refactor: get roles / permissions directly from group(s), not user object

src/core-services/account/index.js

@@ -6,6 +6,7 @@ import resolvers from "./resolvers/index.js";
 import schemas from "./schemas/index.js";
 import startup from "./startup.js";
 import accountByUserId from "./util/accountByUserId.js";
+import permissionsByUserId from "./util/permissionsByUserId.js";
 import { Account } from "./simpleSchemas.js";
 
 /**
@@ -48,7 +49,8 @@ export default async function register(app) {
       }
     },
     auth: {
-      accountByUserId
+      accountByUserId,
+      permissionsByUserId
     },
     functionsByType: {
       startup: [startup]

src/core-services/account/mutations/addAccountToGroup.js

@@ -1,8 +1,6 @@
-import _ from "lodash";
 import ReactionError from "@reactioncommerce/reaction-error";
 import SimpleSchema from "simpl-schema";
 import canAddAccountToGroup from "../util/canAddAccountToGroup.js";
-import ensureRoles from "../util/ensureRoles.js";
 
 const inputSchema = new SimpleSchema({
   accountId: String,
@@ -37,8 +35,6 @@ export default async function addAccountToGroup(context, input) {
   const groupToAddUserTo = await Groups.findOne({ _id: groupId });
   if (!groupToAddUserTo) throw new ReactionError("not-found", "No group found with that ID");
 
-  const { permissions: groupPermissions = [], shopId } = groupToAddUserTo;
-
   const isAllowed = await canAddAccountToGroup(context, groupToAddUserTo);
   if (!isAllowed) throw new ReactionError("access-denied", "Access Denied");
 
@@ -51,25 +47,6 @@ export default async function addAccountToGroup(context, input) {
   const groupToAdd = account.groups.includes(groupId);
   if (groupToAdd) throw new ReactionError("group-found", "Account is already in this group");
 
-  // Get existing roles from a user
-  const newAccountUserRoles = new Set((accountUser.roles || {})[shopId] || []);
-
-  // Merge existing roles on user and roles from new group
-  // TODO(pod-auth): this will likely be removed in #6031, where we no longer get roles from user.roles
-  const newRoles = [...newAccountUserRoles, ...groupPermissions];
-  const uniqueRoles = _.uniq(newRoles);
-
-  // Add all group roles to the user. Make sure this stays in this order.
-  await ensureRoles(context, newRoles);
-  await users.updateOne({
-    _id: account.userId
-  }, {
-    $set: {
-      [`roles.${shopId}`]: uniqueRoles
-    }
-  });
-  // TODO(pod-auth): this will likely be removed in #6031, where we no longer get roles from user.roles
-
   // Add new group to Account
   const accountGroups = Array.isArray(account.groups) ? account.groups : [];
   accountGroups.push(groupId);

src/core-services/account/mutations/createAccount.js

@@ -82,7 +82,7 @@ export default async function createAccount(context, input) {
   // The identity provider service gives the first created user the global "owner" role. When we
   // create an account for this user, they should be assigned to the "owner" group.
   if (authUserId === userId) {
-    const isGlobalOwner = await context.userHasPermission("reaction:legacy:shops", "owner", { shopId, legacyRoles: ["owner"] }); // TODO(pod-auth): update this permissions check
+    const isGlobalOwner = await context.userHasPermission("reaction:legacy:shops", "owner", { shopId }); // TODO(pod-auth): update this permissions check
     if (isGlobalOwner) groupSlug = "owner";
   }
 
@@ -115,8 +115,6 @@ export default async function createAccount(context, input) {
 
   await Accounts.insertOne(account);
 
-  // Add all group permissions to the user roles. Because of the complexity of this
-  // and potential security concerns if done incorrectly, it's best to use the mutation.
   try {
     await Promise.all(groups.map((groupId) => (
       context.mutations.addAccountToGroup(context.getInternalContext(), {

src/core-services/account/mutations/removeAccountFromGroup.js

@@ -1,8 +1,6 @@
-import _ from "lodash";
 import ReactionError from "@reactioncommerce/reaction-error";
 import SimpleSchema from "simpl-schema";
 import canAddAccountToGroup from "../util/canAddAccountToGroup.js";
-import ensureRoles from "../util/ensureRoles.js";
 
 const inputSchema = new SimpleSchema({
   accountId: String,
@@ -55,19 +53,6 @@ export default async function removeAccountFromGroup(context, input) {
 
