); );
@@ -50,7 +56,7 @@ export async function getUser(userId: string) {
} }
export async function getUserByToken(token: string) { export async function getUserByToken(token: string) {
return await userModel.findOne({ "token.value": token }); return await userModel.findOne({ 'token.value': token });
} }
export async function getUserByEmail(email: string) { export async function getUserByEmail(email: string) {
@@ -59,9 +65,9 @@ export async function getUserByEmail(email: string) {
export async function listUsers(tenantId: string) { export async function listUsers(tenantId: string) {
return await userModel return await userModel
.find({ $and: [{ tenantId: tenantId }, { role: { $ne: "tester" } }] }) .find({ $and: [{ tenantId: tenantId }, { dev: false }] })
.select( .select(
"_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin" '_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin'
); );
} }
@@ -71,7 +77,7 @@ export async function updateUser(userId: string, input: UpdateUserInput) {
new: true, new: true,
}) })
.select( .select(
"_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin" '_id pid orgId firstName lastName name email role avatar status createdAt createdBy lastLogin'
); );
} }

12
src/utils/errors.ts
View File

@@ -1,5 +1,5 @@
import { FastifyReply, FastifyRequest } from "fastify"; import { FastifyReply, FastifyRequest } from 'fastify';
import mongoose from "mongoose"; import mongoose from 'mongoose';
export function errorHandler( export function errorHandler(
error: any, error: any,
@@ -12,7 +12,7 @@ export function errorHandler(
if (error.validation) { if (error.validation) {
const errMsg = { const errMsg = {
type: "validation_error", type: 'validation_error',
path: error.validation[0].instancePath, path: error.validation[0].instancePath,
context: error.validationContext, context: error.validationContext,
msg: error.validation[0].message, msg: error.validation[0].message,
@@ -25,9 +25,9 @@ export function errorHandler(
if (error instanceof mongoose.mongo.MongoServerError) { if (error instanceof mongoose.mongo.MongoServerError) {
if (error.code === 11000) { if (error.code === 11000) {
return res.code(400).send({ return res.code(400).send({
type: "duplicate_key", type: 'duplicate_key',
context: "body", context: 'body',
msg: "value already exists", msg: 'value already exists',
params: error.keyValue, params: error.keyValue,
}); });
} }

200
src/utils/roles.ts
View File

@@ -1,141 +1,103 @@
import { Claim } from "./claims"; import { Claim } from './claims';
export const rules: Record< export const rules: Record<
string, string,
{ claims: Claim[]; hiddenFields: Record<string, Array<string>> } { claims: Claim[]; hiddenFields: Record<string, Array<string>> }
> = { > = {
tester: { superAdmin: {
claims: [ claims: [
"user:read", 'user:read',
"user:write", 'user:write',
"org:read", 'user:delete',
"org:write", 'org:read',
"org:delete", 'org:write',
"permit:read", 'org:delete',
"permit:write", 'permit:read',
"permit:delete", 'permit:write',
"file:upload", 'permit:delete',
"file:download", 'file:upload',
"file:delete", 'file:download',
"rts:read", 'file:delete',
"rts:write", 'rts:read',
"rts:delete", 'rts:write',
"task:read", 'rts:delete',
"task:write", 'task:read',
"task:delete", 'task:write',
"notification:read", 'task:delete',
"notification:write", 'notification:read',
"notification:delete", 'notification:write',
"config:read", 'notification:delete',
"config:write", 'config:read',
"mail:all", 'config:write',
"view:read", 'mail:all',
"view:write", 'view:read',
"view:delete", 'view:write',
"token:read", 'view:delete',
"token:write",
"token:delete",
], ],
hiddenFields: { hiddenFields: {
orgs: ["__v"], orgs: ['__v'],
permits: ["__v"], permits: ['__v'],
rts: ["__v"], rts: ['__v'],
tasks: ["__v"], tasks: ['__v'],
users: ["__v"], users: ['__v'],
}, },
}, },
admin: { admin: {
claims: [ claims: [
"user:read", 'user:read',
"user:write", 'user:write',
"org:read", 'org:read',
"org:write", 'permit:read',
"org:delete", 'file:upload',
"permit:read", 'file:download',
"permit:write", 'file:delete',
"permit:delete", 'rts:read',
"file:upload", 'rts:write',
"file:download", 'rts:delete',
"file:delete", 'task:read',
"rts:read", 'task:write',
"rts:write", 'task:delete',
"rts:delete", 'notification:read',
"task:read", 'notification:delete',
"task:write", 'config:read',
"task:delete", 'config:write',
"notification:read", 'mail:all',
"notification:write", 'view:read',
"notification:delete", 'view:write',
"config:read", 'view:delete',
"config:write",
"mail:all",
"view:read",
"view:write",
"view:delete",
], ],
hiddenFields: { hiddenFields: {
orgs: ["__v"], orgs: ['__v', 'isClient', 'name'],
permits: ["__v"], permits: ['__v'],
rts: ["__v"], rts: ['__v'],
tasks: ["__v"], tasks: ['__v'],
users: ["__v"], users: ['__v'],
}, },
}, },
builder: { team: {
claims: [ claims: [
"permit:read", 'org:read',
"file:upload", 'permit:read',
"file:download", 'file:upload',
"org:read", 'file:download',
"config:read", 'rts:read',
'rts:write',
'task:read',
'task:write',
'notification:read',
'notification:delete',
'config:read',
'mail:all',
'view:read',
'view:write',
'view:delete',
], ],
hiddenFields: { hiddenFields: {
orgs: ["__v", "isClient", "name"], orgs: ['__v', 'isClient', 'name'],
permits: ["__v"], permits: ['__v'],
rts: ["__v"], rts: ['__v'],
tasks: ["__v"], tasks: ['__v'],
users: ["__v"], users: ['__v'],
},
},
staff: {
claims: [
"org:read",
"org:write",
"org:delete",
"permit:read",
"permit:write",
"permit:delete",
"file:upload",
"file:download",
"file:delete",
],
hiddenFields: {
orgs: [],
permits: [],
rts: [],
tasks: [],
users: [],
},
},
supervisor: {
claims: [
"user:read",
"org:read",
"org:write",
"org:delete",
"permit:read",
"permit:write",
"permit:delete",
"file:upload",
"file:download",
"file:delete",
],
hiddenFields: {
orgs: [],
permits: [],
rts: [],
tasks: [],
users: [],
}, },
}, },
}; };