fix: fix domain privilege management per <Automattic/mongoose#11522>,…

… added ansible verbosity, bump deps
forwardemail · Apr 8, 2022 · d47e1d1 · d47e1d1
1 parent 27e8a80
commit d47e1d1
Show file tree

Hide file tree

Showing 9 changed files with 400 additions and 373 deletions.
diff --git a/ansible/playbooks/mongo.yml b/ansible/playbooks/mongo.yml
@@ -19,6 +19,9 @@
     mongodb_net_bindip: "127.0.0.1,{{ lookup('env', 'MONGO_HOST') }}"
     mongodb_security_javascript_enabled: true
     mongodb_manage_service: true
+    mongodb_config:
+      systemLog:
+        - "verbosity: 0"
   # this was already defined in the mongo role
   # https://github.com/UnderGreen/ansible-role-mongodb/blob/master/handlers/main.yml
   handlers:

diff --git a/app/controllers/web/my-account/create-invite.js b/app/controllers/web/my-account/create-invite.js
@@ -43,6 +43,10 @@ async function createInvite(ctx, next) {
 
   // create the invite
   ctx.state.domain = await Domains.findById(ctx.state.domain._id);
+  if (!ctx.state.domain)
+    return ctx.throw(
+      Boom.notFound(ctx.translateError('DOMAIN_DOES_NOT_EXIST'))
+    );
   ctx.state.domain.invites.push({
     email: email.toLowerCase(),
     group: ctx.request.body.group

diff --git a/app/controllers/web/my-account/remove-invite.js b/app/controllers/web/my-account/remove-invite.js
@@ -11,6 +11,10 @@ async function removeInvite(ctx, next) {
   if (!isSANB(email) || !isEmail(email))
     return ctx.throw(Boom.badRequest(ctx.translateError('INVALID_EMAIL')));
   ctx.state.domain = await Domains.findById(ctx.state.domain._id);
+  if (!ctx.state.domain)
+    return ctx.throw(
+      Boom.notFound(ctx.translateError('DOMAIN_DOES_NOT_EXIST'))
+    );
   // remove invite
   ctx.state.domain.invites = ctx.state.domain.invites.filter(
     (invite) => invite.email.toLowerCase() !== email.toLowerCase()

diff --git a/app/controllers/web/my-account/remove-member.js b/app/controllers/web/my-account/remove-member.js
@@ -27,6 +27,10 @@ async function removeMember(ctx, next) {
     );
 
   ctx.state.domain = await Domains.findById(ctx.state.domain._id);
+  if (!ctx.state.domain)
+    return ctx.throw(
+      Boom.notFound(ctx.translateError('DOMAIN_DOES_NOT_EXIST'))
+    );
   ctx.state.domain.members = ctx.state.domain.members.filter(
     (member) => member.user.toString() !== ctx.params.member_id
   );

diff --git a/app/controllers/web/my-account/retrieve-invite.js b/app/controllers/web/my-account/retrieve-invite.js
@@ -10,8 +10,16 @@ async function retrieveInvite(ctx) {
     );
 
   const domain = await Domains.findOne({
-    id: ctx.params.domain_id,
-    'invites.email': ctx.state.user.email
+    $or: [
+      {
+        id: ctx.params.domain_id,
+        'invites.email': ctx.state.user.email
+      },
+      {
+        id: ctx.params.domain_id,
+        'members.user': ctx.state.user._id
+      }
+    ]
   });
 
   if (!domain)
@@ -24,26 +32,30 @@ async function retrieveInvite(ctx) {
     (invite) => invite.email === ctx.state.user.email
   );
 
-  if (!invite)
-    return ctx.throw(
-      Boom.notFound(ctx.translateError('INVITE_DOES_NOT_EXIST'))
-    );
+  let group = 'user';
 
-  const { group } = invite;
-  domain.members.push({
-    user: ctx.state.user._id,
-    group
-  });
+  if (invite) {
+    ({ group } = invite);
+    domain.members.push({
+      user: ctx.state.user._id,
+      group
+    });
 
-  // remove invitee from invites list
-  domain.invites = domain.invites.filter(
-    (invite) => invite.email !== ctx.state.user.email
-  );
+    // remove invitee from invites list
+    domain.invites = domain.invites.filter(
+      (invite) => invite.email !== ctx.state.user.email
+    );
 
