Invert privilege check logic

2024-06-09 11:42:01 +03:00 · 2024-06-09 11:42:01 +03:00 · 46351fb17d
commit 46351fb17d
parent 8dd6ccc58c
9 changed files with 23 additions and 10 deletions
--- a/src/lib/components/admin/AdminSidebar.svelte
+++ b/src/lib/components/admin/AdminSidebar.svelte
@ -15,7 +15,7 @@
 		{
 			href: '/ssoadmin/oauth2',
 			title: $t('admin.menu.oauth2'),
-			privileges: [['admin:oauth2', 'self:oauth2']]
+			privileges: ['admin:oauth2', 'self:oauth2']
 		},
 		{
 			href: '/ssoadmin/audit',
--- a/src/lib/server/admin-utils.ts
+++ b/src/lib/server/admin-utils.ts
@ -3,6 +3,12 @@ import { Users, type UserSession } from './users';
 import { hasPrivileges, type RequiredPrivileges } from '$lib/utils';

 export class AdminUtils {
+	/**
+	 * Check a session privileges against a list of required privileges.
+	 * @param session User session with privileges loaded
+	 * @param privileges OR logic, AND's arrays
+	 * @throws 403 error if privileges are not met
+	 */
 	static checkPrivileges(session: UserSession, privileges: RequiredPrivileges): void {
 		if (!session.privileges?.length || !hasPrivileges(session.privileges, privileges)) {
 			error(403, 'Forbidden resource');
--- a/src/lib/utils.ts
+++ b/src/lib/utils.ts
@ -1,9 +1,15 @@
 export type RequiredPrivileges = (string | string[])[];

+/**
+ * Check a list of privileges against a list of required privileges.
+ * @param list List of privileges
+ * @param privileges OR logic, AND's arrays
+ * @returns Satisfies privileges
+ */
 export const hasPrivileges = (list: string[], privileges: RequiredPrivileges) =>
-	privileges.every((item) => {
+	privileges.some((item) => {
 		if (Array.isArray(item)) {
-			return item.some((sub) => list.includes(sub));
+			return item.every((sub) => list.includes(sub));
 		}
 		return list.includes(item);
 	});
--- a/src/routes/account/+page.svelte
+++ b/src/routes/account/+page.svelte
@ -28,7 +28,7 @@

 	let internalErrors: string[] = [];
 	$: errors = [...internalErrors, ...(form?.errors?.length ? form.errors : [])];
-	$: adminButton = hasPrivileges(data.privileges, [['admin', 'self:oauth2']]);
+	$: adminButton = hasPrivileges(data.privileges, ['admin', 'self:oauth2']);

 	let usernameRef: HTMLInputElement;
 	let displayRef: HTMLInputElement;
--- a/src/routes/ssoadmin/+layout.server.ts
+++ b/src/routes/ssoadmin/+layout.server.ts
@ -1,4 +1,5 @@
 import { Users } from '$lib/server/users/index.js';
+import { hasPrivileges } from '$lib/utils.js';
 import { error, redirect } from '@sveltejs/kit';

 export const load = async ({ url, locals }) => {
@ -11,7 +12,7 @@ export const load = async ({ url, locals }) => {

 	// Only users with 'admin' privilege can access
 	const privileges = await Users.getUserPrivileges(currentUser);
-	if (!privileges.includes('admin')) {
+	if (!hasPrivileges(privileges, ['admin', 'self:oauth2'])) {
 		return error(404, 'Not Found');
 	}

--- a/src/routes/ssoadmin/oauth2/+page.server.ts
+++ b/src/routes/ssoadmin/oauth2/+page.server.ts
@ -9,7 +9,7 @@ const PAGE_SIZE = 20;
 export const load = async ({ parent, url }) => {
 	const { user } = await parent();
 	const currentUser = await Users.getBySession(user);
-	AdminUtils.checkPrivileges(user, [['admin:oauth2', 'self:oauth2']]);
+	AdminUtils.checkPrivileges(user, ['admin:oauth2', 'self:oauth2']);

 	let limit = PAGE_SIZE;
 	let page = 1;
@ -28,7 +28,7 @@ export const load = async ({ parent, url }) => {

 	const offset = (page - 1) * limit;
 	const fullPrivileges = hasPrivileges(user.privileges, ['admin:oauth2']);
-	const createPrivileges = hasPrivileges(user.privileges, [['admin:oauth2', 'self:oauth2:create']]);
+	const createPrivileges = hasPrivileges(user.privileges, ['admin:oauth2', 'self:oauth2:create']);

 	const data = await OAuth2Clients.getClientByAdminUser(currentUser as User, {
 		filter,
--- a/src/routes/ssoadmin/oauth2/[uuid]/+page.server.ts
+++ b/src/routes/ssoadmin/oauth2/[uuid]/+page.server.ts
@ -375,7 +375,7 @@ export const actions = {
 export const load = async ({ params: { uuid }, parent }) => {
 	const { user } = await parent();
 	const currentUser = await Users.getBySession(user);
-	AdminUtils.checkPrivileges(user, [['admin:oauth2', 'self:oauth2']]);
+	AdminUtils.checkPrivileges(user, ['admin:oauth2', 'self:oauth2']);

 	const fullPrivileges = hasPrivileges(user.privileges, ['admin:oauth2']);

--- a/src/routes/ssoadmin/oauth2/[uuid]/user/[user]/+page.server.ts
+++ b/src/routes/ssoadmin/oauth2/[uuid]/user/[user]/+page.server.ts
@ -67,7 +67,7 @@ export const actions = {
 export const load = async ({ params: { uuid, user: userId }, parent }) => {
 	const { user } = await parent();
 	const currentUser = await Users.getBySession(user);
-	AdminUtils.checkPrivileges(user, [['admin:oauth2', 'self:oauth2']]);
+	AdminUtils.checkPrivileges(user, ['admin:oauth2', 'self:oauth2']);

 	const fullPrivileges = hasPrivileges(user.privileges || [], ['admin:oauth2']);

--- a/src/routes/ssoadmin/oauth2/new/+page.server.ts
+++ b/src/routes/ssoadmin/oauth2/new/+page.server.ts
@ -48,7 +48,7 @@ export const actions = {

 export const load = async ({ parent }) => {
 	const { user } = await parent();
-	AdminUtils.checkPrivileges(user, [['admin:oauth2', 'self:oauth2:create']]);
+	AdminUtils.checkPrivileges(user, ['admin:oauth2', 'self:oauth2:create']);

 	return {};
 };