adapt-authoring-roles 0.0.1

package/.eslintignore

@@ -0,0 +1 @@
+node_modules

package/.eslintrc

@@ -0,0 +1,14 @@
+{
+  "env": {
+      "browser": false,
+      "node": true,
+      "commonjs": false,
+      "es2020": true
+  },
+  "extends": [
+      "standard"
+  ],
+  "parserOptions": {
+      "ecmaVersion": 2020
+  }
+}

package/.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,55 @@
+name: Bug Report
+description: File a bug report
+labels: ["bug"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: textarea
+    id: description
+    attributes:
+      label: What happened?
+      description: Please describe the issue
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behaviour
+      description: Tell us what should have happened
+  - type: textarea
+    id: repro-steps
+    attributes:
+      label: Steps to reproduce
+      description: Tell us how to reproduce the issue
+    validations:
+      required: true
+  - type: input
+    id: aat-version
+    attributes:
+      label: Authoring tool version
+      description: What version of the Adapt authoring tool are you running?
+    validations:
+      required: true
+  - type: input
+    id: fw-version
+    attributes:
+      label: Framework version
+      description: What version of the Adapt framework are you running?
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: sh

package/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

package/.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,22 @@
+name: Feature request
+description: Request a new feature
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to request a new feature in the Adapt authoring tool! The Adapt team will consider all new feature requests, but unfortunately cannot commit to every one.
+  - type: textarea
+    id: description
+    attributes:
+      label: Feature description
+      description: Please describe your feature request
+    validations:
+      required: true
+  - type: checkboxes
+    id: contribute
+    attributes:
+      label: Can you work on this feature?
+      description: If you are able to commit your own time to work on this feature, it will greatly increase the liklihood of it being implemented by the core dev team. Otherwise, it will be triaged and prioritised alongside the core team's current priorities.
+      options:
+        - label: I can contribute

package/.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"

package/.github/pull_request_template.md

@@ -0,0 +1,25 @@
+[//]: # (Please title your PR according to eslint commit conventions)
+[//]: # (See https://github.com/conventional-changelog/conventional-changelog/tree/master/packages/conventional-changelog-eslint#eslint-convention for details)
+
+[//]: # (Add a link to the original issue)
+
+[//]: # (Delete as appropriate)
+### Fix
+* A sentence describing each fix
+
+### Update
+* A sentence describing each udpate
+
+### New
+* A sentence describing each new feature
+
+### Breaking
+* A sentence describing each breaking change
+
+[//]: # (List appropriate steps for testing if needed)
+### Testing
+1. Steps for testing
+
+[//]: # (Mention any other dependencies)
+
+

package/.github/workflows/labelled_prs.yml

@@ -0,0 +1,16 @@
+name: Add labelled PRs to project
+
+on:
+  pull_request:
+    types: [ labeled ]
+
+jobs:
+  add-to-project:
+    if: ${{ github.event.label.name == 'dependencies' }}
+    name: Add to main project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.1.0
+        with:
+          project-url: https://github.com/orgs/adapt-security/projects/5
+          github-token: ${{ secrets.PROJECTS_SECRET }}

package/.github/workflows/new.yml

@@ -0,0 +1,19 @@
+name: Add to main project
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add to main project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v0.1.0
+        with:
+          project-url: https://github.com/orgs/adapt-security/projects/5
+          github-token: ${{ secrets.PROJECTS_SECRET }}

