Ehrenamt/ff-admin-server
2
0
Fork 0
Code Issues 12 Pull requests Projects Releases 27 Packages Wiki Activity Actions

enhance: permission handling

Browse source
This commit is contained in:
Julian Krauser 2025-05-07 09:05:36 +02:00
parent 9dd7686b67
commit 56484020d8
4 changed files with 49 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/controller/authController.ts
View file

@ -41,8 +41,6 @@ export async function login(req: Request, res: Response): Promise<any> {
let { id } = await UserService.getByUsername(username); let { id } = await UserService.getByUsername(username);
let { secret, routine } = await UserService.getUserSecretAndRoutine(id); let { secret, routine } = await UserService.getUserSecretAndRoutine(id);
console.log(secret, passedSecret);
let valid = false; let valid = false;
if (routine == LoginRoutineEnum.totp) { if (routine == LoginRoutineEnum.totp) {
valid = speakeasy.totp.verify({ valid = speakeasy.totp.verify({

37
src/helpers/permissionHelper.ts
View file

@ -17,33 +17,30 @@ export default class PermissionHelper {
permissions: PermissionObject, permissions: PermissionObject,
type: PermissionType | "admin", type: PermissionType | "admin",
section: PermissionSection, section: PermissionSection,
module?: PermissionModule module: PermissionModule
) { ) {
if (type == "admin") return permissions?.admin ?? permissions?.adminByOwner ?? false; if (type == "admin") return permissions?.admin ?? permissions?.adminByOwner ?? false;
if (permissions?.admin || permissions?.adminByOwner) return true; if (permissions?.admin || permissions?.adminByOwner) return true;
if ( if (
(!module &&
permissions[section] != undefined &&
(permissions[section]?.all == "*" || permissions[section]?.all?.includes(type))) ||
permissions[section]?.all == "*" || permissions[section]?.all == "*" ||
permissions[section]?.all?.includes(type) permissions[section]?.all?.includes(type) ||
permissions[section]?.[module] == "*" ||
permissions[section]?.[module]?.includes(type)
) )
return true; return true;
if (module && (permissions[section]?.[module] == "*" || permissions[section]?.[module]?.includes(type)))
return true;
return false; return false;
} }
static canSome( static canSome(
permissions: PermissionObject, permissions: PermissionObject,
checks: Array<{ checks: Array<{
requiredPermissions: PermissionType | "admin"; requiredPermission: PermissionType | "admin";
section: PermissionSection; section: PermissionSection;
module?: PermissionModule; module: PermissionModule;
}> }>
) { ) {
checks.reduce<boolean>((prev, curr) => { checks.reduce<boolean>((prev, curr) => {
return prev || this.can(permissions, curr.requiredPermissions, curr.section, curr.module); return prev || this.can(permissions, curr.requiredPermission, curr.section, curr.module);
}, false); }, false);
} }
@ -66,12 +63,12 @@ export default class PermissionHelper {
static canSomeSection( static canSomeSection(
permissions: PermissionObject, permissions: PermissionObject,
checks: Array<{ checks: Array<{
requiredPermissions: PermissionType | "admin"; requiredPermission: PermissionType | "admin";
section: PermissionSection; section: PermissionSection;
}> }>
): boolean { ): boolean {
return checks.reduce<boolean>((prev, curr) => { return checks.reduce<boolean>((prev, curr) => {
