dashboard/api: add support for Zeppelin staff members; add ViewGuild permission; code cleanup

2020-05-23 16:22:03 +03:00 · 2020-05-23 16:22:03 +03:00 · d03d729438
commit d03d729438
parent 7e60950900
13 changed files with 175 additions and 75 deletions
--- a/backend/src/api/permissions.ts
+++ b/backend/src/api/permissions.ts
@ -0,0 +1,33 @@
+import { ApiPermissions, hasPermission, permissionArrToSet } from "@shared/apiPermissions";
+import { isStaff } from "../staff";
+import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";
+import { Request, Response } from "express";
+import { unauthorized } from "./responses";
+
+const apiPermissionAssignments = new ApiPermissionAssignments();
+
+export const hasGuildPermission = async (userId: string, guildId: string, permission: ApiPermissions) => {
+  if (isStaff(userId)) {
+    return true;
+  }
+
+  const permAssignment = await apiPermissionAssignments.getByGuildAndUserId(guildId, userId);
+  if (!permAssignment) {
+    return false;
+  }
+
+  return hasPermission(permissionArrToSet(permAssignment.permissions), permission);
+};
+
+/**
+ * Requires `guildId` in req.params
+ */
+export function requireGuildPermission(permission: ApiPermissions) {
+  return async (req: Request, res: Response, next) => {
+    if (!(await hasGuildPermission(req.user.userId, req.params.guildId, permission))) {
+      return unauthorized(res);
+    }
+
+    next();
+  };
+}