-  // save domain
-  domain.locale = ctx.locale;
-  domain.skip_verification = true;
-  ctx.state.domain = await domain.save();
+    // save domain
+    domain.locale = ctx.locale;
+    domain.skip_verification = true;
+    ctx.state.domain = await domain.save();
+  } else {
+    const match = domain.members.find(
+      (member) => member._id.toString() === ctx.state.user.id
+    );
+    group = match && match.group === 'admin' ? 'admin' : 'user';
+  }
 
   // flash a message to the user telling them they've successfully accepted
   const message =
@@ -62,8 +74,8 @@ async function retrieveInvite(ctx) {
   // redirect user to either alias page (if user) or admin page (if admin)
   const redirectTo =
     group === 'admin'
-      ? ctx.state.l(`/my-account/domains/${ctx.state.domain.name}`)
-      : ctx.state.l(`/my-account/domains/${ctx.state.domain.name}/aliases`);
+      ? ctx.state.l(`/my-account/domains/${domain.name}`)
+      : ctx.state.l(`/my-account/domains/${domain.name}/aliases`);
 
   if (ctx.accepts('html')) ctx.redirect(redirectTo);
   else ctx.body = { redirectTo };

diff --git a/app/controllers/web/my-account/update-domain.js b/app/controllers/web/my-account/update-domain.js
@@ -9,6 +9,10 @@ const { Domains } = require('#models');
 // eslint-disable-next-line complexity
 async function updateDomain(ctx, next) {
   ctx.state.domain = await Domains.findById(ctx.state.domain._id);
+  if (!ctx.state.domain)
+    return ctx.throw(
+      Boom.notFound(ctx.translateError('DOMAIN_DOES_NOT_EXIST'))
+    );
 
   // Custom SMTP Port Forwarding
   if (isSANB(ctx.request.body.smtp_port)) {

diff --git a/app/controllers/web/my-account/update-member.js b/app/controllers/web/my-account/update-member.js
@@ -15,29 +15,34 @@ async function updateMember(ctx, next) {
   )
     return ctx.throw(Boom.badRequest(ctx.translateError('INVALID_GROUP')));
 
-  const member = ctx.state.domain.members.find(
-    (member) => member.user.id === ctx.params.member_id
-  );
-
-  if (!member)
-    return ctx.throw(Boom.notFound(ctx.translateError('INVALID_USER')));
-
-  const domain = await Domains.findById(ctx.state.domain._id);
-
-  if (!domain)
+  ctx.state.domain = await Domains.findById(ctx.state.domain._id);
+  if (!ctx.state.domain)
     return ctx.throw(
       Boom.notFound(ctx.translateError('DOMAIN_DOES_NOT_EXIST'))
     );
 
+  const match = ctx.state.domain.members.find(
+    (member) => member.user.toString() === ctx.params.member_id
+  );
+
+  if (!match)
+    return ctx.throw(Boom.notFound(ctx.translateError('INVALID_USER')));
+
   // swap the user group based off ctx.request.body.group
-  for (const member of domain.members) {
-    if (member.user.toString() === ctx.params.member_id)
-      member.group = ctx.request.body.group;
-  }
-
-  domain.locale = ctx.locale;
-  domain.client = ctx.client;
-  ctx.state.domain = await domain.save();
+  // <https://github.com/Automattic/mongoose/issues/11522>
+  ctx.state.domain.members = ctx.state.domain.members.map((member) => {
+    return {
+      user: member.user,
+      group:
+        member.user.toString() === ctx.params.member_id
+          ? ctx.request.body.group
+          : member.group
+    };
+  });
+
+  ctx.state.domain.locale = ctx.locale;
+  ctx.state.domain.client = ctx.client;
+  ctx.state.domain = await ctx.state.domain.save();
 
   if (ctx.api) return next();
 

