add groups feature

2025-10-04 18:29:17 +02:00 · 2019-06-12 10:29:07 +02:00 · 2019-06-12 10:29:07 +02:00 · 7f5dc4c152
commit 7f5dc4c152
parent 6fd750dad5
119 changed files with 12416 additions and 402 deletions
--- a/lib/units/api/helpers/securityHandlers.js
+++ b/lib/units/api/helpers/securityHandlers.js
@ -1,7 +1,12 @@
+/**
+* Copyright © 2019 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var dbapi = require('../../../db/api')
 var jwtutil = require('../../../util/jwtutil')
 var urlutil = require('../../../util/urlutil')
 var logger = require('../../../util/logger')
+const apiutil = require('../../../util/apiutil')

 var log = logger.createLogger('api:helpers:securityHandlers')

@ -47,17 +52,27 @@ function accessTokenAuth(req, res, next) {
        if (!data) {
          return res.status(500).json({
            success: false
+          , description: 'Internal Server Error'
          })
        }
+
        dbapi.loadUser(data.email)
          .then(function(user) {
            if (user) {
+              if (user.privilege === apiutil.USER &&
+                  req.swagger.operation.definition.tags.indexOf('admin') > -1) {
+                return res.status(403).json({
+                  success: false
+                , description: 'Forbidden: privileged operation (admin)'
+                })
+              }
              req.user = user
              next()
            }
            else {
              return res.status(500).json({
                success: false
+              , description: 'Internal Server Error'
              })
            }
          })
@ -86,6 +101,7 @@ function accessTokenAuth(req, res, next) {
        else {
          return res.status(500).json({
            success: false
+          , description: 'Internal Server Error'
          })
        }
      })