package/adapt-authoring.json

@@ -0,0 +1,5 @@
+{
+  "documentation": {
+    "enable": true
+  }
+}

package/conf/config.schema.json

@@ -0,0 +1,84 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "object",
+  "properties": {
+    "roleDefinitions": {
+      "description": "List of defined roles to be loaded on app start",
+      "type": "array",
+      "items": {
+        "type": "object",
+        "properties": {
+          "shortName": {
+            "description": "Short name for the role",
+            "type": "string"
+          },
+          "displayName": {
+            "description": "Human-readable representation of the role",
+            "type": "string"
+          },
+          "extends": {
+            "description": "The parent role that this role should inherit scopes from",
+            "type": "string"
+          },
+          "scopes": {
+            "description": "Scopes relevant to this role",
+            "type": "array",
+            "items": { "type": "string" }
+          }
+        },
+        "required": ["shortName", "displayName", "scopes"]
+      },
+      "default": [
+        {
+		      "shortName": "authuser",
+		      "displayName": "Authenticated user",
+		      "scopes": [
+		        "clear:session",
+		        "read:config",
+		        "read:lang",
+		        "read:me",
+		        "write:me",
+		        "disavow:auth"
+		      ]
+		    },
+		    {
+		      "shortName": "contentcreator",
+		      "displayName": "Content creator",
+		      "extends": "authuser",
+		      "scopes": [
+		        "export:adapt",
+		        "import:adapt",
+		        "preview:adapt",
+		        "publish:adapt",
+		        "read:assets",
+		        "write:assets",
+		        "read:content",
+		        "write:content",
+		        "read:contentplugins",
+		        "read:roles",
+		        "read:schema",
+		        "read:tags",
+		        "write:tags",
+		        "read:users"
+		      ]
+		    },
+		    {
+		      "shortName": "superuser",
+		      "displayName": "Super user",
+		      "scopes": ["*:*"]
+		    }
+      ]
+    },
+    "defaultRoles": {
+      "description": "The roles which are applied by default to new users (expects role shortname)",
+      "type": "array",
+      "items": { "type": "string" },
+      "default": ["authuser"]
+    },
+    "defaultRolesForAuthTypes": {
+      "description": "Same as defaultRoles, but allows different roles to be specified for different auth types",
+      "type": "object",
+      "default": {}
+    }
+  }
+}

package/index.js

@@ -0,0 +1,5 @@
+/**
+ * User role functionality
+ * @namespace roles
+ */
+export { default } from './lib/RolesModule.js'

package/lib/RolesModule.js

@@ -0,0 +1,132 @@
+import AbstractApiModule from 'adapt-authoring-api'
+/**
+ * Module which handles user roles
+ * @memberof roles
+ * @extends {AbstractApiModule}
+ */
+class RolesModule extends AbstractApiModule {
+  /** @override */
+  async init () {
+    await super.init()
+    try {
+      await this.initConfigRoles()
+
+      const hasRoles = this.getConfig('defaultRolesForAuthTypes').length || this.getConfig('defaultRoles').length
+      if (hasRoles) await this.initDefaultRoles()
+    } catch (e) {
+      this.log('error', e)
+    }
+    const [authlocal, users] = await this.app.waitForModule('auth-local', 'users')
+    authlocal.registerHook.tap(this.onUpdateRoles.bind(this))
+    users.requestHook.tap(this.onUpdateRoles.bind(this))
+  }
+
+  /**
+   * Adds any role definitions from the current config file to the database
+   * @return {Promise}
+   */
+  async initConfigRoles () {
+    const mongodb = await this.app.waitForModule('mongodb')
+    return Promise.allSettled(this.getConfig('roleDefinitions').map(async r => {
+      const [doc] = await this.find({ shortName: r.shortName })
+      if (doc) {
+        try {
+          await mongodb.replace(this.collectionName, { _id: doc._id }, r)
+          this.log('debug', 'REPLACE', this.schemaName, r.shortName)
+        } catch (e) {
+          if (e.code !== 11000) this.log('warn', `failed to update '${r.shortName}' role, ${e.message}`)
+        }
+        return
+      }
+      try {
+        await this.insert(r)
+        this.log('debug', 'INSERT', this.schemaName, r.shortName)
+      } catch (e) {
+        if (e.code !== 11000) this.log('warn', `failed to add '${r.shortName}' role, ${e.message}`)
+      }
+    }))
+  }
+
+  /**
+   * Adds the specified default roles during new user creation
+   * @return {Promise}
+   */
+  async shortNamesToIds (roles) {
+    return Promise.all(roles.map(async r => {
+      let role = this.roleCache[r]
+      if (!role) {
+        [role] = await this.find({ shortName: r })
+        this.roleCache[r] = role
+      }
+      return role._id.toString()
+    }))
+  }
+
+  /**
+   * Returns the list of scopes for the given role
+   * @param {String | ObjectId} _id The _id of the role
+   * @returns {Array<String>} Array of scopes
+   */
+  async getScopesForRole (_id) {
+    const allRoles = await this.find()
+    const scopes = []
+    let role = allRoles.find(r => r._id.toString() === _id.toString())
+    do {
+      scopes.push(...role.scopes)
+      role = allRoles.find(r => r.shortName === role.extends)
+    } while (role)
+    return scopes
+  }
+
+  /**
+   * Handles setting defined default roles when new users are added
+   * @return {Promise}
+   */
+  async initDefaultRoles () {
+    /**
+     * Local store of roles
+     * @type {Object}
+     */
+    this.roleCache = {}
+
+    const rolesforAll = await this.shortNamesToIds(this.getConfig('defaultRoles'))
+    const rolesForAuth = Object.entries(this.getConfig('defaultRolesForAuthTypes')).reduce((m, [k, v]) => {
+      return { [m[k]]: this.shortNamesToIds(v) }
+    }, {})
+    const users = await this.app.waitForModule('users')
+    users.preInsertHook.tap(data => {
+      if (!data.roles || !data.roles.length) {
+        data.roles = rolesForAuth[data.authType] || rolesforAll || []
+      }
+    })
+  }
+
+  /** @override */
+  async setValues () {
+    /** @ignore */ this.root = 'roles'
+    /** @ignore */ this.schemaName = 'role'
+    /** @ignore */ this.collectionName = 'roles'
+    this.useDefaultRouteConfig()
+  }
+
+  /**
+   * Handler for requests which attempt to update roles
+   * @param {external:ExpressRequest} req
+   * @returns {Promise}
+   */
+  async onUpdateRoles (req) {
+    if (!req.body.roles || req.method === 'GET' || req.method === 'DELETE') {
+      return
+    }
+    if (!req.auth.isSuper && !req.auth.scopes.includes('assign:roles')) {
+      this.log('error', 'User does not have the correct permissions to assign user roles')
+      throw this.app.errors.UNAUTHORISED
+    }
+    if (req.method !== 'POST') {
+      const auth = await this.app.waitForModule('auth')
+      await auth.authentication.disavowUser({ userId: req.params._id || req.body._id })
+    }
+  }
+}
+
+export default RolesModule

