
Commit 2019134

committed
Refactor access control checks to use 'Leitungsteam' group instead of year-based group names
1 parent 4c99867 commit 2019134

13 files changed

+28
-50
lines changed

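--- a/src/controllers/group.controller.js
+++ b/src/controllers/group.controller.js
@@ -10,8 +10,7 @@ import { findAllParticipators } from './participator.controller.js'
 
 async function isAllowed(req) {
 const executingUser = req.kauth.grant.access_token.content.sub
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'participator'}}))?.allowed
 return allowed
 }
@@ -92,8 +91,7 @@ export async function update(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const group = await groupModel.findByPk(req.params.id)
 if (group) {
 if (!isLT) {
@@ -116,8 +114,7 @@ export async function deleteOne(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const group = await groupModel.findByPk(req.params.id)
 if (group) {
 if (!isLT) {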
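Review bot: The role name `'Leitungsteam'` is now a bare string literal written out three times in this file and again in every other controller in this commit (groupUser, mail, participator, post, preference, supporterYear, thread, user, userDocument), so a typo in any one copy would silently route that endpoint past the leadership fast path with no error to notice. One shared helper, e.g. `export const LT_GROUP = 'Leitungsteam'` and `export function isLeitungsteam(req) { return req.kauth.grant.access_token.content.groups?.includes(LT_GROUP) ?? false }`, would give a single place to audit and to log. The check also lost its year scope: where `year + '_LT'` expired implicitly at the year change, access now depends entirely on the identity provider removing people from the group when their term ends, which is worth a comment beside the helper. isAllowed, update and deleteOne all continue outside their hunks.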

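--- a/src/controllers/groupUser.controller.js
+++ b/src/controllers/groupUser.controller.js
@@ -4,8 +4,7 @@ import settingModel from '../models/setting.model.js'
 
 async function isAllowed(req) {
 const executingUser = req.kauth.grant.access_token.content.sub
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'participator'}}))?.allowed
 return allowed
 }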
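Review bot: Removing the `settingModel.findByPk('currentYear')` call from isAllowed may leave the `import settingModel from '../models/setting.model.js'` visible in the hunk header unused; if no other reference remains in the file, drop the import so the file stops loading a model it no longer reads. participator.controller.js and preference.controller.js lose the same call and deserve the same check. isAllowed is fully visible here, the rest of the file is not.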

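--- a/src/controllers/mail.controller.js
+++ b/src/controllers/mail.controller.js
@@ -69,7 +69,7 @@ export function listDomains() {
 export async function findAllMailinglists(req, res) {
 const lists = (await mg.lists.list()).items
 const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 if (isLT) {
 res.status(200).send(lists)
 return;
@@ -101,7 +101,7 @@ export async function sendMail(req, res) {
 return;
 }
 const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const addresses = req.body.addresses
 if (!isLT) {
 const mailPermissions = await userPermissionModel.findAll({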
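Review bot: In both hunks the line `const year = (await settingModel.findByPk('currentYear')).value` (file lines 71 and 103) survives while its only visible consumer, the `year + '_LT'` group name, is gone; if `year` has no remaining use in findAllMailinglists or sendMail this is a wasted database round-trip on every mail request and should be deleted as the other controllers do. Both functions continue past their hunks, so check for later references before removing it.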

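--- a/src/controllers/participator.controller.js
+++ b/src/controllers/participator.controller.js
@@ -9,8 +9,7 @@ import preferenceModel from '../models/preference.model.js';
 const questionMapper = await getPretixMapper();
 async function isAllowed(req) {
 const executingUser = req.kauth.grant.access_token.content.sub
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'participator'}}))?.allowed
 return allowed
 }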

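--- a/src/controllers/post.controller.js
+++ b/src/controllers/post.controller.js
@@ -39,8 +39,7 @@ export async function update(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const post = await postModel.findByPk(req.params.id)
 if (post) {
 if (req.kauth.grant.access_token.content.sub !== post.createdBy && !isLT) {
@@ -59,8 +58,7 @@ export async function deleteOne(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const post = await postModel.findByPk(req.params.id)
 if (post) {
 if (req.kauth.grant.access_token.content.sub !== post.createdBy && !isLT) {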

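--- a/src/controllers/preference.controller.js
+++ b/src/controllers/preference.controller.js
@@ -4,8 +4,7 @@ import settingModel from '../models/setting.model.js'
 
 async function isAllowed(req) {
 const executingUser = req.kauth.grant.access_token.content.sub
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'participator'}}))?.allowed
 return allowed
 }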

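--- a/src/controllers/supporterYear.controller.js
+++ b/src/controllers/supporterYear.controller.js
@@ -7,8 +7,7 @@ import { ValidationError } from 'sequelize';
 import { addToSupportMailinglist, sendMailToUser } from "./mail.controller.js";
 
 export async function findAll(req, res) {
-const year = req.query.year || (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 if (!isLT) {
 res.status(403).send()
 return;
@@ -31,8 +30,7 @@ export async function findOne(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 if (!isLT) {
 res.status(403).send()
 return;
@@ -77,7 +75,7 @@ export async function create(req, res) {
 
 export async function update(req, res) {
 const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 
 if (!isLT) {
 res.status(403).send()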
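Review bot: In findAll the removed `const year = req.query.year || (await settingModel.findByPk('currentYear')).value` was the only binding of `year`, and its `req.query.year ||` half suggests it was also a filter input rather than just the group-name suffix; if `year` is read later in findAll, outside the hunk, every call now fails with a ReferenceError that surfaces as a 500. The same `req.query.year || ...` line is removed from findAll in userDocument.controller.js and needs the same check. In update the retained `const year = ...` (file line 77) likewise only earns its round-trip if something below still reads it. findAll, findOne and update all continue past their hunks.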

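--- a/src/controllers/thread.controller.js
+++ b/src/controllers/thread.controller.js
@@ -39,8 +39,7 @@ export async function update(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const thread = await threadModel.findByPk(req.params.id)
 const posts = await postModel.findAll({where: {threadId: req.params.id}})
 if (thread) {
@@ -60,8 +59,7 @@ export async function deleteOne(req, res) {
 res.status(400).send('bad request')
 return;
 }
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const thread = await threadModel.findByPk(req.params.id)
 if (thread) {
 const posts = await postModel.findAll({where: {threadId: req.params.id}})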

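--- a/src/controllers/user.controller.js
+++ b/src/controllers/user.controller.js
@@ -7,7 +7,7 @@ import { ValidationError } from 'sequelize';
 export async function findAll(req, res) {
 const year = req.query.year || (await settingModel.findByPk('currentYear')).value
 const isTeam = req.kauth.grant.access_token.content.groups?.includes(year + '_Team')
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 let findAllConfig = {}
 let userWhere = req.query
 let userYearWhere = {}
@@ -56,7 +56,7 @@ export async function findOne(req, res) {
 }
 const year = (await settingModel.findByPk('currentYear')).value
 const isTeam = req.kauth.grant.access_token.content.groups?.includes(year + '_Team')
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const self = req.kauth.grant.access_token.content.sub === req.params.uuid
 let attributes = []
 if (!isTeam && !self) {
@@ -89,8 +89,7 @@ export async function createOrUpdate(req, res) {
 return;
 }
 const self = req.kauth.grant.access_token.content.sub === req.params.uuid
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 if (!self && !isLT) {
 res.status(403).send()
 return;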
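Review bot: `isTeam` (file lines 9 and 58) still keys on the year-scoped `year + '_Team'` group while `isLT` on the same token now reads the static `'Leitungsteam'` group, so the two role checks in one function follow different membership models: by the visible code a user keeps LT status across a year change but drops out of Team unless re-added to the new year's group. If that split is intended, a one-line comment above the pair saying so keeps the next refactor from aligning one to the other; if not, the Team check should move to the same scheme. findAll, findOne and createOrUpdate all continue past their hunks.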

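--- a/src/controllers/userDocument.controller.js
+++ b/src/controllers/userDocument.controller.js
@@ -13,8 +13,7 @@ const documentTypes = [
 
 export async function findAll(req, res) {
 const executingUser = req.kauth.grant.access_token.content.sub
-const year = req.query.year || (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'userDocument'}})).allowed
 if (!allowed) {
 res.status(403).send()
@@ -35,8 +34,7 @@ export async function findOne(req, res) {
 }
 const executingUser = req.kauth.grant.access_token.content.sub
 const isSelf = executingUser === req.params.uuid
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || isSelf || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'userDocument'}})).allowed
 if (!allowed) {
 res.status(403).send()
@@ -52,8 +50,7 @@ export async function findOne(req, res) {
 
 export async function createOrUpdate(req, res) {
 const executingUser = req.kauth.grant.access_token.content.sub
-const year = (await settingModel.findByPk('currentYear')).value
-const isLT = req.kauth.grant.access_token.content.groups?.includes(year + '_LT')
+const isLT = req.kauth.grant.access_token.content.groups?.includes('Leitungsteam')
 const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'userDocument'}})).allowed
 if (!allowed) {
 res.status(403).send()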
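Review bot: The retained `(await userPermissionModel.findOne({...})).allowed` in all three functions lacks the `?.` that the group, groupUser, participator and preference controllers use on the same lookup, so a non-LT caller with no permission row gets a TypeError (a 500) instead of the 403 the following `if (!allowed)` intends. Since the commit already rewrites the line directly above in each hunk, it is a good moment to change these to `?.allowed` so the check fails closed cleanly and matches the sibling controllers. findAll, findOne and createOrUpdate all continue past their hunks.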