return prev || this.can(permissions, curr.requiredPermissions, curr.section); return prev || this.canSection(permissions, curr.requiredPermission, curr.section);
}, false); }, false);
} }
@ -83,7 +80,7 @@ export default class PermissionHelper {
static passCheckMiddleware( static passCheckMiddleware(
requiredPermissions: PermissionType | "admin", requiredPermissions: PermissionType | "admin",
section: PermissionSection, section: PermissionSection,
module?: PermissionModule module: PermissionModule
): (req: Request, res: Response, next: Function) => void { ): (req: Request, res: Response, next: Function) => void {
return (req: Request, res: Response, next: Function) => { return (req: Request, res: Response, next: Function) => {
const permissions = req.permissions; const permissions = req.permissions;
@ -99,9 +96,9 @@ export default class PermissionHelper {
static passCheckSomeMiddleware( static passCheckSomeMiddleware(
checks: Array<{ checks: Array<{
requiredPermissions: PermissionType | "admin"; requiredPermission: PermissionType | "admin";
section: PermissionSection; section: PermissionSection;
module?: PermissionModule; module: PermissionModule;
}> }>
): (req: Request, res: Response, next: Function) => void { ): (req: Request, res: Response, next: Function) => void {
return (req: Request, res: Response, next: Function) => { return (req: Request, res: Response, next: Function) => {
@ -111,9 +108,7 @@ export default class PermissionHelper {
if (isOwner || this.canSome(permissions, checks)) { if (isOwner || this.canSome(permissions, checks)) {
next(); next();
} else { } else {
let permissionsToPass = checks.reduce<string>((prev, curr) => { let permissionsToPass = checks.map((c) => `${c.section}.${c.module}.${c.requiredPermission}`).join(" or ");
return prev + (prev != " or " ? "" : "") + `${curr.section}.${curr.module}.${curr.requiredPermissions}`;
}, "");
throw new ForbiddenRequestException(`missing permission for ${permissionsToPass}`); throw new ForbiddenRequestException(`missing permission for ${permissionsToPass}`);
} }
}; };
@ -136,7 +131,7 @@ export default class PermissionHelper {
} }
static sectionPassCheckSomeMiddleware( static sectionPassCheckSomeMiddleware(
checks: Array<{ requiredPermissions: PermissionType | "admin"; section: PermissionSection }> checks: Array<{ requiredPermission: PermissionType | "admin"; section: PermissionSection }>
): (req: Request, res: Response, next: Function) => void { ): (req: Request, res: Response, next: Function) => void {
return (req: Request, res: Response, next: Function) => { return (req: Request, res: Response, next: Function) => {
const permissions = req.permissions; const permissions = req.permissions;
@ -145,9 +140,7 @@ export default class PermissionHelper {
if (isOwner || this.canSomeSection(permissions, checks)) { if (isOwner || this.canSomeSection(permissions, checks)) {
next(); next();
} else { } else {
let permissionsToPass = checks.reduce<string>((prev, curr) => { let permissionsToPass = checks.map((c) => `${c.section}.${c.requiredPermission}`).join(" or ");
return prev + (prev != " or " ? "" : "") + `${curr.section}.${curr.requiredPermissions}`;
}, "");
throw new ForbiddenRequestException(`missing permission for ${permissionsToPass}`); throw new ForbiddenRequestException(`missing permission for ${permissionsToPass}`);
} }
}; };

