Add rudimentary user management to dashboard

2025-05-10 12:25:02 +00:00 · 2021-09-05 16:42:35 +03:00 · 2021-09-05 16:42:35 +03:00 · 3b09d2d679
commit 3b09d2d679
parent 48c4b3578d
12 changed files with 395 additions and 81 deletions
--- a/backend/src/api/auth.ts
+++ b/backend/src/api/auth.ts
@ -149,7 +149,7 @@ export function initAuth(app: express.Express) {
      return res.json({ valid: false });
    }

-    res.json({ valid: true });
+    res.json({ valid: true, userId });
  });
  app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
    await apiLogins.expireApiKey(req.user!.apiKey);
--- a/backend/src/api/guilds.ts
+++ b/backend/src/api/guilds.ts
@ -3,15 +3,21 @@ import express, { Request, Response } from "express";
 import { YAMLException } from "js-yaml";
 import { validateGuildConfig } from "../configValidator";
 import { AllowedGuilds } from "../data/AllowedGuilds";
-import { ApiPermissionAssignments } from "../data/ApiPermissionAssignments";
+import { ApiPermissionAssignments, ApiPermissionTypes } from "../data/ApiPermissionAssignments";
 import { Configs } from "../data/Configs";
 import { apiTokenAuthHandlers } from "./auth";
 import { hasGuildPermission, requireGuildPermission } from "./permissions";
 import { clientError, ok, serverError, unauthorized } from "./responses";
 import { loadYamlSafely } from "../utils/loadYamlSafely";
 import { ObjectAliasError } from "../utils/validateNoObjectAliases";
+import { isSnowflake } from "../utils";
+import moment from "moment-timezone";
+import { ApiAuditLog } from "../data/ApiAuditLog";
+import { AuditLogEventTypes } from "../data/apiAuditLogTypes";
+import { Queue } from "../Queue";

 const apiPermissionAssignments = new ApiPermissionAssignments();
+const auditLog = new ApiAuditLog();

 export function initGuildsAPI(app: express.Express) {
  const allowedGuilds = new AllowedGuilds();
@ -25,6 +31,14 @@ export function initGuildsAPI(app: express.Express) {
    res.json(guilds);
  });

+  guildRouter.get(
+    "/my-permissions", // a
+    async (req: Request, res: Response) => {
+      const permissions = await apiPermissionAssignments.getByUserId(req.user!.userId);
+      res.json(permissions);
+    },
+  );
+
  guildRouter.get("/:guildId", async (req: Request, res: Response) => {
    if (!(await hasGuildPermission(req.user!.userId, req.params.guildId, ApiPermissions.ViewGuild))) {
      return unauthorized(res);
@ -101,5 +115,65 @@ export function initGuildsAPI(app: express.Express) {
    },
  );

