const {
registerCapability,
registerPolicy,
} = require('../Authorization/PermissionsManager')
const { getUsersSubscription, getGroupSubscriptionsMemberOf } =
require('./SubscriptionLocator').promises
// This file defines the capabilities and policies that are used to
// determine what managed users can and cannot do.

// Every capability is granted by default (`default: true`). The policies
// registered further down switch individual capabilities off for the users
// they apply to, so the list below is the complete set of things a policy
// can take away.
const DEFAULT_CAPABILITIES = [
  // a user deleting their own account
  'delete-own-account',
  // a user adding a secondary email to their account
  'add-secondary-email',
  // a user adding an affiliation to their account
  'add-affiliation',
  // a user endorsing an email address
  'endorse-email',
  // a user signing in with Google to their account
  'link-google-sso',
  // a user linking other third party SSO to their account
  'link-other-third-party-sso',
  // a user leaving a managed group subscription
  'leave-group-subscription',
  // a user starting a subscription
  'start-subscription',
  // a user joining a subscription
  'join-subscription',
]

for (const capability of DEFAULT_CAPABILITIES) {
  registerCapability(capability, { default: true })
}
// Register a policy to prevent a user deleting their own account.
registerPolicy('userCannotDeleteOwnAccount', {
  'delete-own-account': false,
})

// Register a policy to prevent a user having secondary email addresses on their account.
// Affiliations and email endorsements are switched off together with it,
// presumably because they also attach addresses to the account — confirm.
registerPolicy(
  'userCannotHaveSecondaryEmail',
  {
    'add-secondary-email': false,
    'add-affiliation': false,
    'endorse-email': false,
  },
  {
    // Compliant when exactly one address — presumably the primary — is present.
    // Assumes `user.emails` is always an array; TODO confirm against the user schema.
    validator: async ({ user }) => user.emails.length === 1,
  }
)
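// Register a policy to prevent a user leaving the group subscription they are managed by.
registerPolicy('userCannotLeaveManagingGroupSubscription', {
  'leave-group-subscription': false,
})

// Register a policy to prevent a user having Google SSO linked to their account.
// Other identity providers are handled separately by 'userCannotHaveOtherThirdPartySSO'.
registerPolicy(
  'userCannotHaveGoogleSSO',
  { 'link-google-sso': false },
  {
    // return true if the user does not have Google SSO linked;
    // a missing `thirdPartyIdentifiers` list counts as nothing linked
    validator: async ({ user }) =>
      !user.thirdPartyIdentifiers?.some(
        identifier => identifier.providerId === 'google'
      ),
  }
)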
// Register a policy to prevent a user having third-party SSO other than Google linked to their account.
registerPolicy(
  'userCannotHaveOtherThirdPartySSO',
  { 'link-other-third-party-sso': false },
  {
    // Compliant when every linked identity provider is Google; a user with
    // no `thirdPartyIdentifiers` at all has nothing else linked.
    validator: async ({ user }) =>
      (user.thirdPartyIdentifiers ?? []).every(
        identifier => identifier.providerId === 'google'
      ),
  }
)
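// Register a policy to prevent a user having an active subscription or
// being a member of another group subscription.
registerPolicy(
  'userCannotHaveSubscription',
  { 'start-subscription': false, 'join-subscription': false },
  {
    // Compliant only when the user neither owns a subscription nor belongs to
    // any group subscription other than the one managing them.
    // `subscription` is the managing group's subscription and must be supplied.
    validator: async ({ user, subscription }) => {
      // the two lookups are independent of each other, so run them concurrently
      const [usersSubscription, userMemberOfSubscriptions] = await Promise.all([
        getUsersSubscription(user),
        getGroupSubscriptionsMemberOf(user),
      ])
      const userHasSubscription = Boolean(usersSubscription)
      // filter out the subscription of the managed group itself
      // the user will always be a member of this subscription
      const isMemberOfOtherSubscriptions = userMemberOfSubscriptions.some(
        sub => sub._id.toString() !== subscription._id.toString()
      )
      return !userHasSubscription && !isMemberOfOtherSubscriptions
    },
  }
)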
/**
 * Returns the default group policy for managed users.
 *
 * Managed users belong to a group subscription and are governed by that
 * group's policy, which limits what they can do. Each key is a policy name
 * registered above and each value says whether that policy is enforced
 * (`true`) or not (`false`) by default.
 *
 * A fresh object is built on every call, so callers may modify the result
 * without affecting other callers.
 *
 * @returns {Object} map of policy name to whether it is enforced by default
 * @function
 */
function getDefaultPolicy() {
  const defaults = [
    ['userCannotDeleteOwnAccount', true],
    ['userCannotHaveSecondaryEmail', true],
    ['userCannotHaveSubscription', true],
    ['userCannotLeaveManagingGroupSubscription', true],
    // Google SSO is allowed by default
    ['userCannotHaveGoogleSSO', false],
    ['userCannotHaveOtherThirdPartySSO', true],
  ]
  return Object.fromEntries(defaults)
}
// Only the accessor for the default policy is exported; the capability and
// policy registrations above take effect when this module is first required.
module.exports = { getDefaultPolicy }