in addons/addon-base-raas/packages/base-raas-services/lib/user/user-authz-service.js [86:135]
/**
 * Authorization check for a user-attribute update, applied on top of whatever
 * the base class has already decided.
 *
 * @param {object} requestContext - context of the caller, forwarded to the admin/root checks
 * @param {{action: string}} param1 - the action being authorized
 * @param {object} user - the incoming attribute values
 * @param {object} existingUser - the currently stored user record
 * @returns {Promise<object>} the result of allow(), deny(), or the first denying
 *   allowIfAdmin()/allowIfRoot() result
 */
async authorizeUpdateAttributes(requestContext, { action }, user, existingUser) {
  // True when the request would actually change `attribName`. The update
  // ignores undefined incoming values (the existing value is retained), so a
  // change only counts when the new value is defined AND differs.
  const changes = attribName => {
    const incoming = _.get(user, attribName);
    if (_.isUndefined(incoming)) return false;
    return !_.isEqual(_.get(existingUser, attribName), incoming);
  };
  const changesAny = attribNames => attribNames.some(changes);

  // Privilege-bearing attributes: changing any of them requires the
  // allowIfAdmin check in addition to the base-class permissions.
  const adminOnlyAttribs = [
    'isExternalUser',
    'userRole',
    'isAdmin',
    'projectId',
    'identityProviderName',
    'authenticationProviderId',
    'isSamlAuthenticatedUser',
  ];
  if (changesAny(adminOnlyAttribs)) {
    const adminCheck = await allowIfAdmin(requestContext, { action });
    if (isDeny(adminCheck)) return adminCheck;
  }

  const targetIsRoot = existingUser.userType === 'root';

  // A non-root user's userType is fixed.
  if (!targetIsRoot && changes('userType')) {
    return deny(`Cannot update userType`);
  }

  if (targetIsRoot) {
    // The root user gets the additional allowIfRoot check ...
    const rootCheck = await allowIfRoot(requestContext, { action });
    if (isDeny(rootCheck)) return rootCheck;

    // ... and even a permitted caller may not alter these attributes on root.
    // NOTE(review): 'userType' itself is not in this list, so a permitted
    // change of root's userType passes this check — confirm that is intended.
    const rootImmutableAttribs = [
      'authenticationProviderId',
      'identityProviderName',
      'isAdmin',
      'userRole',
      'projectId',
    ];
    if (changesAny(rootImmutableAttribs)) {
      return deny('You are not authorized to alter these fields on the root user', true);
    }
  }

  // Nothing above objected, so the update is allowed.
  return allow();
}