wip: collection updates

Author: Julusian

meteor/server/api/rest/v1/index.ts

@@ -8,7 +8,6 @@ import { ClientAPI } from '@sofie-automation/meteor-lib/dist/api/client'
 import { MethodContextAPI } from '../../methodContext'
 import { logger } from '../../../logging'
 import { CURRENT_SYSTEM_VERSION } from '../../../migration/currentSystemVersion'
-import { Credentials } from '../../../security/lib/credentials'
 import { triggerWriteAccess } from '../../../security/lib/securityVerify'
 import { makeMeteorConnectionFromKoa } from '../koa'
 import { registerRoutes as registerBlueprintsRoutes } from './blueprints'
@@ -45,10 +44,6 @@ class APIContext implements ServerAPIContext {
 			},
 		}
 	}
-
-	public getCredentials(): Credentials {
-		return { userId: null }
-	}
 }
 
 export const koaRouter = new KoaRouter()

meteor/server/api/rest/v1/types.ts

@@ -1,7 +1,6 @@
 import { UserErrorMessage } from '@sofie-automation/corelib/dist/error'
 import { Meteor } from 'meteor/meteor'
 import { ClientAPI } from '@sofie-automation/meteor-lib/dist/api/client'
-import { Credentials } from '../../../security/lib/credentials'
 import { MethodContextAPI } from '../../methodContext'
 
 export type APIRegisterHook<T> = <Params, Body, Response>(
@@ -24,5 +23,4 @@ export interface APIFactory<T> {
 
 export interface ServerAPIContext {
 	getMethodContext(connection: Meteor.Connection): MethodContextAPI
-	getCredentials(): Credentials
 }

meteor/server/collections/collection.ts

@@ -23,14 +23,14 @@ import {
 } from '@sofie-automation/meteor-lib/dist/collections/lib'
 
 export interface MongoAllowRules<DBInterface> {
-	insert?: (userId: UserId | null, doc: DBInterface) => Promise<boolean> | boolean
+	// insert?: (userId: UserId | null, doc: DBInterface) => Promise<boolean> | boolean
 	update?: (
 		userId: UserId | null,
 		doc: DBInterface,
 		fieldNames: FieldNames<DBInterface>,
 		modifier: MongoModifier<DBInterface>
 	) => Promise<boolean> | boolean
-	remove?: (userId: UserId | null, doc: DBInterface) => Promise<boolean> | boolean
+	// remove?: (userId: UserId | null, doc: DBInterface) => Promise<boolean> | boolean
 }
 
 /**
@@ -107,15 +107,15 @@ function setupCollectionAllowRules<DBInterface extends { _id: ProtectedString<an
 	args: MongoAllowRules<DBInterface> | false
 ) {
 	if (args) {
-		const { insert: origInsert, update: origUpdate, remove: origRemove } = args
+		const { /* insert: origInsert,*/ update: origUpdate /*remove: origRemove*/ } = args
 
 		const options: Parameters<Mongo.Collection<DBInterface>['allow']>[0] = {
-			insert: origInsert ? (userId, doc) => waitForPromise(origInsert(protectString(userId), doc)) : () => false,
+			insert: () => false,
 			update: origUpdate
 				? (userId, doc, fieldNames, modifier) =>
 						waitForPromise(origUpdate(protectString(userId), doc, fieldNames as any, modifier))
 				: () => false,
-			remove: origRemove ? (userId, doc) => waitForPromise(origRemove(protectString(userId), doc)) : () => false,
+			remove: () => false,
 		}
 
 		collection.allow(options)

meteor/server/collections/index.ts

@@ -32,22 +32,18 @@ import { stringifyError } from '@sofie-automation/shared-lib/dist/lib/stringifyE
 import { createAsyncOnlyMongoCollection, createAsyncOnlyReadOnlyMongoCollection } from './collection'
 import { ObserveChangesForHash } from './lib'
 import { logger } from '../logging'
-import { resolveCredentials } from '../security/lib/credentials'
-import { logNotAllowed, allowOnlyFields, rejectFields } from '../security/lib/lib'
-import {
-	allowAccessToCoreSystem,
-	allowAccessToOrganization,
-	allowAccessToShowStyleBase,
-	allowAccessToStudio,
-} from '../security/lib/security'
+import { allowOnlyFields, rejectFields } from '../security/lib/lib'
 import type { DBNotificationObj } from '@sofie-automation/corelib/dist/dataModel/Notifications'
+import { checkUserIdHasOneOfPermissions } from '../security/auth'
 
