npm - @boarteam/boar-pack-users-backend - Versions diffs - 6.1.0 → 6.2.0 - Mend

@boarteam/boar-pack-users-backend 6.1.0 → 6.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +2 -2
package/src/users/policies/manage-users.policy.ts +10 -0
package/src/users/users-editing.guard.ts +27 -2
package/src/users/users.controller.ts +5 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@boarteam/boar-pack-users-backend",
-  "version": "6.1.0",
+  "version": "6.2.0",
   "description": "NestJS Users module including permissions system, authentication strategies etc",
   "main": "src/index",
   "files": [
@@ -64,5 +64,5 @@
     "yalc:push": "yalc push",
     "gen-types": "SWAGGER=true JWT_SECRET=swagger nest start"
   },
-  "gitHead": "18738ad91a207f2961e7571eddc3b5a5c76430f2"
+  "gitHead": "8dcc9ac7eeadf49314ca1c8dc9ea6c150281adec"
 }

package/src/users/policies/manage-users.policy.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { IPolicyHandler } from "../../casl/policies.guard";
+import { AppAbility } from "../../casl/casl-ability.factory";
+import { Action } from "../../casl/action.enum";
+import { User } from "../entities/user.entity";
+export class ManageUsersPolicy implements IPolicyHandler {
+  handle(ability: AppAbility) {
+    return ability.can(Action.Manage, User);
+  }
+}

package/src/users/users-editing.guard.ts CHANGED Viewed

@@ -9,11 +9,18 @@ import {
 import { Request } from 'express';
 import { getAction } from "@dataui/crud";
 import { isEqual } from 'lodash';
+import { Action, CaslAbilityFactory } from "../casl";
+import { Roles } from "./entities/user.entity";
 @Injectable()
 export class UsersEditingGuard implements CanActivate {
   private readonly logger = new Logger(UsersEditingGuard.name);
+  constructor(
+    private readonly calsAbilityFactory: CaslAbilityFactory,
+  ) {
+  }
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<Request>();
     const user = request.user;
@@ -25,7 +32,16 @@ export class UsersEditingGuard implements CanActivate {
     const editingUserId = request.params['id'];
     switch (getAction(context.getHandler())) {
-      case 'Update-One':
+      case 'Create-One': {
+        const ability = await this.calsAbilityFactory.createForUser(user);
+        if (request.body['role'] === Roles.ADMIN && !ability.can(Action.Manage, 'all')) {
+          this.logger.warn(`User can't create admin`);
+          throw new ForbiddenException(`User can't create admin`);
+        }
+        break;
+      }
+      case 'Update-One': {
         if (editingUserId === user.id) {
           const newRole = request.body['role'];
           if (newRole !== user.role && newRole !== undefined) {
@@ -45,14 +61,23 @@ export class UsersEditingGuard implements CanActivate {
             throw new ForbiddenException(`User can't change his permissions`);
           }
         }
+        const ability = await this.calsAbilityFactory.createForUser(user);
+        if (request.body['role'] === Roles.ADMIN && !ability.can(Action.Manage, 'all')) {
+          this.logger.warn(`User can't change role to admin`);
+          throw new ForbiddenException(`User can't change role to admin`);
+        }
         break;
+      }
-      case 'Delete-One':
+      case 'Delete-One': {
         if (editingUserId === user.id) {
           this.logger.warn(`User can't delete himself`);
           throw new ForbiddenException(`User can't delete himself`);
         }
         break;
+      }
     }
     return true;

package/src/users/users.controller.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import { PermissionDto } from "./dto/permission.dto";
 import { UsersEditingGuard } from "./users-editing.guard";
 import { ViewUsersPolicy } from "./policies/view-users.policy";
 import { Tools } from "@boarteam/boar-pack-common-backend";
+import { ManageUsersPolicy } from "./policies/manage-users.policy";
 @Crud({
   model: {
@@ -44,6 +45,9 @@ import { Tools } from "@boarteam/boar-pack-common-backend";
       interceptors: [
         HashPasswordInterceptor,
       ],
+      decorators: [
+        UseGuards(UsersEditingGuard),
+      ]
     },
     updateOneBase: {
       interceptors: [
@@ -64,7 +68,7 @@ import { Tools } from "@boarteam/boar-pack-common-backend";
     update: UserUpdateDto,
   },
 })
-@CheckPolicies(new ManageAllPolicy())
+@CheckPolicies(new ManageUsersPolicy())
 @UseFilters(Tools.TypeOrmExceptionFilter)
 @ApiTags('Users')
 @ApiExtraModels(PermissionDto)