+  const permissionManagementQueue = new Queue();
+  guildRouter.post(
+    "/:guildId/set-target-permissions",
+    requireGuildPermission(ApiPermissions.ManageAccess),
+    async (req: Request, res: Response) => {
+      await permissionManagementQueue.add(async () => {
+        const { type, targetId, permissions, expiresAt } = req.body;
+
+        if (type !== ApiPermissionTypes.User) {
+          return clientError(res, "Invalid type");
+        }
+        if (!isSnowflake(targetId)) {
+          return clientError(res, "Invalid targetId");
+        }
+        const validPermissions = new Set(Object.values(ApiPermissions));
+        validPermissions.delete(ApiPermissions.Owner);
+        if (!Array.isArray(permissions) || permissions.some(p => !validPermissions.has(p))) {
+          return clientError(res, "Invalid permissions");
+        }
+        if (expiresAt != null && !moment.utc(expiresAt).isValid()) {
+          return clientError(res, "Invalid expiresAt");
+        }
+
+        const existingAssignment = await apiPermissionAssignments.getByGuildAndUserId(req.params.guildId, targetId);
+        if (existingAssignment && existingAssignment.permissions.includes(ApiPermissions.Owner)) {
+          return clientError(res, "Can't change owner permissions");
+        }
+
+        if (permissions.length === 0) {
+          await apiPermissionAssignments.removeUser(req.params.guildId, targetId);
+          await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.REMOVE_API_PERMISSION, {
+            type: ApiPermissionTypes.User,
+            target_id: targetId,
+          });
+        } else {
+          const existing = await apiPermissionAssignments.getByGuildAndUserId(req.params.guildId, targetId);
+          if (existing) {
+            await apiPermissionAssignments.updateUserPermissions(req.params.guildId, targetId, permissions);
+            await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.EDIT_API_PERMISSION, {
+              type: ApiPermissionTypes.User,
+              target_id: targetId,
+              permissions,
+              expires_at: existing.expires_at,
+            });
+          } else {
+            await apiPermissionAssignments.addUser(req.params.guildId, targetId, permissions, expiresAt);
+            await auditLog.addEntry(req.params.guildId, req.user!.userId, AuditLogEventTypes.ADD_API_PERMISSION, {
+              type: ApiPermissionTypes.User,
+              target_id: targetId,
+              permissions,
+              expires_at: expiresAt,
+            });
+          }
+        }
+
+        ok(res);
+      });
+    },
+  );
+
  app.use("/guilds", guildRouter);
 }
--- a/backend/src/data/ApiPermissionAssignments.ts
+++ b/backend/src/data/ApiPermissionAssignments.ts
@ -48,12 +48,13 @@ export class ApiPermissionAssignments extends BaseRepository {
    });
  }

-  addUser(guildId, userId, permissions: ApiPermissions[]) {
+  addUser(guildId, userId, permissions: ApiPermissions[], expiresAt: string | null = null) {
    return this.apiPermissions.insert({
      guild_id: guildId,
      type: ApiPermissionTypes.User,
      target_id: userId,
      permissions,
+      expires_at: expiresAt,
    });
  }

@ -61,6 +62,19 @@ export class ApiPermissionAssignments extends BaseRepository {
    return this.apiPermissions.delete({ guild_id: guildId, type: ApiPermissionTypes.User, target_id: userId });
  }

+  async updateUserPermissions(guildId: string, userId: string, permissions: ApiPermissions[]): Promise<void> {
+    await this.apiPermissions.update(
+      {
+        guild_id: guildId,
+        type: ApiPermissionTypes.User,
+        target_id: userId,
+      },
+      {
+        permissions,
+      },
+    );
+  }
+
  async clearExpiredPermissions() {
    await this.apiPermissions
      .createQueryBuilder()
--- a/backend/src/data/entities/ApiPermissionAssignment.ts
+++ b/backend/src/data/entities/ApiPermissionAssignment.ts
@ -8,7 +8,7 @@ export class ApiPermissionAssignment {
  @PrimaryColumn()
  guild_id: string;

-  @Column({ type: "string" })
+  @Column({ type: String })
  @PrimaryColumn()
  type: ApiPermissionTypes;

@ -19,8 +19,8 @@ export class ApiPermissionAssignment {
  @Column("simple-array")
  permissions: string[];

-  @Column()
-  expires_at: string;
+  @Column({ type: String, nullable: true })
+  expires_at: string | null;

  @ManyToOne(
    type => ApiUserInfo,
--- a/backend/src/migrations/1630837386329-AddExpiresAtToApiPermissions.ts
+++ b/backend/src/migrations/1630837386329-AddExpiresAtToApiPermissions.ts
@ -5,7 +5,7 @@ export class AddExpiresAtToApiPermissions1630837386329 implements MigrationInter
    await queryRunner.addColumns("api_permissions", [
      new TableColumn({
        name: "expires_at",
-        type: "boolean",
+        type: "datetime",
        isNullable: true,
        default: null,
      }),