Fix user roles and owner permission checks

src/core-services/account/index.js

@@ -2,16 +2,13 @@ import i18n from "./i18n/index.js";
 import mutations from "./mutations/index.js";
 import policies from "./policies.json";
 import queries from "./queries/index.js";
-import { registerPluginHandlerForAccounts } from "./registration.js";
 import resolvers from "./resolvers/index.js";
 import schemas from "./schemas/index.js";
 import startup from "./startup.js";
 import tokenMiddleware from "./util/tokenMiddleware.js";
 import accountByUserId from "./util/accountByUserId.js";
 import { Account } from "./simpleSchemas.js";
 
-const ENROLL_URI_BASE = "account/enroll";
-
 /**
  * @summary Import and call this function to add this plugin to your API.
  * @param {ReactionAPI} app The ReactionAPI instance
@@ -23,16 +20,6 @@ export default async function register(app) {
     name: "reaction-accounts",
     version: app.context.appVersion,
     i18n,
-    addRolesToGroups: [{
-      groups: ["guest", "customer"],
-      roles: [
-        "account/login",
-        "account/verify",
-        "not-found",
-        "reset-password",
-        ENROLL_URI_BASE
-      ]
-    }],
     collections: {
       Accounts: {
         name: "Accounts",
@@ -65,7 +52,6 @@ export default async function register(app) {
       accountByUserId
     },
     functionsByType: {
-      registerPluginHandler: [registerPluginHandlerForAccounts],
       startup: [startup]
     },
     graphQL: {

src/core-services/account/mutations/addAccountToGroup.js

@@ -59,7 +59,7 @@ export default async function addAccountToGroup(context, input) {
 
   // Add all group roles to the user. Make sure this stays in this order.
   // Remove former group roles before adding new group roles, in case some are in both.
-  const newAccountUserRoles = new Set(accountUser.roles[shopId] || []);
+  const newAccountUserRoles = new Set((accountUser.roles || {})[shopId] || []);
 
   const formerGroupId = (account.groups || []).find((grpId) => allGroupIDsInShop.indexOf(grpId) !== -1);
   if (formerGroupId) {

src/core-services/account/mutations/createAccount.js

@@ -76,26 +76,38 @@ export default async function createAccount(context, input) {
   };
 
   let groupSlug = "customer"; // Default is to put new accounts into the "customer" permission group
+  let groups;
+  let invites;
 
   // The identity provider service gives the first created user the global "owner" role. When we
   // create an account for this user, they should be assigned to the "owner" group.
-  let groups;
-  let invites;
-  if (authUserId === userId && context.userHasPermission("reaction:legacy:shops", "owner", { shopId, legacyRoles: ["owner"] })) { // TODO(pod-auth): update this permissions check
-    groupSlug = "owner";
-  } else {
+  if (authUserId === userId) {
+    const isGlobalOwner = await context.userHasPermission("reaction:legacy:shops", "owner", { shopId, legacyRoles: ["owner"] }); // TODO(pod-auth): update this permissions check
+    if (isGlobalOwner) groupSlug = "owner";
+  }
+
+  // If we didn't already upgrade them to the "owner" group, see if they're been invited to any groups
+  if (groupSlug === "customer") {
     const emailAddresses = emails.map((emailRecord) => emailRecord.address);
     // Find all invites for all shops and add to all groups
     invites = await AccountInvites.find({ email: { $in: emailAddresses } }).toArray();
     groups = invites.map((invite) => invite.groupId);
   }
 
-  if (!groups) {
+  // If they weren't invited to any groups, put them in the customer or owner group as determined above
+  if (!groups || groups.length === 0) {
     if (shopId) {
       const group = await Groups.findOne({ slug: groupSlug, shopId });
       groups = group ? [group._id] : [];
     } else {
-      groups = [];
+      // Put them in a group for the primary shop
+      const primaryShopId = await context.queries.primaryShopId(context);
+      if (primaryShopId) {
+        const primaryShopGroup = await Groups.findOne({ slug: groupSlug, shopId: primaryShopId });
+        groups = primaryShopGroup ? [primaryShopGroup._id] : [];
+      } else {
+        groups = [];
+      }
     }
   }
 

src/core-services/account/mutations/createAuthGroupsForShop.js

@@ -6,7 +6,6 @@ import {
   defaultShopManagerRoles,
   defaultVisitorRoles
 } from "../util/defaultRoles.js";
-import addPluginRolesToGroups from "../util/addPluginRolesToGroups.js";
 
 /**
  * @name createAuthGroupsForShop
@@ -51,6 +50,4 @@ export default async function createAuthGroupsForShop(context, shopId) {
   });
 
   await Promise.all(promises);
-
-  await addPluginRolesToGroups(context, shopId);
 }

src/core-services/account/startup.js

@@ -1,12 +1,10 @@
-import addPluginRolesToGroups from "./util/addPluginRolesToGroups.js";
 import ensureRoles from "./util/ensureRoles.js";
 import {
   defaultCustomerRoles,
   defaultOwnerRoles,
   defaultShopManagerRoles,
   defaultVisitorRoles
 } from "./util/defaultRoles.js";
-import config from "./config.js";
 
 /**
  * @summary Called on startup
@@ -20,9 +18,4 @@ export default async function accountStartup(context) {
   await ensureRoles(context, defaultOwnerRoles);
   await ensureRoles(context, defaultShopManagerRoles);
   await ensureRoles(context, defaultVisitorRoles);
-
-  // timing is important, packages are rqd for initial permissions configuration.
-  if (config.NODE_ENV !== "test") {
-    await addPluginRolesToGroups(context);
-  }
 }

src/core/createApolloServer.js

@@ -95,9 +95,14 @@ export default function createApolloServer(options = {}) {
   ]);
 
   // Rewrite url to support legacy graphql routes
-  app.all(/\/graphql-\w+/, (req, res, next) => {
+  app.all(/\/graphql-\w+/, (req, res) => {
     req.url = path;
-    next();
+
+    // NOTE: This must use `app.handle(req, res)` instead
+    // of `next()` or else all of the middleware attached
+    // to `path` above does not run and, for example,
+    // `request.user` and `context.user` won't be set.
+    app.handle(req, res);
   });
 
   apolloServer.applyMiddleware({ app, cors: true, path });