 export * from './bucket'
 export * from './packages-media'
 export * from './rundown'
 
 export const Blueprints = createAsyncOnlyMongoCollection<Blueprint>(CollectionName.Blueprints, {
-	update(_userId, doc, fields, _modifier) {
+	update(userId, doc, fields, _modifier) {
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Blueprints, 'configure')) return false
+
 		return allowOnlyFields(doc, fields, ['name', 'disableVersionChecks'])
 	},
 })
@@ -57,9 +53,7 @@ registerIndex(Blueprints, {
 
 export const CoreSystem = createAsyncOnlyMongoCollection<ICoreSystem>(CollectionName.CoreSystem, {
 	async update(userId, doc, fields, _modifier) {
-		const cred = await resolveCredentials({ userId: userId })
-		const access = await allowAccessToCoreSystem(cred)
-		if (!access.update) return logNotAllowed('CoreSystem', access.reason)
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.CoreSystem, 'configure')) return false
 
 		return allowOnlyFields(doc, fields, [
 			'support',
@@ -119,8 +113,8 @@ registerIndex(Notifications, {
 
 export const Organizations = createAsyncOnlyMongoCollection<DBOrganization>(CollectionName.Organizations, {
 	async update(userId, doc, fields, _modifier) {
-		const access = await allowAccessToOrganization({ userId: userId }, doc._id)
-		if (!access.update) return logNotAllowed('Organization', access.reason)
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Organizations, 'configure')) return false
+
 		return allowOnlyFields(doc, fields, ['userRoles'])
 	},
 })
@@ -134,7 +128,9 @@ registerIndex(PeripheralDeviceCommands, {
 })
 
 export const PeripheralDevices = createAsyncOnlyMongoCollection<PeripheralDevice>(CollectionName.PeripheralDevices, {
-	update(_userId, doc, fields, _modifier) {
+	update(userId, doc, fields, _modifier) {
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.PeripheralDevices, 'configure')) return false
+
 		return rejectFields(doc, fields, [
 			'type',
 			'parentDeviceId',
@@ -163,8 +159,8 @@ registerIndex(PeripheralDevices, {
 
 export const RundownLayouts = createAsyncOnlyMongoCollection<RundownLayoutBase>(CollectionName.RundownLayouts, {
 	async update(userId, doc, fields) {
-		const access = await allowAccessToShowStyleBase({ userId: userId }, doc.showStyleBaseId)
-		if (!access.update) return logNotAllowed('ShowStyleBase', access.reason)
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.RundownLayouts, 'configure')) return false
+
 		return rejectFields(doc, fields, ['_id', 'showStyleBaseId'])
 	},
 })
@@ -180,8 +176,8 @@ registerIndex(RundownLayouts, {
 
 export const ShowStyleBases = createAsyncOnlyMongoCollection<DBShowStyleBase>(CollectionName.ShowStyleBases, {
 	async update(userId, doc, fields) {
-		const access = await allowAccessToShowStyleBase({ userId: userId }, doc._id)
-		if (!access.update) return logNotAllowed('ShowStyleBase', access.reason)
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.ShowStyleBases, 'configure')) return false
+
 		return rejectFields(doc, fields, ['_id'])
 	},
 })
@@ -191,8 +187,7 @@ registerIndex(ShowStyleBases, {
 
 export const ShowStyleVariants = createAsyncOnlyMongoCollection<DBShowStyleVariant>(CollectionName.ShowStyleVariants, {
 	async update(userId, doc, fields) {
-		const access = await allowAccessToShowStyleBase({ userId: userId }, doc.showStyleBaseId)
-		if (!access.update) return logNotAllowed('ShowStyleBase', access.reason)
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.ShowStyleVariants, 'configure')) return false
 
 		return rejectFields(doc, fields, ['showStyleBaseId'])
 	},
@@ -203,7 +198,9 @@ registerIndex(ShowStyleVariants, {
 })
 
