const {
registerCapability,
registerPolicy,
} = require('../Authorization/PermissionsManager')
const { getUsersSubscription, getGroupSubscriptionsMemberOf } =
require('./SubscriptionLocator').promises
const { subscriptionIsCanceledOrExpired } = require('./RecurlyClient')
// This file defines the capabilities and policies that are used to
// determine what managed users can and cannot do.
// Capabilities available to managed users. Every one of them is registered
// with `default: true`; the policies further down switch individual
// capabilities off when a policy is enforced for a group.
const DEFAULT_ON_CAPABILITIES = [
  // account lifecycle
  'delete-own-account',
  // email addresses and affiliations
  'add-secondary-email',
  'add-affiliation',
  'endorse-email',
  // single sign-on linking
  'link-google-sso',
  'link-other-third-party-sso',
  // subscription membership
  'leave-group-subscription',
  'start-subscription',
  'join-subscription',
  'reactivate-subscription',
]

for (const capability of DEFAULT_ON_CAPABILITIES) {
  registerCapability(capability, { default: true })
}
// Policy: a managed user may not delete their own account.
// Enforcing it switches off the 'delete-own-account' capability. No validator
// is attached, so nothing about the user's current state is inspected.
registerPolicy('userCannotDeleteOwnAccount', { 'delete-own-account': false })
// Policy: a managed user may hold only a single (primary) email address.
// Enforcing it switches off adding secondary emails, adding affiliations and
// endorsing emails. The validator accepts a user only when they currently
// have exactly one email; it does not look at affiliations on that email.
registerPolicy(
  'userCannotHaveSecondaryEmail',
  {
    'add-secondary-email': false,
    'add-affiliation': false,
    'endorse-email': false,
  },
  {
    // assumes `user.emails` is always an array on the user record — TODO confirm
    validator: async ({ user }) => {
      const emailCount = user.emails.length
      return emailCount === 1
    },
  }
)
// Policy: a managed user may not leave the group subscription that manages
// them. Enforcing it switches off the 'leave-group-subscription' capability;
// no validator is attached.
registerPolicy('userCannotLeaveManagingGroupSubscription', {
  'leave-group-subscription': false,
})
// Policy: a managed user may not have Google SSO linked to their account.
// Enforcing it switches off the 'link-google-sso' capability. The validator
// passes only when none of the user's third-party identifiers comes from the
// 'google' provider; a missing identifier list counts as no links at all.
registerPolicy(
  'userCannotHaveGoogleSSO',
  { 'link-google-sso': false },
  {
    validator: async ({ user }) => {
      const identifiers = user.thirdPartyIdentifiers ?? []
      const hasGoogleLink = identifiers.some(
        ({ providerId }) => providerId === 'google'
      )
      return !hasGoogleLink
    },
  }
)
// Policy: a managed user may not have any non-Google third-party SSO linked.
// Enforcing it switches off the 'link-other-third-party-sso' capability. The
// validator passes only when every third-party identifier on the user comes
// from the 'google' provider; a missing identifier list counts as no links.
registerPolicy(
  'userCannotHaveOtherThirdPartySSO',
  { 'link-other-third-party-sso': false },
  {
    validator: async ({ user }) => {
      const identifiers = user.thirdPartyIdentifiers ?? []
      const hasNonGoogleLink = identifiers.some(
        ({ providerId }) => providerId !== 'google'
      )
      return !hasNonGoogleLink
    },
  }
)
// Policy: a managed user may neither hold an active subscription of their own
// nor be a member of group subscriptions other than the managing one.
// Enforcing it switches off starting, joining and reactivating subscriptions.
registerPolicy(
  'userCannotHaveSubscription',
  {
    'start-subscription': false,
    'join-subscription': false,
    'reactivate-subscription': false,
  },
  {
    // `subscription` is the managed group the user is being enrolled into. It
    // is dereferenced whenever the user owns a subscription or is a member of
    // any group, so a missing value throws rather than granting enrolment.
    validator: async ({ user, subscription }) => {
      // Compare two subscription documents by their `_id`.
      const sameId = (a, b) => a._id.toString() === b._id.toString()

      const ownSubscription = await getUsersSubscription(user)

      // Enrolment is allowed when the user either
      // 1. owns no subscription and is a member of no group apart from the
      //    managing one, or
      // 2. owns a subscription that is canceled or expired, or
      // 3. owns the very subscription they are being enrolled into — this lets
      //    the group admin join their own group as a managed user.
      const ownsActiveSubscription =
        Boolean(ownSubscription) &&
        !subscriptionIsCanceledOrExpired(ownSubscription)
      const ownsThisGroup =
        Boolean(ownSubscription) && sameId(ownSubscription, subscription)

      const groupsMemberOf = await getGroupSubscriptionsMemberOf(user)

      // Membership of the managing group itself, and of the user's own
      // subscription, does not count as "another" group.
      const memberOfOtherGroup = groupsMemberOf.some(
        sub =>
          !sameId(sub, subscription) &&
          !(ownSubscription && sameId(sub, ownSubscription))
      )

      return (
        (!ownsActiveSubscription || ownsThisGroup) && !memberOfOtherGroup
      )
    },
  }
)
/**
 * Build the default group policy applied to managed users.
 *
 * Managed users are members of a group subscription and are subject to the
 * group's policy, which limits what they can do. This returns the starting
 * point for that policy: a plain object with one boolean per policy
 * registered in this file, `true` meaning the policy is enforced. Every
 * policy is enforced by default except `userCannotHaveGoogleSSO`, so Google
 * SSO stays allowed unless a group opts out.
 *
 * A fresh object is returned on every call.
 *
 * @returns {Object} policy name → whether that policy is enforced.
 * @function
 */
function getDefaultPolicy() {
  const defaults = [
    ['userCannotDeleteOwnAccount', true],
    ['userCannotHaveSecondaryEmail', true],
    ['userCannotHaveSubscription', true],
    ['userCannotLeaveManagingGroupSubscription', true],
    // Google SSO is allowed by default; blocking it is opt-in per group.
    ['userCannotHaveGoogleSSO', false],
    ['userCannotHaveOtherThirdPartySSO', true],
  ]
  // Object.fromEntries preserves the order listed above.
  return Object.fromEntries(defaults)
}
// Only the default-policy factory is exported. The capabilities and policies
// above are registered as a side effect of requiring this module.
module.exports = {
  getDefaultPolicy,
}