From c0d9a1fca77b9207091ecbfb8cc48bd5072b9b60 Mon Sep 17 00:00:00 2001 From: Taha Yassine Kraiem Date: Tue, 4 Apr 2023 13:44:05 +0100 Subject: [PATCH] feat(chalice): EE role check on member update feat(chalice): EE removed member's email update --- api/chalicelib/core/users.py | 6 +-- ee/api/chalicelib/core/users.py | 70 +++++++++++++++++++++------------ 2 files changed, 47 insertions(+), 29 deletions(-) diff --git a/api/chalicelib/core/users.py b/api/chalicelib/core/users.py index f87273a0e..766a562be 100644 --- a/api/chalicelib/core/users.py +++ b/api/chalicelib/core/users.py @@ -300,7 +300,7 @@ def edit_member(user_id_to_update, tenant_id, changes: schemas.EditMemberSchema, if not admin["superAdmin"] and not admin["admin"]: return {"errors": ["unauthorized"]} if admin["admin"] and user["superAdmin"]: - return {"errors": ["only a superAdmin can edit his own details"]} + return {"errors": ["only the owner can edit his own details"]} else: if user["superAdmin"]: changes.admin = None @@ -646,6 +646,4 @@ def get_user_role(tenant_id, user_id): LIMIT 1""", {"user_id": user_id}) ) - u = helper.dict_to_camel_case(cur.fetchone()) - - return u + return helper.dict_to_camel_case(cur.fetchone()) diff --git a/ee/api/chalicelib/core/users.py b/ee/api/chalicelib/core/users.py index ff357113f..c1a0b7534 100644 --- a/ee/api/chalicelib/core/users.py +++ b/ee/api/chalicelib/core/users.py @@ -128,7 +128,7 @@ def reset_member(tenant_id, editor_id, user_id_to_update): return {"data": {"invitationLink": generate_new_invitation(user_id_to_update)}} -def update(tenant_id, user_id, changes): +def update(tenant_id, user_id, changes, output=True): AUTH_KEYS = ["password", "invitationToken", "invitedAt", "changePwdExpireAt", "changePwdToken"] if len(changes.keys()) == 0: return None 
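Review bot: The new `output` flag on `update` in the ee users.py `@@ -128` hunk is a boolean control switch passed as a fourth positional parameter; making it keyword-only, `def update(tenant_id, user_id, changes, *, output=True):`, keeps existing positional callers unaffected (the one caller in the `@@ -380` hunk already passes `output=False` by keyword) and stops it being mistaken for a positional argument later. The matching early exit `if not output: return None` in the `@@ -197` hunk is undocumented; a docstring line such as `output: when False, skip the follow-up get() and return None` would state the contract next to the signature. update's body continues outside this hunk.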
@@ -197,7 +197,8 @@ def update(tenant_id, user_id, changes): AND roles.role_id=users.role_id) AS role_name;""", {"tenant_id": tenant_id, "user_id": user_id, **changes}) ) - + if not output: + return None return get(user_id=user_id, tenant_id=tenant_id) 
@@ -344,33 +345,29 @@ def edit(user_id_to_update, tenant_id, changes: schemas_ee.EditUserSchema, edito return {"data": user} -def edit_member(user_id_to_update, tenant_id, changes: schemas_ee.EditUserSchema, editor_id): +def edit_member(user_id_to_update, tenant_id, changes: schemas_ee.EditMemberSchema, editor_id): user = get_member(user_id=user_id_to_update, tenant_id=tenant_id) - if editor_id != user_id_to_update or changes.admin is not None and changes.admin != user["admin"]: - admin = get(tenant_id=tenant_id, user_id=editor_id) + _changes = {} + if editor_id != user_id_to_update: + admin = get_user_role(tenant_id=tenant_id, user_id=editor_id) if not admin["superAdmin"] and not admin["admin"]: return {"errors": ["unauthorized"]} - _changes = {} - if editor_id == user_id_to_update: - if changes.admin is not None: - if user["superAdmin"]: - changes.admin = None - elif changes.admin != user["admin"]: - return {"errors": ["cannot change your own role"]} - if changes.roleId is not None: - if user["superAdmin"]: + if admin["admin"] and user["superAdmin"]: + return {"errors": ["only the owner can edit his own details"]} + else: + if user["superAdmin"]: + changes.admin = None + elif changes.admin != user["admin"]: + return {"errors": ["cannot change your own admin privileges"]} + if changes.roleId: + if user["superAdmin"] and changes.roleId != user["roleId"]: changes.roleId = None - elif changes.roleId != user["roleId"]: + return {"errors": ["owner's role cannot be changed"]} + + if changes.roleId != user["roleId"]: return {"errors": ["cannot change your own role"]} - if changes.email is not None and changes.email != user["email"]: - if email_exists(changes.email): - return {"errors": ["email already exists."]} - if get_deleted_user_by_email(changes.email) is not None: - return {"errors": ["email previously deleted."]} - _changes["email"] = changes.email - - if changes.name is not None and len(changes.name) > 0: + if changes.name and len(changes.name) > 0: 
_changes["name"] = changes.name if changes.admin is not None: @@ -380,8 +377,8 @@ def edit_member(user_id_to_update, tenant_id, changes: schemas_ee.EditUserSchema _changes["roleId"] = changes.roleId if len(_changes.keys()) > 0: - update(tenant_id=tenant_id, user_id=user_id_to_update, changes=_changes) - return {"data": get_member(tenant_id=tenant_id, user_id=user_id_to_update)} + update(tenant_id=tenant_id, user_id=user_id_to_update, changes=_changes, output=False) + return {"data": get_member(user_id=user_id_to_update, tenant_id=tenant_id)} return {"data": user} @@ -853,3 +850,26 @@ def __hard_delete_user(user_id): WHERE users.user_id = %(user_id)s AND users.deleted_at IS NOT NULL ;""", {"user_id": user_id}) cur.execute(query) + + +def get_user_role(tenant_id, user_id): + with pg_client.PostgresClient() as cur: + cur.execute( + cur.mogrify( + f"""SELECT + users.user_id, + users.email, + users.role, + users.name, + users.created_at, + (CASE WHEN users.role = 'owner' THEN TRUE ELSE FALSE END) AS super_admin, + (CASE WHEN users.role = 'admin' THEN TRUE ELSE FALSE END) AS admin, + (CASE WHEN users.role = 'member' THEN TRUE ELSE FALSE END) AS member + FROM public.users + WHERE users.deleted_at IS NULL + AND users.user_id=%(user_id)s + AND users.tenant_id=%(tenant_id)s + LIMIT 1""", + {"tenant_id": tenant_id, "user_id": user_id}) + ) + return helper.dict_to_camel_case(cur.fetchone())
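Review bot: In the self-edit branch of `edit_member`, `elif changes.admin != user["admin"]:` does not first check that `admin` was actually supplied, while the later `if changes.admin is not None:` treats an absent value as "no change"; if the schema leaves `admin` unset or defaults it, an admin updating only their own name would be rejected with "cannot change your own admin privileges", so the guard should read `elif changes.admin is not None and changes.admin != user["admin"]:`. The assignment `changes.roleId = None` immediately before `return {"errors": ["owner's role cannot be changed"]}` is a dead store and can be dropped. `if changes.name and len(changes.name) > 0:` repeats the truthiness test; `if changes.name:` is enough. That the `else:` pairs with the outer `if editor_id != user_id_to_update:` is inferred from the collapsed indentation, and edit_member's body continues into the `@@ -380` hunk.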
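Review bot: `get_user_role` returns `helper.dict_to_camel_case(cur.fetchone())`, and `fetchone()` yields None when no active user matches the (tenant_id, user_id) pair; `edit_member` then indexes `admin["superAdmin"]`, so an editor not found in the tenant would raise instead of reaching `{"errors": ["unauthorized"]}` unless `dict_to_camel_case` maps None to a dict, which is not visible here — a caller-side `if not admin: return {"errors": ["unauthorized"]}` would make the fail-closed path explicit. The query string carries an `f` prefix although it interpolates nothing (all values go through `cur.mogrify` placeholders); drop the `f` so the statement stays a plain literal and a later edit cannot slip a parameter into the SQL by accident. A short docstring would help, e.g. `"""Return the tenant-scoped role flags (superAdmin/admin/member) of an active user; the row is None when no such user exists."""`. The three `CASE WHEN users.role = '…' THEN TRUE ELSE FALSE END` expressions can be written directly as `users.role = 'owner' AS super_admin` and so on.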