Permissions revamp

backend/rbac.json

@@ -0,0 +1,40 @@
+{
+  "resources": {
+    "dev-portfolio": {
+      "read": ["lead", "admin"],
+      "write": ["dev_lead", "lead", "admin"]
+    },
+    "dev-portfolio-submission": {
+      "read": ["lead", "dev_lead", "admin"],
+      "write": ["dev_lead", "admin"]
+    },
+    "profile-image": {
+      "read": ["lead", "admin"],
+      "write": ["lead", "admin"]
+    },
+    "member": {
+      "read": ["lead", "admin"],
+      "write": ["lead", "admin"]
+    },
+    "member-diff": {
+      "read": ["lead", "admin"],
+      "write": ["lead", "admin"]
+    },
+    "shoutout": {
+      "read": ["lead", "admin"],
+      "write": ["lead", "admin"]
+    },
+    "team": {
+      "read": ["lead", "admin"],
+      "write": ["lead", "admin"]
+    },
+    "team-event": {
+      "read": ["lead", "ci_lead", "admin"],
+      "write": ["ci_lead", "admin"]
+    },
+    "team-event-attendance": {
+      "read": ["lead", "ci_lead", "admin"],
+      "write": ["ci_lead", "admin"]
+    }
+  }
+}

backend/src/API/devPortfolioAPI.ts

@@ -1,22 +1,15 @@
 import { DateTime } from 'luxon';
 import DevPortfolioDao from '../dao/DevPortfolioDao';
-import PermissionsManager from '../utils/permissionsManager';
-import { PermissionError, BadRequestError, NotFoundError } from '../utils/errors';
+import { BadRequestError, NotFoundError } from '../utils/errors';
 import { validateSubmission, isWithinDates } from '../utils/githubUtil';
 
 const zonedTime = (timestamp: number, ianatz = 'America/New_York') =>
   DateTime.fromMillis(timestamp, { zone: ianatz });
 
 export const devPortfolioDao = new DevPortfolioDao();
 
-export const getAllDevPortfolios = async (user: IdolMember): Promise<DevPortfolio[]> => {
-  const isLeadOrAdmin = await PermissionsManager.isLeadOrAdmin(user);
-  if (!isLeadOrAdmin)
-    throw new PermissionError(
-      `User with email ${user.email} does not have permission to view dev portfolios!`
-    );
-  return devPortfolioDao.getAllInstances();
-};
+export const getAllDevPortfolios = async (user: IdolMember): Promise<DevPortfolio[]> =>
+  devPortfolioDao.getAllInstances();
 
 export const getAllDevPortfolioInfo = async (): Promise<DevPortfolioInfo[]> =>
   devPortfolioDao.getAllDevPortfolioInfo();
@@ -30,11 +23,6 @@ export const getUsersDevPortfolioSubmissions = async (
 ): Promise<DevPortfolioSubmission[]> => devPortfolioDao.getUsersDevPortfolioSubmissions(uuid, user);
 
 export const getDevPortfolio = async (uuid: string, user: IdolMember): Promise<DevPortfolio> => {
-  const isLeadOrAdmin = await PermissionsManager.isLeadOrAdmin(user);
-  if (!isLeadOrAdmin)
-    throw new PermissionError(
-      `User with email ${user.email} does not have permission to view dev portfolios!`
-    );
   const devPortfolio = await devPortfolioDao.getInstance(uuid);
   if (!devPortfolio) throw new NotFoundError(`Dev portfolio with uuid: ${uuid} does not exist!`);
   return devPortfolio;
@@ -44,12 +32,6 @@ export const createNewDevPortfolio = async (
   instance: DevPortfolio,
   user: IdolMember
 ): Promise<DevPortfolio> => {
-  const canCreateDevPortfolio = await PermissionsManager.isLeadOrAdmin(user);
-  if (!canCreateDevPortfolio) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to create dev portfolio!`
-    );
-  }
   if (
     !instance.name ||
     instance.name.length === 0 ||
@@ -77,12 +59,6 @@ export const createNewDevPortfolio = async (
 };
 
 export const deleteDevPortfolio = async (uuid: string, user: IdolMember): Promise<void> => {
-  const canDeleteDevPortfolio = await PermissionsManager.isLeadOrAdmin(user);
-  if (!canDeleteDevPortfolio) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to delete dev portfolio!`
-    );
-  }
   await devPortfolioDao.deleteInstance(uuid);
 };
 