   // Get all other groups user belongs to, and all permissions from these groups, and flatten into single array
   const remainingGroupsUserBelongsTo = allGroupsUserBelongsTo.filter((group) => group.shopId === shopId && group._id !== groupId);
-  const remainingRolesToGiveUser = _.uniq(remainingGroupsUserBelongsTo.map((group) => group.permissions).flat());
-
-  // update user to only have roles from other groups they belong
-  // TODO(pod-auth): this will likely be removed in #6031, where we no longer get roles from user.roles
-  await ensureRoles(context, remainingRolesToGiveUser);
-  await users.updateOne({
-    _id: account.userId
-  }, {
-    $set: {
-      [`roles.${shopId}`]: remainingRolesToGiveUser
-    }
-  });
-  // TODO(pod-auth): this will likely be removed in #6031, where we no longer get roles from user.roles
 
   const remainingGroupIds = remainingGroupsUserBelongsTo.map((group) => group._id);
   await Accounts.updateOne({ _id: accountId }, { $set: { groups: remainingGroupIds } });

src/core-services/account/mutations/removeAccountGroup.js

@@ -21,7 +21,7 @@ export default async function removeAccountGroup(context, input) {
   const { Groups } = context.collections;
 
   // we are limiting group method actions to only users within the account managers role
-  await context.validatePermissions(`reaction:legacy:groups:${groupId}`, "remove", { shopId, legacyRoles: ["admin"] });
+  await context.validatePermissions(`reaction:legacy:groups:${groupId}`, "remove", { shopId });
 
   const defaultGroupsForShop = await Groups.find({
     shopId,
@@ -34,14 +34,13 @@ export default async function removeAccountGroup(context, input) {
   const forbiddenGroupIds = defaultGroupsForShop.map(({ _id }) => _id);
 
   if (forbiddenGroupIds.includes(groupId)) {
-    throw new ReactionError("accedd-denied", `Cannot remove default group with ID ${groupId}.`);
+    throw new ReactionError("access-denied", `Cannot remove default group with ID ${groupId}.`);
   }
 
   if (!defaultCustomerGroupForShop) {
     throw new ReactionError("server-error", `Cannot remove group ${groupId}. Default "customer" group doesn't exist to move users to.`);
   }
 
-  // TODO: Remove when we move away from legacy permission verification
   // Move accounts from their old group to their new group
   await moveAccountsToGroup(context, {
     shopId,

src/core-services/account/mutations/updateAccountGroup.js

@@ -37,7 +37,7 @@ export default async function updateAccountGroup(context, input) {
   const { Groups } = context.collections;
 
   // we are limiting group method actions to only users within the account managers role
-  await context.validatePermissions(`reaction:legacy:groups:${groupId}`, "update", { shopId, legacyRoles: ["admin"] });
+  await context.validatePermissions(`reaction:legacy:groups:${groupId}`, "update", { shopId });
 
   const defaultCustomerGroupForShop = await Groups.findOne({ slug: defaultCustomerGroupSlug, shopId }) || {};
 

src/core-services/account/queries/__snapshots__/groups.test.js.snap

@@ -1,3 +1,3 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`throws access-denied if not allowed 1`] = `"User does not have permissions to view groups"`;
+exports[`throws access-denied if not allowed 1`] = `"Access Denied"`;

src/core-services/account/queries/groups.js

@@ -1,5 +1,3 @@
-import ReactionError from "@reactioncommerce/reaction-error";
-
 /**
  * @name groups
  * @method
@@ -10,31 +8,11 @@ import ReactionError from "@reactioncommerce/reaction-error";
  * @returns {Object} Groups collection cursor
  */
 export default async function groups(context, shopId) {
-  const { collections, userId } = context;
-  const { Accounts, Groups } = collections;
-
-  // TODO: Break this query up into one for all groups (for admins only) and one for user's groups
-  if (context.userHasPermission("reaction:legacy:accounts", "read", { shopId })) { // TODO(pod-auth): update this permissions check
-    // find groups by shop ID
-    return Groups.find({ shopId });
-  }
+  const { collections } = context;
+  const { Groups } = collections;
 