 export const Snapshots = createAsyncOnlyMongoCollection<SnapshotItem>(CollectionName.Snapshots, {
-	update(_userId, doc, fields, _modifier) {
+	update(userId, doc, fields, _modifier) {
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Snapshots, 'configure')) return false
+
 		return allowOnlyFields(doc, fields, ['comment'])
 	},
 })
@@ -216,8 +213,8 @@ registerIndex(Snapshots, {
 
 export const Studios = createAsyncOnlyMongoCollection<DBStudio>(CollectionName.Studios, {
 	async update(userId, doc, fields, _modifier) {
-		const access = await allowAccessToStudio({ userId: userId }, doc._id)
-		if (!access.update) return logNotAllowed('Studio', access.reason)
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.Studios, 'configure')) return false
+
 		return rejectFields(doc, fields, ['_id'])
 	},
 })
@@ -245,17 +242,9 @@ export const TranslationsBundles = createAsyncOnlyMongoCollection<TranslationsBu
 
 export const TriggeredActions = createAsyncOnlyMongoCollection<DBTriggeredActions>(CollectionName.TriggeredActions, {
 	async update(userId, doc, fields) {
-		const cred = await resolveCredentials({ userId: userId })
-
-		if (doc.showStyleBaseId) {
-			const access = await allowAccessToShowStyleBase(cred, doc.showStyleBaseId)
-			if (!access.update) return logNotAllowed('ShowStyleBase', access.reason)
-			return rejectFields(doc, fields, ['_id'])
-		} else {
-			const access = await allowAccessToCoreSystem(cred)
-			if (!access.update) return logNotAllowed('CoreSystem', access.reason)
-			return rejectFields(doc, fields, ['_id'])
-		}
+		if (!checkUserIdHasOneOfPermissions(userId, CollectionName.TriggeredActions, 'configure')) return false
+
+		return rejectFields(doc, fields, ['_id'])
 	},
 })
 registerIndex(TriggeredActions, {

meteor/server/publications/lib.ts

@@ -1,21 +1,10 @@
 import { Meteor, Subscription } from 'meteor/meteor'
 import { AllPubSubCollections, AllPubSubTypes } from '@sofie-automation/meteor-lib/dist/api/pubsub'
 import { extractFunctionSignature } from '../lib'
-import { MongoQuery } from '@sofie-automation/corelib/dist/mongo'
-import { ResolvedCredentials, resolveCredentials } from '../security/lib/credentials'
-import { Settings } from '../Settings'
-import { PeripheralDevice } from '@sofie-automation/corelib/dist/dataModel/PeripheralDevice'
 import { MongoCursor } from '@sofie-automation/meteor-lib/dist/collections/lib'
-import {
-	OrganizationId,
-	PeripheralDeviceId,
-	ShowStyleBaseId,
-	UserId,
-} from '@sofie-automation/corelib/dist/dataModel/Ids'
+import { UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
 import { protectStringObject } from '../lib/tempLib'
 import { waitForPromise } from '../lib/lib'
-import { DBShowStyleBase } from '@sofie-automation/corelib/dist/dataModel/ShowStyleBase'
-import { PeripheralDevices, ShowStyleBases } from '../collections'
 import { MetricsGauge } from '@sofie-automation/corelib/dist/prometheus'
 
