kuzzle 2.54.3 → 2.55.0

package/dist/lib/api/controllers/securityController.d.ts

@@ -307,6 +307,14 @@ export default class SecurityController extends NativeController {
      * @returns {Promise<Object>}
      */
     createFirstAdmin(request: KuzzleRequest): Promise<import("../../types/core/auth/formatProcessing.type").Serialized<import("../../model/security/user").User>>;
+    /**
+     * Restricted rights are applied to the `anonymous` and `default` roles
+     * (by default, these roles don't have any restriction).
+     *
+     * The default permissions can be found in the default configuration
+     * and can be modified in the `kuzzlerc`.
+     */
+    restrictDefaultRights(request: KuzzleRequest): Promise<void>;
     /**
      * Deletes multiple profiles
      *

package/dist/lib/api/controllers/securityController.js

@@ -70,6 +70,7 @@ class SecurityController extends baseController_1.NativeController {
             "createApiKey",
             "createCredentials",
             "createFirstAdmin",
+            "restrictDefaultRights",
             "createOrReplaceProfile",
             "createOrReplaceRole",
             "createProfile",
@@ -791,16 +792,28 @@ class SecurityController extends baseController_1.NativeController {
             humanReadableId,
         });
         if (reset) {
-            for (const type of ["role", "profile"]) {
-                await bluebird_1.default.map(Object.entries(global.kuzzle.config.security.standard[`${type}s`]), ([name, value]) => this.ask(`core:security:${type}:createOrReplace`, name, value, {
-                    refresh: "wait_for",
-                    userId,
-                }));
-            }
+            await this.restrictDefaultRights(request);
         }
         this.logger.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} applied action "${request.input.action}".`);
         return user;
     }
+    /**
+     * Restricted rights are applied to the `anonymous` and `default` roles
+     * (by default, these roles don't have any restriction).
+     *
+     * The default permissions can be found in the default configuration
+     * and can be modified in the `kuzzlerc`.
+     */
+    async restrictDefaultRights(request) {
+        const userId = request.getKuid();
+        for (const type of ["role", "profile"]) {
+            await bluebird_1.default.map(Object.entries(global.kuzzle.config.security.standard[`${type}s`]), ([name, value]) => this.ask(`core:security:${type}:createOrReplace`, name, value, {
+                refresh: "wait_for",
+                userId,
+            }));
+        }
+        this.logger.info(`[SECURITY] ${SecurityController.userOrSdk(userId)} restricted rights of the default roles.`);
+    }
     /**
      * Deletes multiple profiles
      *

package/dist/lib/api/httpRoutes.js

@@ -804,6 +804,12 @@ const routes = [
         controller: "security",
         action: "createFirstAdmin",
     },
+    {
+        verb: "post",
+        path: "/_restrictDefaultRights",
+        controller: "security",
+        action: "restrictDefaultRights",
+    },
     {
         verb: "post",
         path: "/credentials/:strategy/:_id/_create",

package/dist/package.json

@@ -1,7 +1,7 @@
 {
     "name": "kuzzle",
     "author": "The Kuzzle Team <support@kuzzle.io>",
-    "version": "2.54.3",
+    "version": "2.55.0",
     "description": "Kuzzle is an open-source solution that handles all the data management through a secured API, with a large choice of protocols.",
     "scripts": {
         "build": "rm -Rf ./dist && tsc && node ./bin/copy-binaries.js",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "kuzzle",
   "author": "The Kuzzle Team <support@kuzzle.io>",
-  "version": "2.54.3",
+  "version": "2.55.0",
   "description": "Kuzzle is an open-source solution that handles all the data management through a secured API, with a large choice of protocols.",
   "scripts": {
     "build": "rm -Rf ./dist && tsc && node ./bin/copy-binaries.js",