62
src/routes/admin/index.ts
View file

@ -33,64 +33,64 @@ var router = express.Router({ mergeParams: true });
router.use( router.use(
"/award", "/award",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "award" }, { requiredPermission: "read", section: "configuration", module: "award" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
award award
); );
router.use( router.use(
"/communicationtype", "/communicationtype",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "communication_type" }, { requiredPermission: "read", section: "configuration", module: "communication_type" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
communicationType communicationType
); );
router.use( router.use(
"/executiveposition", "/executiveposition",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "executive_position" }, { requiredPermission: "read", section: "configuration", module: "executive_position" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
executivePosition executivePosition
); );
router.use( router.use(
"/membershipstatus", "/membershipstatus",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "membership_status" }, { requiredPermission: "read", section: "configuration", module: "membership_status" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
membershipStatus membershipStatus
); );
router.use( router.use(
"/qualification", "/qualification",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "qualification" }, { requiredPermission: "read", section: "configuration", module: "qualification" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
qualification qualification
); );
router.use( router.use(
"/salutation", "/salutation",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "salutation" }, { requiredPermission: "read", section: "configuration", module: "salutation" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
salutation salutation
); );
router.use( router.use(
"/calendartype", "/calendartype",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "calendar_type" }, { requiredPermission: "read", section: "configuration", module: "calendar_type" },
{ requiredPermissions: "read", section: "club", module: "calendar" }, { requiredPermission: "read", section: "club", module: "calendar" },
]), ]),
calendarType calendarType
); );
router.use( router.use(
"/querystore", "/querystore",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "query_store" }, { requiredPermission: "read", section: "configuration", module: "query_store" },
{ requiredPermissions: "read", section: "club", module: "listprint" }, { requiredPermission: "read", section: "club", module: "listprint" },
]), ]),
queryStore queryStore
); );
@ -98,16 +98,16 @@ router.use("/template", PermissionHelper.passCheckMiddleware("read", "configurat
router.use( router.use(
"/templateusage", "/templateusage",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "template_usage" }, { requiredPermission: "read", section: "configuration", module: "template_usage" },
{ requiredPermissions: "read", section: "configuration", module: "template" }, { requiredPermission: "read", section: "configuration", module: "template" },
]), ]),
templateUsage templateUsage
); );
router.use( router.use(
"/newsletterconfig", "/newsletterconfig",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "configuration", module: "newsletter_config" }, { requiredPermission: "read", section: "configuration", module: "newsletter_config" },
{ requiredPermissions: "read", section: "configuration", module: "communication_type" }, { requiredPermission: "read", section: "configuration", module: "communication_type" },
]), ]),
newsletterConfig newsletterConfig
); );
@ -116,8 +116,8 @@ router.use("/member", PermissionHelper.passCheckMiddleware("read", "club", "memb
router.use( router.use(
"/protocol", "/protocol",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "club", module: "protocol" }, { requiredPermission: "read", section: "club", module: "protocol" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
]), ]),
protocol protocol
); );
@ -125,19 +125,19 @@ router.use("/calendar", PermissionHelper.passCheckMiddleware("read", "club", "ca
router.use( router.use(
"/querybuilder", "/querybuilder",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "club", module: "query" }, { requiredPermission: "read", section: "club", module: "query" },
{ requiredPermissions: "read", section: "configuration", module: "query_store" }, { requiredPermission: "read", section: "configuration", module: "query_store" },
]), ]),
queryBuilder queryBuilder
); );
router.use( router.use(
"/newsletter", "/newsletter",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "club", module: "newsletter" }, { requiredPermission: "read", section: "club", module: "newsletter" },
{ requiredPermissions: "read", section: "club", module: "member" }, { requiredPermission: "read", section: "club", module: "member" },
{ requiredPermissions: "read", section: "club", module: "calendar" }, { requiredPermission: "read", section: "club", module: "calendar" },
{ requiredPermissions: "read", section: "club", module: "query" }, { requiredPermission: "read", section: "club", module: "query" },
{ requiredPermissions: "read", section: "configuration", module: "query_store" }, { requiredPermission: "read", section: "configuration", module: "query_store" },
]), ]),
newsletter newsletter
); );
@ -147,8 +147,8 @@ router.use("/role", PermissionHelper.passCheckMiddleware("read", "management", "
router.use( router.use(
"/user", "/user",
PermissionHelper.passCheckSomeMiddleware([ PermissionHelper.passCheckSomeMiddleware([
{ requiredPermissions: "read", section: "management", module: "user" }, { requiredPermission: "read", section: "management", module: "user" },
{ requiredPermissions: "read", section: "management", module: "role" }, { requiredPermission: "read", section: "management", module: "role" },
]), ]),
user user
); );

4
src/type/permissionTypes.ts
View file

@ -98,5 +98,7 @@ export const sectionsAndModules: SectionsAndModulesObject = {
"newsletter_config", "newsletter_config",
], ],
management: ["user", "role", "webapi", "backup", "setting"], management: ["user", "role", "webapi", "backup", "setting"],
additional: [], additional: [
//{ key: "val", name: "name", type: "number", emptyIfAdmin: true },
],
}; };