 export const MeteorPublicationSignatures: { [key: string]: string[] } = {}
@@ -80,87 +69,3 @@ export function meteorPublish<K extends keyof AllPubSubTypes>(
 ): void {
 	meteorPublishUnsafe(name, callback)
 }
-
-export namespace AutoFillSelector {
-	/** Autofill an empty selector {} with organizationId of the current user */
-	export async function organizationId<T extends { organizationId?: OrganizationId | null | undefined }>(
-		userId: UserId | null,
-		selector: MongoQuery<T>,
-		token: string | undefined
-	): Promise<{
-		cred: ResolvedCredentials | null
-		selector: MongoQuery<T>
-	}> {
-		if (!selector) throw new Meteor.Error(400, 'selector argument missing')
-
-		let cred: ResolvedCredentials | null = null
-		if (Settings.enableUserAccounts) {
-			if (!selector.organizationId) {
-				cred = await resolveCredentials({ userId: userId, token })
-				if (cred.organizationId) selector.organizationId = cred.organizationId as any
-				// TODO - should this block all access if cred.organizationId is not set
-			}
-		}
-		return { cred, selector }
-	}
-	/** Autofill an empty selector {} with deviceId of the current user's peripheralDevices */
-	export async function deviceId<T extends { deviceId: PeripheralDeviceId }>(
-		userId: UserId | null,
-		selector: MongoQuery<T>,
-		token: string | undefined
-	): Promise<{
-		cred: ResolvedCredentials | null
-		selector: MongoQuery<T>
-	}> {
-		if (!selector) throw new Meteor.Error(400, 'selector argument missing')
-
-		let cred: ResolvedCredentials | null = null
-		if (Settings.enableUserAccounts) {
-			if (!selector.deviceId) {
-				cred = await resolveCredentials({ userId: userId, token })
-				if (cred.organizationId) {
-					const devices = (await PeripheralDevices.findFetchAsync(
-						{
-							organizationId: cred.organizationId,
-						},
-						{ projection: { _id: 1 } }
-					)) as Array<Pick<PeripheralDevice, '_id'>>
-
-					selector.deviceId = { $in: devices.map((d) => d._id) } as any
-				}
-				// TODO - should this block all access if cred.organizationId is not set
-			}
-		}
-		return { cred, selector }
-	}
-	/** Autofill an empty selector {} with showStyleBaseId of the current user's showStyleBases */
-	export async function showStyleBaseId<T extends { showStyleBaseId?: ShowStyleBaseId | null }>(
-		userId: UserId | null,
-		selector: MongoQuery<T>,
-		token: string | undefined
-	): Promise<{
-		cred: ResolvedCredentials | null
-		selector: MongoQuery<T>
-	}> {
-		if (!selector) throw new Meteor.Error(400, 'selector argument missing')
-
-		let cred: ResolvedCredentials | null = null
-		if (Settings.enableUserAccounts) {
-			if (!selector.showStyleBaseId) {
-				cred = await resolveCredentials({ userId: userId, token })
-				if (cred.organizationId) {
-					const showStyleBases = (await ShowStyleBases.findFetchAsync(
-						{
-							organizationId: cred.organizationId,
-						},
-						{ projection: { _id: 1 } }
-					)) as Array<Pick<DBShowStyleBase, '_id'>>
-
-					selector.showStyleBaseId = { $in: showStyleBases.map((d) => d._id) } as any
-				}
-				// TODO - should this block all access if cred.organizationId is not set
-			}
-		}
-		return { cred, selector }
-	}
-}

meteor/server/security/_security.ts

@@ -7,6 +7,10 @@ import { Settings } from '../Settings'
 import { Meteor } from 'meteor/meteor'
 import Koa from 'koa'
 import { triggerWriteAccess } from './lib/securityVerify'
+import { UserId } from '@sofie-automation/corelib/dist/dataModel/Ids'
+import { unprotectString } from '../lib/tempLib'
+import { logger } from '../logging'
+import { CollectionName } from '@sofie-automation/corelib/dist/dataModel/Collections'
 
 export type RequestCredentials = Meteor.Connection | Koa.ParameterizedContext
 
@@ -61,3 +65,24 @@ export function assertConnectionHasOneOfPermissions(
 	// Nothing matched
 	throw new Meteor.Error(403, 'Not authorized')
 }
+
+export function checkUserIdHasOneOfPermissions(
+	userId: UserId | null,
+	collectionName: CollectionName,
+	...allowedPermissions: Array<keyof UserPermissions>
+): boolean {
+	if (allowedPermissions.length === 0) throw new Meteor.Error(403, 'No permissions specified')
+
+	triggerWriteAccess()
+
+	if (!userId) throw new Meteor.Error(403, 'UserId is null')
+
+	const permissions = parseUserPermissions(unprotectString(userId))
+	for (const permission of allowedPermissions) {
+		if (permissions[permission]) return true
+	}
+
+	// Nothing matched
+	logger.warn(`Not allowed access to ${collectionName}`)
+	return false
+}