package/package.json

@@ -0,0 +1,18 @@
+{
+  "name": "adapt-authoring-roles",
+  "version": "0.0.1",
+  "description": "Module for managing user roles",
+  "homepage": "https://github.com/adapt-security/adapt-authoring-roles",
+  "license": "GPL-3.0",
+  "type": "module",
+  "main": "index.js",
+  "repository": "github:adapt-security/adapt-authoring-roles",
+  "peerDependencies": {
+    "adapt-authoring-api": "github:adapt-security/adapt-authoring-api",
+    "adapt-authoring-core": "github:adapt-security/adapt-authoring-core"
+  },
+  "devDependencies": {
+    "eslint": "^9.12.0",
+    "standard": "^17.1.0"
+  }
+}

package/schema/role.schema.json

@@ -0,0 +1,26 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$anchor": "role",
+  "description": "A user role",
+  "type": "object",
+  "properties": {
+    "shortName": {
+      "description": "Short name for the role",
+      "type": "string"
+    },
+    "displayName": {
+      "description": "Human-readable representation of the role",
+      "type": "string"
+    },
+    "extends": {
+      "description": "The parent role that this role should inherit scopes from",
+      "type": "string"
+    },
+    "scopes": {
+      "description": "Scopes relevant to this role",
+      "type": "array",
+      "items": { "type": "string" }
+    }
+  },
+  "required": ["shortName", "displayName", "scopes"]
+}

package/schema/userroles.schema.json

@@ -0,0 +1,21 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$anchor": "userroles",
+  "description": "Extra user properties for specifying roles",
+  "$patch": {
+    "source": { "$ref": "user" },
+    "with": {
+      "properties": {
+        "roles": {
+          "description": "Roles assigned to this user",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "isObjectId": true
+          },
+          "default": []
+        }
+      }
+    }
+  }
+}