@@ -116,14 +92,6 @@ export const updateSubmissions = async (
   updatedSubmissions: DevPortfolioSubmission[],
   user: IdolMember
 ): Promise<DevPortfolio> => {
-  const canChangeSubmission = await PermissionsManager.isLeadOrAdmin(user);
-
-  if (!canChangeSubmission) {
-    throw new PermissionError(
-      `User with email ${user.email} does not have permission to update dev portfolio submissions`
-    );
-  }
-
   const devPortfolio = await devPortfolioDao.getInstance(uuid);
   if (!devPortfolio) {
     throw new BadRequestError(`Dev portfolio with uuid: ${uuid} does not exist`);
@@ -138,12 +106,6 @@ export const updateSubmissions = async (
 };
 
 export const regradeSubmissions = async (uuid: string, user: IdolMember): Promise<DevPortfolio> => {
-  const canRequestRegrade = await PermissionsManager.isLeadOrAdmin(user);
-  if (!canRequestRegrade)
-    throw new PermissionError(
-      `User with email ${user.email} does not have permission to regrade dev portfolio submissions`
-    );
-
   const devPortfolio = await devPortfolioDao.getInstance(uuid);
   if (!devPortfolio) {
     throw new BadRequestError(`Dev portfolio with uuid: ${uuid} does not exist`);

backend/src/API/memberAPI.ts

@@ -1,6 +1,5 @@
 import { Request } from 'express';
 import MembersDao from '../dao/MembersDao';
-import PermissionsManager from '../utils/permissionsManager';
 import { BadRequestError, PermissionError } from '../utils/errors';
 import { bucket } from '../firebase';
 import { getNetIDFromEmail, computeMembersDiff } from '../utils/memberUtil';
@@ -14,12 +13,6 @@ export const allApprovedMembers = (): Promise<readonly IdolMember[]> =>
   MembersDao.getAllMembers(true);
 
 export const setMember = async (body: IdolMember, user: IdolMember): Promise<IdolMember> => {
-  const canEdit = await PermissionsManager.canEditMembers(user);
-  if (!canEdit) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to edit members!`
-    );
-  }
   if (!body.email || body.email === '') {
     throw new BadRequestError("Couldn't edit member with undefined email!");
   }
@@ -34,21 +27,13 @@ export const updateMember = async (
   body: IdolMember,
   user: IdolMember
 ): Promise<unknown> => {
-  const canEdit = await PermissionsManager.canEditMembers(user);
-  if (!canEdit && user.email !== body.email) {
-    // members are able to edit their own information
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to edit members!`
-    );
-  }
   if (!body.email || body.email === '') {
     throw new BadRequestError("Couldn't edit member with undefined email!");
   }
   if (
-    !canEdit &&
-    (body.role !== user.role ||
-      body.firstName !== user.firstName ||
-      body.lastName !== user.lastName)
+    body.role !== user.role ||
+    body.firstName !== user.firstName ||
+    body.lastName !== user.lastName
   ) {
     throw new PermissionError(
       `User with email: ${user.email} does not have permission to edit member name or roles!`
@@ -62,12 +47,6 @@ export const updateMember = async (
 };
 
 export const deleteMember = async (email: string, user: IdolMember): Promise<void> => {
-  const canEdit = await PermissionsManager.canEditMembers(user);
-  if (!canEdit) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to delete members!`
-    );
-  }
   if (!email || email === '') {
     throw new BadRequestError("Couldn't delete member with undefined email!");
   }
@@ -90,12 +69,6 @@ export const deleteImage = async (email: string): Promise<void> => {
 export const getUserInformationDifference = async (
   user: IdolMember
 ): Promise<readonly IdolMemberDiff[]> => {
-  const canReview = await PermissionsManager.canReviewChanges(user);
-  if (!canReview) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to review members information diff!`
-    );
-  }
   const [allApprovedMembersList, allLatestMembersList] = await Promise.all([
     allApprovedMembers(),
     allMembers()
@@ -108,12 +81,6 @@ export const reviewUserInformationChange = async (
   rejected: readonly string[],
   user: IdolMember
 ): Promise<void> => {
-  const canReview = await PermissionsManager.canReviewChanges(user);
-  if (!canReview) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to review members information diff!`
-    );
-  }
   await Promise.all([
     MembersDao.approveMemberInformationChanges(approved),
     MembersDao.revertMemberInformationChanges(rejected)

backend/src/API/shoutoutAPI.ts

@@ -1,4 +1,3 @@
-import PermissionsManager from '../utils/permissionsManager';
 import { NotFoundError, PermissionError } from '../utils/errors';
 import ShoutoutsDao from '../dao/ShoutoutsDao';
 
