AuthzAPI.resolveImplicitRole(user, resource, [AuthzConstants.role.VIEWER], function(err, implicitRole, canInteract) {
if (err) {
return callback(err);
} else if (!canInteract) {
if (!user) {
// Anonymous users will not have an explicit role on anything, so we can
// short-circuit
return callback(permissionErr);
} else if ((!resource.id && resource.email) || AuthzUtil.isUserId(resource.id)) {
// If the target resource is a user (local or invited by email address) then we
// cannot have an explicit role. So short-circuit
return callback(permissionErr);
}
} else if (canInteract) {
// If we can implicitly interact, there is no reason to check explicit access
return callback();
}
// We are an authenticated user, checking interaction on a non-user resource, and we do not
// have implicit ability to interact. Check explicit access to figure out if we can interact
// VIA role assignment
AuthzAPI.hasAnyRole(user.id, AuthzUtil.getAuthzId(resource), function(err, hasAnyRole) {
if (err) {
return callback(err);
} else if (!hasAnyRole) {
return callback(permissionErr);
}
return callback();
});
});
AuthzAPI.resolveImplicitRole(user, resource, [AuthzConstants.role.VIEWER], function(err, implicitRole, canInteract) {
if (err) {
return callback(err);
} else if (implicitRole) {
// We have an implicit access, no reason to try and find an explicit access because we
// can atleast view
return callback();
} else if (!user) {
// Anonymous user with no implicit access cannot view
return callback(permissionErr);
} else if (AuthzUtil.isUserId(resource.id)) {
// Users can't have explicit access, therefore we can short-circuit here
return callback(permissionErr);
}
// By this point, we only have access to view if we have a role on the item
AuthzAPI.hasAnyRole(user.id, AuthzUtil.getAuthzId(resource), function(err, hasAnyRole) {
if (err) {
return callback(err);
} else if (!hasAnyRole) {
return callback(permissionErr);
}
return callback();
});
});
var _applyMemberChanges = function(ctx, resource, memberChangeInfo, callback) {
if (_.isEmpty(memberChangeInfo.changes)) {
return callback();
}
var authzResourceId = AuthzUtil.getAuthzId(resource);
return AuthzAPI.updateRoles(authzResourceId, memberChangeInfo.changes, callback);
};
var setRoles = module.exports.setRoles = function(ctx, resource, roles, callback) {
var validator = new Validator();
validator.check(null, {'code': 400, 'msg': 'Only authenticated users can share a resource'}).isLoggedInUser(ctx);
validator.check(null, {'code': 400, 'msg': 'An invalid resource was provided'}).isResource(resource);
validator.check(_.keys(roles).length, {'code': 400, 'msg': 'At least one role update should be specified'}).min(1);
var resourceAuthzId = null;
var resourceId = null;
if (resource) {
resourceAuthzId = AuthzUtil.getAuthzId(resource);
resourceId = resource.id;
}
_.each(roles, function(role, memberId) {
validator.check(memberId, {'code': 400, 'msg': 'Members must be either an email, a principal id, or an email combined with a user id separated by a ":" (e.g., me@myemail.com:u:oae:abc123)'}).isValidShareTarget();
validator.check(memberId, {'code': 400, 'msg': 'You cannot share a resource with itself'}).not(resourceAuthzId);
validator.check(memberId, {'code': 400, 'msg': 'You cannot share a resource with itself'}).not(resourceId);
validator.check(role, {'code': 400, 'msg': 'An invalid role was provided'}).isValidRoleChange();
});
if (validator.hasErrors()) {
return callback(validator.getFirstError());
}
// Split the targets into principal profiles and emails
_getTargetRoles(roles, function(err, targetRolesById) {
if (err) {
return callback(err);
}
var targetRoles = _.values(targetRolesById);
// Permission check to ensure the current user is allowed to set these roles
AuthzPermissions.canSetRoles(ctx, resource, targetRoles, function(err, memberChangeInfo, emailChangeInfo) {
if (err) {
return callback(err);