-  const userAccount = await Accounts.findOne({
-    userId
-  }, {
-    projection: {
-      groups: 1
-    }
-  });
+  await context.validatePermissions("reaction:legacy:groups", "read", { shopId });
 
-  // If user is not found, throw an error
-  if (!userAccount) throw new ReactionError("access-denied", "User does not have permissions to view groups");
-
-  // find groups by shop ID limited to those the current user is in
-  return Groups.find({
-    _id: {
-      $in: userAccount.groups || []
-    },
-    shopId
-  });
+  // TODO: Break this query up into one for all groups (for admins only) and one for user's groups
+  return Groups.find({ shopId });
 }

src/core-services/account/queries/groups.test.js

@@ -1,45 +1,34 @@
 import mockContext from "@reactioncommerce/api-utils/tests/mockContext.js";
+import ReactionError from "@reactioncommerce/reaction-error";
 import groupsQuery from "./groups.js";
 
 const fakeShopId = "FAKE_SHOP_ID";
-const fakeAccount = { _id: "FAKE_ACCOUNT_ID", groups: ["group1", "group2"] };
+mockContext.validatePermissions = jest.fn("validatePermissions");
+
 
 beforeEach(() => {
   jest.resetAllMocks();
 });
 
 test("returns the groups cursor if userHasPermission returns true", async () => {
   mockContext.collections.Groups.find.mockReturnValueOnce("CURSOR");
-  mockContext.userHasPermission.mockReturnValueOnce(true);
+  mockContext.validatePermissions.mockReturnValueOnce(Promise.resolve(undefined));
   const result = await groupsQuery(mockContext, fakeShopId);
+
   expect(mockContext.collections.Groups.find).toHaveBeenCalledWith({ shopId: fakeShopId });
-  expect(mockContext.userHasPermission).toHaveBeenCalledWith(
-    "reaction:legacy:accounts",
+  expect(mockContext.validatePermissions).toHaveBeenCalledWith(
+    "reaction:legacy:groups",
     "read",
     { shopId: fakeShopId }
   );
   expect(result).toBe("CURSOR");
 });
 
-test("returns the groups cursor for groups the current user is in, if userHasPermission returns false", async () => {
-  mockContext.collections.Groups.find.mockReturnValueOnce("CURSOR");
-  mockContext.userHasPermission.mockReturnValueOnce(false);
-  mockContext.collections.Accounts.findOne.mockReturnValueOnce(fakeAccount);
-  const result = await groupsQuery(mockContext, fakeShopId);
-  expect(mockContext.collections.Groups.find).toHaveBeenCalledWith({
-    _id: { $in: fakeAccount.groups },
-    shopId: fakeShopId
-  });
-  expect(mockContext.userHasPermission).toHaveBeenCalledWith(
-    "reaction:legacy:accounts",
-    "read",
-    { shopId: fakeShopId }
-  );
-  expect(result).toBe("CURSOR");
-});
 
 test("throws access-denied if not allowed", async () => {
-  mockContext.userHasPermission.mockReturnValueOnce(false);
+  mockContext.validatePermissions.mockImplementation(() => {
+    throw new ReactionError("access-denied", "Access Denied");
+  });
   mockContext.collections.Accounts.findOne.mockReturnValueOnce(undefined);
   const result = groupsQuery(mockContext, fakeShopId);
   return expect(result).rejects.toThrowErrorMatchingSnapshot();

src/core-services/account/queries/index.js

@@ -2,14 +2,12 @@ import accounts from "./accounts.js";
 import group from "./group.js";
 import groups from "./groups.js";
 import roles from "./roles.js";
-import shopAdministrators from "./shopAdministrators.js";
 import userAccount from "./userAccount.js";
 
 export default {
   accounts,
   group,
   groups,
   roles,
-  shopAdministrators,
   userAccount
 };