diff --git a/package.json b/package.json
@@ -33,7 +33,7 @@
     "@ladjs/api": "7.1.1",
     "@ladjs/assets": "1.4.2",
     "@ladjs/env": "3.0.0",
-    "@ladjs/graceful": "2.0.0",
+    "@ladjs/graceful": "2.0.1",
     "@ladjs/i18n": "7.2.6",
     "@ladjs/mongoose": "3.0.0",
     "@ladjs/mongoose-error-messages": "1.0.0",
@@ -49,20 +49,20 @@
     "@sidoshi/random-string": "1.0.0",
     "@tkrotoff/bootstrap-floating-label": "0.8",
     "accounting": "0.4.1",
-    "apexcharts": "3.34.0",
+    "apexcharts": "3.35.0",
     "array-join-conjunction": "1.0.0",
-    "aws-sdk": "2.1104.0",
+    "aws-sdk": "2.1110.0",
     "axe": "8.1.2",
     "basic-auth": "2.0.1",
     "boolean": "3.2.0",
     "bootstrap": "4.6.0",
-    "bree": "8.0.2",
+    "bree": "8.0.3",
     "bson-objectid": "2.0.3",
     "cabin": "9.1.2",
     "capitalize": "2.0.4",
     "captain-hook": "0.0.3",
     "clipboard": "2.0.10",
-    "codemirror": "^5.65.2",
+    "codemirror": "5.65.2",
     "consolidate": "0.16.0",
     "country-list": "2.2.0",
     "crypto-random-string": "3",
@@ -80,8 +80,8 @@
     "github-markdown-css": "5.1.0",
     "hcaptcha": "0.1.0",
     "highlight.js": "11.5.0",
-    "html-to-text": "8.1.0",
-    "htmlhint": "^1.1.3",
+    "html-to-text": "8.2.0",
+    "htmlhint": "1.1.3",
     "humanize-string": "2",
     "ip": "1.1.5",
     "is-fqdn": "2.0.1",
@@ -106,7 +106,7 @@
     "memoizee": "0.4.15",
     "mongodb-memory-server": "8.4.2",
     "mongodb-short-id": "0.3.3",
-    "mongoose": "6.2.9",
+    "mongoose": "6.2.10",
     "mongoose-common-plugin": "2.0.3",
     "mongoose-omit-common-fields": "0.0.6",
     "mongoose-unique-validator": "2.0.3",
@@ -138,7 +138,7 @@
     "speakingurl": "14.0.1",
     "split-lines": "2",
     "stacktrace-js": "2.0.2",
-    "stripe": "8.214.0",
+    "stripe": "8.215.0",
     "striptags": "3.2.0",
     "superagent": "7.1.1",
     "sweetalert2": "8",
@@ -152,21 +152,21 @@
   },
   "devDependencies": {
     "@babel/cli": "7.17.6",
-    "@babel/core": "7.17.8",
+    "@babel/core": "7.17.9",
     "@babel/polyfill": "7.12.1",
     "@babel/preset-env": "7.16.11",
     "@commitlint/cli": "16.2.3",
     "@commitlint/config-conventional": "16.2.1",
     "@ladjs/browserslist-config": "0.0.1",
     "@ladjs/gulp-envify": "2.0.1",
     "@ladjs/pug-lint-config-lad": "0.1.1",
-    "@prettier/plugin-pug": "1.20.0",
+    "@prettier/plugin-pug": "1.20.1",
     "ava": "4.1.0",
     "babel-eslint": "10.1.0",
     "browserify": "17.0.0",
     "bundle-collapser": "1.4.0",
     "codecov": "3.8.3",
-    "cssnano": "5.1.5",
+    "cssnano": "5.1.7",
     "del": "6.0.0",
     "eslint": "8.12.0",
     "eslint-config-xo-lass": "1.0.6",
@@ -214,12 +214,12 @@
     "postcss-preset-env": "7.4.3",
     "postcss-reporter": "7.0.5",
     "postcss-scss": "4.0.3",
-    "prettier": "2.6.1",
+    "prettier": "2.6.2",
     "pug-lint": "2.6.0",
     "rc": "1.2.8",
     "remark-cli": "10.0.1",
     "remark-preset-github": "4.0.1",
-    "sass": "1.49.9",
+    "sass": "1.50.0",
     "sinon": "13.0.1",
     "stylelint": "14.6.1",
     "stylelint-config-recommended-scss": "6.0.0",