@xen-orchestra/rest-api 0.30.0 → 0.30.1

package/README.md CHANGED
@@ -102,8 +102,6 @@ It is sometimes necessary to check ACLs based on the body of the request sent by
102
102
 
103
103
  ##### Example: Resource creation
104
104
 
105
- When creating a resource (which doesn't exist yet), pass the object being created as the target:
106
-
107
105
  ```ts
108
106
  /**
109
107
  * Create a new VDI
@@ -112,10 +110,7 @@ When creating a resource (which doesn't exist yet), pass the object being create
112
110
  * - resource: vdi, action: create
113
111
  */
114
112
  @Post('/')
115
- @Middlewares(acl({resource: 'vdi', action: 'create', object: ({req}) => {
116
- const {srId,...rest} = req.body
117
- return {$SR: srId, ...rest}
118
- }}))
113
+ @Middlewares(acl({resource: 'vdi', action: 'create', object: ({req}) => req.body }))
119
114
  @Response(403)
120
115
  createVdi(@Body() body: VdiConfig) {
121
116
  const {srId, ...rest}
@@ -127,8 +122,6 @@ When creating a resource (which doesn't exist yet), pass the object being create
127
122
 
128
123
  ##### Example: Resource update
129
124
 
130
- When creating a resource (which doesn't exist yet), pass the object being created as the target:
131
-
132
125
  ```ts
133
126
  /**
134
127
  * Update a VM
@@ -22,7 +22,9 @@ export class BaseController extends Controller {
22
22
  const mapper = makeObjectMapper(req, opts?.path);
23
23
  const mappedObjects = [];
24
24
  const user = this.restApi.getCurrentUser();
25
- const userPrivileges = (opts?.privilege !== undefined ? await this.restApi.xoApp.getAclV2UserPrivileges(user.id) : []);
25
+ const userPrivileges = (opts?.privilege !== undefined && user.permission !== 'admin'
26
+ ? await this.restApi.xoApp.getAclV2UserPrivileges(user.id)
27
+ : []);
26
28
  let limit = opts?.limit ?? Infinity;
27
29
  for (const object of objects) {
28
30
  if (limit === 0) {
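Review bot: Nothing in this hunk shows that an empty `userPrivileges` still lets an admin through: the new ternary returns `[]` when `user.permission` is `'admin'`, so access then depends on the check in the loop below granting it from `user.permission` alone, and that loop body is outside the hunk. The same assumption is repeated in the TaskController hunks (`update`, `remove`, `deleteTasks`), where `hasPrivilegeOn` receives both `user` and `userPrivileges`. With the literal `'admin'` comparison now in five places, I would put it behind one helper in the source and state the contract once, e.g. `// admins: access is decided from user.permission, so no ACL v2 lookup is made`. This file looks like compiled output, so the change presumably belongs in the TypeScript it is built from.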
@@ -180,6 +180,10 @@ export function acl(acls) {
180
180
  if (Object.keys(invalidFields).length > 0) {
181
181
  return next(new ValidateError(invalidFields, 'invalid parameters'));
182
182
  }
183
+ if (user.permission === 'admin') {
184
+ // Administrator users do not need to go further
185
+ return next();
186
+ }
183
187
  let userPrivileges;
184
188
  try {
185
189
  userPrivileges = (await restApi.xoApp.getAclV2UserPrivileges(user.id));
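Review bot: The early `return next()` for `user.permission === 'admin'` skips everything after the `invalidFields` check, not only the `getAclV2UserPrivileges` lookup, and the rest of the middleware lies outside the hunk. If the remaining code also evaluates the `object` callback or rejects requests whose target cannot be resolved, admins no longer get that handling, so a test with an admin request carrying a malformed body would be worth adding. The bypass also makes `user.permission` the only gate on this path, so `user` (defined above the hunk) has to be the server-side authenticated account. I would make the comment say as much, e.g. `// admin: ACL v2 is bypassed; body validation above still applies`.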
@@ -70,7 +70,9 @@ let TaskController = class TaskController extends XoController {
70
70
  const userId = this.restApi.getCurrentUser().id;
71
71
  const update = async (task) => {
72
72
  const user = await this.restApi.xoApp.getUser(userId);
73
- const userPrivileges = (await this.restApi.xoApp.getAclV2UserPrivileges(user.id));
73
+ const userPrivileges = user.permission === 'admin'
74
+ ? []
75
+ : (await this.restApi.xoApp.getAclV2UserPrivileges(user.id));
74
76
  if (hasPrivilegeOn({ user, userPrivileges, action: 'read', resource: 'task', objects: task }) &&
75
77
  (userFilter === undefined || userFilter(task))) {
76
78
  stream.write(['update', task]);
@@ -78,7 +80,9 @@ let TaskController = class TaskController extends XoController {
78
80
  };
79
81
  const remove = async (task) => {
80
82
  const user = await this.restApi.xoApp.getUser(userId);
81
- const userPrivileges = (await this.restApi.xoApp.getAclV2UserPrivileges(user.id));
83
+ const userPrivileges = user.permission === 'admin'
84
+ ? []
85
+ : (await this.restApi.xoApp.getAclV2UserPrivileges(user.id));
82
86
  if (hasPrivilegeOn({ user, userPrivileges, action: 'read', resource: 'task', objects: task }) &&
83
87
  (userFilter === undefined || userFilter(task))) {
84
88
  stream.write(['remove', { id: task.id }]);
@@ -120,7 +124,7 @@ let TaskController = class TaskController extends XoController {
120
124
  */
121
125
  async deleteTasks() {
122
126
  const user = this.restApi.getCurrentUser();
123
- const userPrivileges = (await this.restApi.xoApp.getAclV2UserPrivileges(user.id));
127
+ const userPrivileges = user.permission === 'admin' ? [] : (await this.restApi.xoApp.getAclV2UserPrivileges(user.id));
124
128
  const deletePromises = [];
125
129
  for await (const task of this.restApi.tasks.list()) {
126
130
  if (hasPrivilegeOn({ user, userPrivileges, resource: 'task', action: 'delete', objects: task })) {
@@ -18395,7 +18395,7 @@
18395
18395
  },
18396
18396
  "info": {
18397
18397
  "title": "@xen-orchestra/rest-api",
18398
- "version": "0.30.0",
18398
+ "version": "0.30.1",
18399
18399
  "description": "REST API to manage your XOA",
18400
18400
  "license": {
18401
18401
  "name": "AGPL-3.0-or-later"
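--- a/package/package.json
+++ b/package/package.json
@@ -6,7 +6,7 @@
  "main": "./dist/index.mjs",
  "name": "@xen-orchestra/rest-api",
  "homepage": "https://github.com/vatesfr/xen-orchestra/tree/master/@xen-orchestra/rest-api",
- "version": "0.30.0",
+ "version": "0.30.1",
  "description": "REST API to manage your XOA",
  "license": "AGPL-3.0-or-later",
  "private": false,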