}
// Apply the changes to the authz members, if any
_applyMemberChanges(ctx, resource, memberChangeInfo, function(err) {
if (err) {
return callback(err);
}
// Apply the changes to the authz invitations, if any
_applyInvitationChanges(ctx, resource, emailChangeInfo, function(err) {
if (err) {
return callback(err);
}
return callback(null, memberChangeInfo, emailChangeInfo);
});
});
});
});
};
var _computeInvitationRolesAfterChanges = function(resource, emailTargetRoles, opts, callback) {
if (_.isEmpty(emailTargetRoles)) {
return callback(null, AuthzModel.EmailChangeInfo.empty());
}
var roleChanges = {};
_.each(emailTargetRoles, function(emailTargetRole) {
roleChanges[emailTargetRole.email] = emailTargetRole.role;
});
var authzId = (resource) ? AuthzUtil.getAuthzId(resource) : null;
return AuthzInvitationsUtil.computeInvitationRolesAfterChanges(authzId, roleChanges, opts, callback);
};
var _applyInvitationChanges = function(ctx, resource, emailChangeInfo, callback) {
var addedEmailRoles = _.pick(emailChangeInfo.changes, emailChangeInfo.emails.added);
var updatedEmailRoles = _.omit(emailChangeInfo.changes, emailChangeInfo.emails.added);
var authzResourceId = AuthzUtil.getAuthzId(resource);
OaeUtil.invokeIfNecessary(!_.isEmpty(updatedEmailRoles), AuthzInvitationsDAO.updateInvitationRoles, authzResourceId, updatedEmailRoles, function(err) {
if (err) {
return callback(err);
}
OaeUtil.invokeIfNecessary(!_.isEmpty(addedEmailRoles), AuthzInvitationsDAO.createInvitations, authzResourceId, addedEmailRoles, ctx.user().id, function(err, emailTokens) {
if (err) {
return callback(err);
}
return _emitInvited(ctx, resource, addedEmailRoles, emailTokens, callback);
});
});
};
var _computeMemberRolesAfterChanges = function(resource, principalTargetRoles, opts, callback) {
if (_.isEmpty(principalTargetRoles)) {
return callback(null, AuthzModel.MemberChangeInfo.empty());
}
var roleChanges = {};
_.each(principalTargetRoles, function(principalTargetRole) {
roleChanges[principalTargetRole.principal.id] = principalTargetRole.role;
});
var authzId = (resource) ? AuthzUtil.getAuthzId(resource) : null;
AuthzAPI.computeMemberRolesAfterChanges(authzId, roleChanges, opts, function(err, idChangeInfo) {
if (err) {
return callback(err);
}
var principalsById = _.chain(principalTargetRoles).pluck('principal').indexBy('id').value();
return callback(null, AuthzModel.MemberChangeInfo.fromIdChangeInfo(idChangeInfo, principalsById));
});
};
AuthzAPI.resolveImplicitRole(user, resource, AuthzConstants.role.ALL_PRIORITY, function(err, implicitRole, canInteract) {
if (err) {
return callback(err);
} else if (implicitRole === AuthzConstants.role.MANAGER) {
// We have an implicit manager role (e.g., we are an administrator), succeed
return callback();
} else if (AuthzUtil.isUserId(resource.id)) {
// It is not possible to have an explicit role on a user, short-circuit here
return callback(permissionErr);
}
// By this point, we can only manage if we have explicit manager role
AuthzAPI.hasRole(user.id, AuthzUtil.getAuthzId(resource), AuthzConstants.role.MANAGER, function(err, hasRole) {
if (err) {
return callback(err);
} else if (!hasRole) {
return callback(permissionErr);
}
return callback();
});
});
AuthzPermissions.canManage(ctx, resource, function(err) {
if (err) {
return callback(err);
}
// Get the invitation storage hash for which to resend an invitation
var resourceAuthzId = AuthzUtil.getAuthzId(resource);
AuthzInvitationsDAO.getInvitation(resourceAuthzId, email, function(err, invitationHash) {
if (err) {
return callback(err);
}
// Get the email token for the specified email
AuthzInvitationsDAO.getOrCreateTokensByEmails([email], function(err, tokensByEmail) {
if (err) {
return callback(err);
}
// Re-emit the invite event
var emailRoles = _.object([[email, invitationHash.role]]);
_emitInvited(ctx, resource, emailRoles, tokensByEmail, callback);
});
});
});