fix: no need to restrict api endpoints when ldap auth is applied

2026-01-03 21:10:05 +00:00 · 2022-09-30 14:41:09 +05:00
parent f915c51b07
commit a14266077d
7 changed files with 126 additions and 120 deletions
--- a/api/src/controllers/group.ts
+++ b/api/src/controllers/group.ts
@@ -12,6 +12,7 @@ import {

 import Group, { GroupPayload, PUBLIC_GROUP_NAME } from '../model/Group'
 import User from '../model/User'
+import { AuthProviderType } from '../utils'
 import { UserResponse } from './user'

 export interface GroupResponse {
@@ -147,12 +148,22 @@ export class GroupController {
  @Delete('{groupId}')
  public async deleteGroup(@Path() groupId: number) {
    const group = await Group.findOne({ groupId })
-    if (group) return await group.remove()
-    throw {
-      code: 404,
-      status: 'Not Found',
-      message: 'Group not found.'
+    if (!group)
+      throw {
+        code: 404,
+        status: 'Not Found',
+        message: 'Group not found.'
+      }
+
+    if (group.authProvider !== AuthProviderType.Internal) {
+      throw {
+        code: 405,
+        status: 'Method Not Allowed',
+        message: 'Can not delete group created by an external auth provider.'
+      }
    }
+
+    return await group.remove()
  }
 }

@@ -248,6 +259,13 @@ const updateUsersListInGroup = async (
      message: `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
    }

+  if (group.authProvider !== AuthProviderType.Internal)
+    throw {
+      code: 405,
+      status: 'Method Not Allowed',
+      message: `Can't add/remove user to group created by external auth provider.`
+    }
+
  const user = await User.findOne({ id: userId })
  if (!user)
    throw {
@@ -256,6 +274,13 @@ const updateUsersListInGroup = async (
      message: 'User not found.'
    }

+  if (user.authProvider !== AuthProviderType.Internal)
+    throw {
+      code: 405,
+      status: 'Method Not Allowed',
+      message: `Can't add/remove user to group created by external auth provider.`
+    }
+
  const updatedGroup =
    action === 'addUser'
      ? await group.addUser(user)
--- a/api/src/controllers/user.ts
+++ b/api/src/controllers/user.ts
@@ -17,7 +17,12 @@ import {
 import { desktopUser } from '../middlewares'

 import User, { UserPayload } from '../model/User'
-import { getUserAutoExec, updateUserAutoExec, ModeType } from '../utils'
+import {
+  getUserAutoExec,
+  updateUserAutoExec,
+  ModeType,
+  AuthProviderType
+} from '../utils'
 import { GroupResponse } from './group'

 export interface UserResponse {
@@ -211,7 +216,11 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {

  // Checking if user is already in the database
  const usernameExist = await User.findOne({ username })
-  if (usernameExist) throw new Error('Username already exists.')
+  if (usernameExist)
+    throw {
+      code: 409,
+      message: 'Username already exists.'
+    }

  // Hash passwords
  const hashPassword = User.hashPassword(password)
@@ -255,7 +264,11 @@ const getUser = async (
    'groupId name description -_id'
  )) as unknown as UserDetailsResponse

-  if (!user) throw new Error('User is not found.')
+  if (!user)
+    throw {
+      code: 404,
+      message: 'User is not found.'
+    }

  return {
    id: user.id,
@@ -284,6 +297,19 @@ const updateUser = async (

  const params: any = { displayName, isAdmin, isActive, autoExec }

+  const user = await User.findOne(findBy)
+
+  if (
+    user?.authProvider !== AuthProviderType.Internal &&
+    (username !== user?.username || displayName !== user?.displayName)
+  ) {
+    throw {
+      code: 405,
+      message:
+        'Can not update username and display name of user that is created by an external auth provider.'
+    }
+  }
+
  if (username) {
    // Checking if user is already in the database
    const usernameExist = await User.findOne({ username })
@@ -292,7 +318,10 @@ const updateUser = async (
        (findBy.id && usernameExist.id != findBy.id) ||
        (findBy.username && usernameExist.username != findBy.username)
      )
-        throw new Error('Username already exists.')
+        throw {
+          code: 409,
+          message: 'Username already exists.'
+        }
    }
    params.username = username
  }
@@ -305,7 +334,10 @@ const updateUser = async (
  const updatedUser = await User.findOneAndUpdate(findBy, params, { new: true })

  if (!updatedUser)
-    throw new Error(`Unable to find user with ${findBy.id || findBy.username}`)
+    throw {
+      code: 404,
+      message: `Unable to find user with ${findBy.id || findBy.username}`
+    }

  return {
    id: updatedUser.id,
@@ -332,11 +364,19 @@ const deleteUser = async (
  { password }: { password?: string }
 ) => {
  const user = await User.findOne(findBy)
-  if (!user) throw new Error('User is not found.')
+  if (!user)
+    throw {
+      code: 404,
+      message: 'User is not found.'
+    }

  if (!isAdmin) {
    const validPass = user.comparePassword(password!)
-    if (!validPass) throw new Error('Invalid password.')
+    if (!validPass)
+      throw {
+        code: 401,
+        message: 'Invalid password.'
+      }
  }

  await User.deleteOne(findBy)
--- a/api/src/controllers/web.ts
+++ b/api/src/controllers/web.ts
@@ -86,7 +86,7 @@ const login = async (
  if (!user) throw new Error('Username is not found.')

  if (
-    process.env.AUTH_MECHANISM === AuthProviderType.LDAP &&
+    process.env.AUTH_PROVIDERS === AuthProviderType.LDAP &&
    user.authProvider === AuthProviderType.LDAP
  ) {
    const ldapClient = await LDAPClient.init()