chore(release): 0.29.0 [skip ci]

# [0.29.0](https://github.com/sasjs/server/compare/v0.28.7...v0.29.0) (2023-02-06) ### Features * Add /SASjsApi endpoint in permissions ([b3402ea](b3402ea80a))
Merge pull request #338 from sasjs/issue-224
2025-12-10 19:34:34 +00:00 · 2023-02-06 13:07:06 +00:00 · 2023-02-06 13:02:49 +00:00 · 2023-02-06 15:29:24 +05:00 · 2023-02-03 13:48:40 +00:00 · 2023-02-03 13:44:46 +00:00
6 changed files with 75 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
+# [0.29.0](https://github.com/sasjs/server/compare/v0.28.7...v0.29.0) (2023-02-06)
+
+
+### Features
+
+* Add /SASjsApi endpoint in permissions ([b3402ea](https://github.com/sasjs/server/commit/b3402ea80afb8802eee8b8b6cbbbcc29903424bc))
+
+## [0.28.7](https://github.com/sasjs/server/compare/v0.28.6...v0.28.7) (2023-02-03)
+
+
+### Bug Fixes
+
+* add user to all users group on user creation ([2bae52e](https://github.com/sasjs/server/commit/2bae52e307327d7ee4a94b19d843abdc0ccec9d1))
+
 ## [0.28.6](https://github.com/sasjs/server/compare/v0.28.5...v0.28.6) (2023-01-26)


--- a/api/src/controllers/auth.ts
+++ b/api/src/controllers/auth.ts
@@ -159,7 +159,7 @@ const updatePassword = async (
 ) => {
  const { currentPassword, newPassword } = data
  const userId = req.user?.userId
-  const dbUser = await User.findOne({ userId })
+  const dbUser = await User.findOne({ id: userId })

  if (!dbUser)
    throw {
--- a/api/src/controllers/user.ts
+++ b/api/src/controllers/user.ts
@@ -21,9 +21,9 @@ import {
  getUserAutoExec,
  updateUserAutoExec,
  ModeType,
-  AuthProviderType
+  ALL_USERS_GROUP
 } from '../utils'
-import { GroupResponse } from './group'
+import { GroupController, GroupResponse } from './group'

 export interface UserResponse {
  id: number
@@ -237,6 +237,15 @@ const createUser = async (data: UserPayload): Promise<UserDetailsResponse> => {

  const savedUser = await user.save()

+  const groupController = new GroupController()
+  const allUsersGroup = await groupController
+    .getGroupByGroupName(ALL_USERS_GROUP.name)
+    .catch(() => {})
+
+  if (allUsersGroup) {
+    await groupController.addUserToGroup(allUsersGroup.groupId, savedUser.id)
+  }
+
  return {
    id: savedUser.id,
    displayName: savedUser.displayName,
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -5,7 +5,7 @@ import {
  PermissionSettingForRoute,
  PermissionType
 } from '../controllers/permission'
-import { getPath, isPublicRoute } from '../utils'
+import { getPath, isPublicRoute, TopLevelRoutes } from '../utils'

 export const authorize: RequestHandler = async (req, res, next) => {
  const { user } = req
@@ -22,6 +22,9 @@ export const authorize: RequestHandler = async (req, res, next) => {
  if (!dbUser) return res.sendStatus(401)

  const path = getPath(req)
+  const { baseUrl } = req
+  const topLevelRoute =
+    TopLevelRoutes.find((route) => baseUrl.startsWith(route)) || baseUrl

  // find permission w.r.t user
  const permission = await Permission.findOne({
@@ -35,6 +38,21 @@ export const authorize: RequestHandler = async (req, res, next) => {
    else return res.sendStatus(401)
  }

+  // find permission w.r.t user on top level
+  const topLevelPermission = await Permission.findOne({
+    path: topLevelRoute,
+    type: PermissionType.route,
+    user: dbUser._id
+  })
+
+  if (topLevelPermission) {
+    if (topLevelPermission.setting === PermissionSettingForRoute.grant)
+      return next()
+    else return res.sendStatus(401)
+  }
+
+  let isPermissionDenied = false
+
  // find permission w.r.t user's groups
  for (const group of dbUser.groups) {
    const groupPermission = await Permission.findOne({
@@ -42,8 +60,28 @@ export const authorize: RequestHandler = async (req, res, next) => {
      type: PermissionType.route,
      group
    })
-    if (groupPermission?.setting === PermissionSettingForRoute.grant)
-      return next()
+
+    if (groupPermission) {
+      if (groupPermission.setting === PermissionSettingForRoute.grant) {
+        return next()
+      } else {
+        isPermissionDenied = true
+      }
+    }
  }
+
+  if (!isPermissionDenied) {
+    // find permission w.r.t user's groups on top level
+    for (const group of dbUser.groups) {
+      const groupPermission = await Permission.findOne({
+        path: topLevelRoute,
+        type: PermissionType.route,
+        group
+      })
+      if (groupPermission?.setting === PermissionSettingForRoute.grant)
+        return next()
+    }
+  }
+
  return res.sendStatus(401)
 }
--- a/api/src/utils/getAuthorizedRoutes.ts
+++ b/api/src/utils/getAuthorizedRoutes.ts
@@ -1,7 +1,8 @@
 import { Request } from 'express'

