Seeming working (though not very thoroughly tested) granular access control for reports, report templates and namespaces.

Should work both in local auth case and LDAP auth case.
2017-07-27 22:41:25 +03:00 · 2017-07-27 22:41:25 +03:00 · 34823cf0cf
commit 34823cf0cf
parent 89256d62bd
17 changed files with 352 additions and 146 deletions
--- a/models/shares.js
+++ b/models/shares.js
@ -129,17 +129,22 @@ async function _rebuildPermissions(tx, restriction) {
    }


-    // Change user 1 role to global role that has admin===true
-    let adminRole;
-    for (const role in config.roles.global) {
-        if (config.roles.global[role].admin) {
-            adminRole = role;
-            break;
+    // To prevent users locking out themselves, we consider user with id 1 to be the admin and always assign it
+    // the admin role. The admin role is a global role that has admin===true
+    // If this behavior is not desired, it is enough to delete the user with id 1.
+    const adminUser = await tx('users').where('id', 1 /* Admin user id */).first();
+    if (adminUser) {
+        let adminRole;
+        for (const role in config.roles.global) {
+            if (config.roles.global[role].admin) {
+                adminRole = role;
+                break;
+            }
        }
-    }

-    if (adminRole) {
-        await tx('users').update('role', adminRole).where('id', 1 /* Admin user id */);
+        if (adminRole) {
+            await tx('users').update('role', adminRole).where('id', 1 /* Admin user id */);
+        }
    }