Lock the login permission for guest

2026-06-21 03:11:44 +02:00 · 2023-11-28 20:04:34 +01:00
parent edc3186d64
commit f35bbdca59
7 changed files with 33 additions and 1 deletions
--- a/backend/src/collections/role-db/role-db.service.ts
+++ b/backend/src/collections/role-db/role-db.service.ts
@@ -14,6 +14,7 @@ import { ERoleBackend } from '../../database/entities/users/role.entity';
 import { Permissions } from '../../models/constants/permissions.const';
 import {
  ImmutableRolesList,
+  RolePermissionsLocks,
  UndeletableRolesList,
 } from '../../models/constants/roles.const';

@@ -114,6 +115,17 @@ export class RoleDbService {
      return Fail(FT.Permission, 'Cannot modify immutable role');
    }

+    // If the permission are missing a role specified in RolePermissionsLocks[roleToModify.name], fail
+    const missingPermissions = RolePermissionsLocks[roleToModify.name].filter(
+      (permission) => !permissions.includes(permission),
+    );
+    if (missingPermissions.length > 0) {
+      return Fail(
+        FT.Permission,
+        `Cannot remove permissions: ${missingPermissions.join(', ')}`,
+      );
+    }
+
    roleToModify.permissions = makeUnique(permissions);

    try {
--- a/backend/src/models/constants/roles.const.ts
+++ b/backend/src/models/constants/roles.const.ts
@@ -15,6 +15,15 @@ const UndeletableRolesTuple = tuple(
 // These roles will be applied by default to new users
 export const DefaultRolesList: string[] = ['user'];

+// These permissions will be locked for the specified roles
+export const RolePermissionsLocks: {
+  [key in string]: Permission[];
+} = {
+  guest: [Permission.UserLogin],
+  user: [],
+  admin: [],
+};
+
 // Derivatives
 export const SoulBoundRolesList: string[] = SoulBoundRolesTuple;
 export const ImmutableRolesList: string[] = ImmutableRolesTuple;
@@ -29,9 +38,9 @@ const SystemRoleDefaultsTyped: {
  [key in SystemRole]: Permissions;
 } = {
  guest: [
+    Permission.UserLogin,
    Permission.ImageView,
    Permission.ImageDeleteKey,
-    Permission.UserLogin,
  ],
  user: [
    Permission.ImageView,
--- a/backend/src/routes/api/roles/roles.controller.ts
+++ b/backend/src/routes/api/roles/roles.controller.ts
@@ -21,6 +21,7 @@ import { Permission } from '../../../models/constants/permissions.const';
 import {
  DefaultRolesList,
  ImmutableRolesList,
+  RolePermissionsLocks,
  SoulBoundRolesList,
  UndeletableRolesList,
 } from '../../../models/constants/roles.const';
@@ -113,6 +114,7 @@ export class RolesController {
      ImmutableRoles: ImmutableRolesList,
      UndeletableRoles: UndeletableRolesList,
      DefaultRoles: DefaultRolesList,
+      LockedPermissions: RolePermissionsLocks,
    };
  }
 }