+export const TopLevelRoutes = ['/AppStream', '/SASjsApi']
+
 const StaticAuthorizedRoutes = [
-  '/AppStream',
  '/SASjsApi/code/execute',
  '/SASjsApi/stp/execute',
  '/SASjsApi/drive/deploy',
@@ -15,7 +16,7 @@ const StaticAuthorizedRoutes = [
 export const getAuthorizedRoutes = () => {
  const streamingApps = Object.keys(process.appStreamConfig)
  const streamingAppsRoutes = streamingApps.map((app) => `/AppStream/${app}`)
-  return [...StaticAuthorizedRoutes, ...streamingAppsRoutes]
+  return [...TopLevelRoutes, ...StaticAuthorizedRoutes, ...streamingAppsRoutes]
 }

 export const getPath = (req: Request) => {
--- a/api/src/utils/seedDB.ts
+++ b/api/src/utils/seedDB.ts
@@ -23,12 +23,12 @@ export const seedDB = async (): Promise<ConfigurationType> => {
  }

  // Checking if 'AllUsers' Group is already in the database
-  let groupExist = await Group.findOne({ name: GROUP.name })
+  let groupExist = await Group.findOne({ name: ALL_USERS_GROUP.name })
  if (!groupExist) {
-    const group = new Group(GROUP)
+    const group = new Group(ALL_USERS_GROUP)
    groupExist = await group.save()

-    process.logger.success(`DB Seed - Group created: ${GROUP.name}`)
+    process.logger.success(`DB Seed - Group created: ${ALL_USERS_GROUP.name}`)
  }

  // Checking if 'Public' Group is already in the database
@@ -54,7 +54,7 @@ export const seedDB = async (): Promise<ConfigurationType> => {
  if (!groupExist.hasUser(usernameExist)) {
    groupExist.addUser(usernameExist)
    process.logger.success(
-      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${GROUP.name}'`
+      `DB Seed - admin account '${ADMIN_USER.username}' added to Group '${ALL_USERS_GROUP.name}'`
    )
  }

@@ -75,7 +75,7 @@ export const seedDB = async (): Promise<ConfigurationType> => {
  }
 }

-const GROUP = {
+export const ALL_USERS_GROUP = {
  name: 'AllUsers',
  description: 'Group contains all users'
 }
Author	SHA1	Message	Date
semantic-release-bot	02ae041a81	chore(release): 0.29.0 [skip ci] # [0.29.0](https://github.com/sasjs/server/compare/v0.28.7...v0.29.0) (2023-02-06) ### Features * Add /SASjsApi endpoint in permissions ([`b3402ea`](`b3402ea80a`))	2023-02-06 13:07:06 +00:00
Allan Bowe	c4c84b1537	Merge pull request #338 from sasjs/issue-224 feat: Add /SASjsApi endpoint in permissions	2023-02-06 13:02:49 +00:00
Sabir Hassan	b3402ea80a	feat: Add /SASjsApi endpoint in permissions	2023-02-06 15:29:24 +05:00
semantic-release-bot	abe942e697	chore(release): 0.28.7 [skip ci] ## [0.28.7](https://github.com/sasjs/server/compare/v0.28.6...v0.28.7) (2023-02-03) ### Bug Fixes * add user to all users group on user creation ([`2bae52e`](`2bae52e307`))	2023-02-03 13:48:40 +00:00
Allan Bowe	faf2edb111	Merge pull request #337 from sasjs/issue-336 fix: add user to all users group on user creation	2023-02-03 13:44:46 +00:00
Sabir Hassan	5bec453e89	chore: quick fix	2023-02-03 18:39:35 +05:00
Sabir Hassan	7f2174dd2c	chore: quick fix	2023-02-03 16:48:18 +05:00
Sabir Hassan	2bae52e307	fix: add user to all users group on user creation	2023-02-03 16:47:18 +05:00