const {
registerCapability,
registerPolicy,
} = require('../Authorization/PermissionsManager')
const SubscriptionLocator = require('./SubscriptionLocator')
// This file defines the capabilities and policies that are used to
// determine what managed users can and cannot do.
// Capabilities are opt-out: every capability listed here is registered with
// `default: true`, i.e. granted unless a policy (see the registerPolicy calls
// further down) sets it to `false` for the user. Keep this list and the policy
// definitions in sync — a capability with no matching policy can never be
// withdrawn from a managed user.
const MANAGED_USER_CAPABILITIES = [
  // Delete their own account.
  'delete-own-account',
  // Add a secondary email address to their account.
  'add-secondary-email',
  // Sign in with / link Google SSO on their account.
  'link-google-sso',
  // Link any other third-party SSO provider to their account.
  'link-other-third-party-sso',
  // Leave the group subscription that manages them.
  'leave-managing-group-subscription',
  // Start a subscription.
  'start-subscription',
]

for (const capability of MANAGED_USER_CAPABILITIES) {
  registerCapability(capability, { default: true })
}
// Policy: a managed user may not delete their own account.
// Unlike the email/SSO/subscription policies below, no validator is supplied,
// so there is no per-user precondition attached to this policy — it only
// withdraws the capability.
const userCannotDeleteOwnAccount = { 'delete-own-account': false }
registerPolicy('userCannotDeleteOwnAccount', userCannotDeleteOwnAccount)
// Policy: a managed user may not have secondary email addresses on their
// account.
registerPolicy(
  'userCannotAddSecondaryEmail',
  { 'add-secondary-email': false },
  {
    // Compliance check: resolves true only when the account holds exactly one
    // email (its primary). Note the strict comparison — an account with zero
    // emails is reported as non-compliant rather than passing by accident.
    // Presumably PermissionsManager uses this to decide whether the policy can
    // be applied to the user as-is; confirm against that module.
    validator: async user => {
      const { emails } = user
      return emails.length === 1
    },
  }
)
// Policy: a managed user may not leave the group subscription that manages
// them. No validator: the policy has no per-user precondition and simply
// withdraws the capability.
const userCannotLeaveManagingGroupSubscription = {
  'leave-managing-group-subscription': false,
}
registerPolicy(
  'userCannotLeaveManagingGroupSubscription',
  userCannotLeaveManagingGroupSubscription
)
// Policy: a managed user may not have Google SSO linked to their account.
// (The policy for every other provider is registered separately below.)
registerPolicy(
  'userCannotHaveGoogleSSO',
  { 'link-google-sso': false },
  {
    // Compliance check: true when none of the user's linked third-party
    // identifiers belongs to the 'google' provider. A missing or null
    // `thirdPartyIdentifiers` counts as "nothing linked".
    validator: async user => {
      const linked = user.thirdPartyIdentifiers ?? []
      return linked.every(identifier => identifier.providerId !== 'google')
    },
  }
)
// Policy: a managed user may not have any non-Google third-party SSO linked to
// their account. Google is carved out here because it has its own policy
// ('userCannotHaveGoogleSSO') and is allowed by default.
registerPolicy(
  'userCannotHaveOtherThirdPartySSO',
  { 'link-other-third-party-sso': false },
  {
    // Compliance check: true when every linked third-party identifier is the
    // 'google' provider (so nothing else is linked). A missing or null
    // `thirdPartyIdentifiers` counts as "nothing linked".
    validator: async user => {
      const linked = user.thirdPartyIdentifiers ?? []
      return linked.every(identifier => identifier.providerId === 'google')
    },
  }
)
// Policy: a managed user may not hold a personal (individual) subscription.
registerPolicy(
  'userCannotHaveSubscription',
  { 'start-subscription': false },
  {
    // Compliance check: true when SubscriptionLocator finds no individual
    // subscription for the user. Any error from the lookup propagates to the
    // caller rather than being treated as "no subscription".
    validator: async user => {
      const subscription =
        await SubscriptionLocator.promises.getUserIndividualSubscription(user)
      return !subscription
    },
  }
)
// Policy name -> enforced? for the default managed-user policy, in the order
// the keys should appear on the returned object. Google SSO is the one policy
// deliberately left unenforced: managed users may still link Google accounts.
const DEFAULT_POLICY_ENTRIES = [
  ['userCannotDeleteOwnAccount', true],
  ['userCannotAddSecondaryEmail', true],
  ['userCannotHaveSubscription', true],
  ['userCannotLeaveManagingGroupSubscription', true],
  ['userCannotHaveGoogleSSO', false], // we want to allow google SSO by default
  ['userCannotHaveOtherThirdPartySSO', true],
]

/**
 * Returns the default group policy for managed users.
 *
 * Managed users belong to a group subscription and are governed by the
 * group's policy, which restricts what they can do. The returned object maps
 * each registered policy name to a boolean saying whether that policy is
 * enforced. A fresh object is built on every call, so callers may mutate the
 * result without affecting the defaults.
 *
 * @returns {Object} Policy name -> `true` if enforced by default, `false` otherwise.
 * @function
 */
function getDefaultPolicy() {
  return Object.fromEntries(DEFAULT_POLICY_ENTRIES)
}
// Only the default policy is exported. Registering the capabilities and
// policies above happens as a side effect of requiring this module, so it has
// to be loaded before those registrations are relied upon elsewhere.
module.exports = { getDefaultPolicy }