@@ -19,27 +18,13 @@ export const getShoutouts = async (
   memberEmail: string,
   type: 'given' | 'received',
   user: IdolMember
-): Promise<Shoutout[]> => {
-  const canEdit: boolean = await PermissionsManager.canGetShoutouts(user);
-  if (!canEdit && memberEmail !== user.email) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to get shoutouts!`
-    );
-  }
-  return shoutoutsDao.getShoutouts(memberEmail, type);
-};
+): Promise<Shoutout[]> => shoutoutsDao.getShoutouts(memberEmail, type);
 
 export const hideShoutout = async (
   uuid: string,
   hide: boolean,
   user: IdolMember
 ): Promise<void> => {
-  const canEdit = await PermissionsManager.canHideShoutouts(user);
-  if (!canEdit) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to hide shoutouts!`
-    );
-  }
   const shoutout = await shoutoutsDao.getShoutout(uuid);
   if (!shoutout) throw new NotFoundError(`Shoutout with uuid: ${uuid} does not exist!`);
   await shoutoutsDao.updateShoutout({ ...shoutout, hidden: hide });
@@ -50,11 +35,5 @@ export const deleteShoutout = async (uuid: string, user: IdolMember): Promise<vo
   if (!shoutout) {
     throw new NotFoundError(`No shoutout with id '${uuid}' found.`);
   }
-  const isLeadOrAdmin = await PermissionsManager.isLeadOrAdmin(user);
-  if (!isLeadOrAdmin && shoutout.giver.email !== user.email) {
-    throw new PermissionError(
-      `You are not a lead or admin, so you can't delete a shoutout from a different user!`
-    );
-  }
   await shoutoutsDao.deleteShoutout(uuid);
 };

backend/src/API/siteIntegrationAPI.ts

@@ -1,12 +1,10 @@
 import { Octokit } from '@octokit/rest';
 import { PRResponse } from '../types/GithubTypes';
-import PermissionsManager from '../utils/permissionsManager';
 import { PermissionError, BadRequestError } from '../utils/errors';
 
 require('dotenv').config();
 
 export const requestIDOLPullDispatch = async (user: IdolMember): Promise<{ updated: boolean }> => {
-  await checkPermissions(user);
   const octokit = new Octokit({
     auth: `token ${process.env.BOT_TOKEN}`,
     userAgent: 'cornell-dti/idol-backend'
@@ -20,15 +18,13 @@ export const requestIDOLPullDispatch = async (user: IdolMember): Promise<{ updat
 };
 
 export const getIDOLChangesPR = async (user: IdolMember): Promise<{ pr: PRResponse }> => {
-  await checkPermissions(user);
   const foundPR = await findBotPR();
   return { pr: foundPR };
 };
 
 export const acceptIDOLChanges = async (
   user: IdolMember
 ): Promise<{ pr: PRResponse; merged: boolean }> => {
-  await checkPermissions(user);
   const octokit = new Octokit({
     auth: `token ${process.env.BOT_TOKEN}`,
     userAgent: 'cornell-dti/idol-backend'
@@ -62,7 +58,6 @@ export const acceptIDOLChanges = async (
 export const rejectIDOLChanges = async (
   user: IdolMember
 ): Promise<{ pr: PRResponse; closed: boolean }> => {
-  await checkPermissions(user);
   const foundPR = await findBotPR();
   const octokit2 = new Octokit({
     auth: `token ${process.env.BOT_2_TOKEN}`,
@@ -99,12 +94,3 @@ const findBotPR = async (): Promise<PRResponse> => {
   }
   return foundPR;
 };
-
-const checkPermissions = async (user: IdolMember): Promise<void> => {
-  const canEdit = await PermissionsManager.canDeploySite(user);
-  if (!canEdit) {
-    throw new PermissionError(
-      `User with email: ${user.email} does not have permission to trigger site deploys!`
-    );
-  }
-};

backend/src/API/teamAPI.ts

@@ -1,7 +1,6 @@
 import { v4 as uuidv4 } from 'uuid';
-import PermissionsManager from '../utils/permissionsManager';
 import { Team } from '../types/DataTypes';
-import { BadRequestError, PermissionError } from '../utils/errors';
+import { BadRequestError } from '../utils/errors';
 import MembersDao from '../dao/MembersDao';
 
 const membersDao = new MembersDao();
@@ -93,12 +92,6 @@ const updateFormerMembers = async (team: Team, oldTeam: Team): Promise<void> =>
 };
 
 export const setTeam = async (teamBody: Team, member: IdolMember): Promise<Team> => {
-  const canEdit = await PermissionsManager.canEditTeams(member);
-  if (!canEdit) {
-    throw new PermissionError(
-      `User with email: ${member.email} does not have permission to edit teams!`
-    );
-  }
   if (teamBody.members.length > 0 && !teamBody.members[0].email) {
     throw new BadRequestError('Malformed members on POST!');
   }
@@ -110,12 +103,6 @@ export const deleteTeam = async (teamBody: Team, member: IdolMember): Promise<Te
   if (!teamBody.uuid || teamBody.uuid === '') {
     throw new BadRequestError("Couldn't delete team with undefined uuid!");
   }
-  const canEdit = await PermissionsManager.canEditTeams(member);
-  if (!canEdit) {
-    throw new PermissionError(
-      `User with email: ${member.email} does not have permission to delete teams!`
-    );
-  }
   await updateTeamMembers({ ...teamBody, members: [], leaders: [], formerMembers: [] });
   return teamBody;
 };