async authorizeUpdateAttributes()

in components/base/packages/services/lib/user/user-authz-service.js [105:135]


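  /**
   * Decides whether the caller may apply the requested attribute changes to a user.
   *
   * The caller must first pass the `allowIfActive` check. If any attribute in the
   * admin-only list below is being changed, the caller must also pass `allowIfAdmin`.
   *
   * @param {object} requestContext - Context forwarded unchanged to the permission helpers.
   * @param {object} authzRequest - Authorization request; only its `action` property is read.
   * @param {object} user - Requested attribute values; an undefined value means "leave as is".
   * @param {object} existingUser - The user as currently stored, used as the comparison baseline.
   * @returns {Promise<object>} The first denying permission returned by a helper, otherwise `allow()`.
   */
  async authorizeUpdateAttributes(requestContext, { action }, user, existingUser) {
    // Attributes that govern role, admin rights, account status and identity-provider binding.
    // A non-admin changing any of them could raise their own privileges or rebind the account
    // to a different identity, so every entry here requires the admin check.
    const adminOnlyAttributes = [
      'isExternalUser',
      'userRole',
      'isAdmin',
      'status',
      'identityProviderName',
      'authenticationProviderId',
      'isSamlAuthenticatedUser',
    ];

    const isBeingUpdated = attribName => {
      const oldValue = _.get(existingUser, attribName);
      const newValue = _.get(user, attribName);
      // The update ignores undefined values (it retains the existing values for those),
      // so an attribute counts as changed only when the new value is defined and differs.
      // `!==` compares by identity, so a non-primitive value always counts as changed,
      // which errs towards requiring the admin check.
      return !_.isUndefined(newValue) && oldValue !== newValue;
    };

    // Make sure an inactive user isn't updating attributes.
    // The binding is declared here, at its first assignment: assigning to it ahead of a later
    // `let` declaration throws a ReferenceError (temporal dead zone) on every call.
    let permissionSoFar = await allowIfActive(requestContext, { action });
    if (isDeny(permissionSoFar)) return permissionSoFar; // return if denying

    // Make sure that updating any admin-only attribute is done only by admins
    if (adminOnlyAttributes.some(isBeingUpdated)) {
      permissionSoFar = await allowIfAdmin(requestContext, { action });
      if (isDeny(permissionSoFar)) return permissionSoFar; // return if denying
    }

    // If code reached here then allow this call
    return allow();
  }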