diff --git a/packages/user-mgnt/src/config/routes.ts b/packages/user-mgnt/src/config/routes.ts index 8f906fbe69f..6327345cb43 100644 --- a/packages/user-mgnt/src/config/routes.ts +++ b/packages/user-mgnt/src/config/routes.ts @@ -96,18 +96,7 @@ import changeEmailHandler, { } from '@user-mgnt/features/changeEmail/handler' import { getAllSystemsHandler } from '@user-mgnt/features/getAllSystems/handler' import * as mongoose from 'mongoose' - -const enum RouteScope { - DECLARE = 'declare', - REGISTER = 'register', - CERTIFY = 'certify', - PERFORMANCE = 'performance', - SYSADMIN = 'sysadmin', - NATLSYSADMIN = 'natlsysadmin', - VALIDATE = 'validate', - RECORDSEARCH = 'recordsearch', - VERIFY = 'verify' -} +import { SCOPES } from '@opencrvs/commons/authentication' export const getRoutes = () => { return [ @@ -215,12 +204,14 @@ export const getRoutes = () => { description: 'Changes password for logged-in user', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -240,12 +231,14 @@ export const getRoutes = () => { description: 'Changes password for logged-in user', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -265,12 +258,14 @@ export const getRoutes = () => { description: 'Changes email for logged-in user', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -290,12 +285,14 @@ export const getRoutes = () => { description: 'Changes avatar for logged-in user', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -315,12 +312,14 @@ export const getRoutes = () => { description: 'Retrieves a user mobile number', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -338,12 +337,14 @@ export const getRoutes = () => { options: { auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -361,16 +362,16 @@ export const getRoutes = () => { description: 'Retrieves a user', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE, - RouteScope.VERIFY, - RouteScope.RECORDSEARCH, - // @TODO: Refer to an enum / constant - 'record.confirm-registration' + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL, + SCOPES.RECORD_REGISTRATION_VERIFY_CERTIFIED_COPIES, + SCOPES.RECORDSEARCH ] }, validate: { @@ -386,7 +387,7 @@ export const getRoutes = () => { tags: ['api'], description: 'Creates a new user', auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] } } }, @@ -398,7 +399,7 @@ export const getRoutes = () => { tags: ['api'], description: 'Updates an existing user', auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] } } }, @@ -411,12 +412,14 @@ export const getRoutes = () => { description: 'Activate an existing pending user', auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -449,7 +452,7 @@ export const getRoutes = () => { handler: userAuditHandler, options: { auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: userAuditSchema @@ -464,12 +467,14 @@ export const getRoutes = () => { options: { auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -485,12 +490,14 @@ export const getRoutes = () => { options: { auth: { scope: [ - RouteScope.DECLARE, - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.RECORD_DECLARE_BIRTH, + SCOPES.RECORD_DECLARE_DEATH, + SCOPES.RECORD_DECLARE_MARRIAGE, + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -505,7 +512,7 @@ export const getRoutes = () => { handler: resendInviteHandler, options: { auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: resendInviteRequestSchema @@ -520,7 +527,7 @@ export const getRoutes = () => { handler: usernameReminderHandler, options: { auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: usernameReminderRequestSchema @@ -535,7 +542,7 @@ export const getRoutes = () => { handler: resetPasswordInviteHandler, options: { auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: resetPasswordRequestSchema @@ -552,7 +559,7 @@ export const getRoutes = () => { tags: ['api'], description: 'Creates a new system client', auth: { - scope: [RouteScope.NATLSYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: reqRegisterSystemSchema @@ -570,7 +577,7 @@ export const getRoutes = () => { tags: ['api'], description: 'Update system permissions', auth: { - scope: [RouteScope.SYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: reqUpdateSystemSchema @@ -585,7 +592,7 @@ export const getRoutes = () => { tags: ['api'], description: 'Deactivates a new system client', auth: { - scope: [RouteScope.NATLSYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: clientIdSchema @@ -603,7 +610,7 @@ export const getRoutes = () => { tags: ['api'], description: 'Reactivates a new system client', auth: { - scope: [RouteScope.NATLSYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: clientIdSchema @@ -666,11 +673,11 @@ export const getRoutes = () => { description: 'Gets count of users group by office ids', auth: { scope: [ - RouteScope.REGISTER, - RouteScope.CERTIFY, - RouteScope.PERFORMANCE, - RouteScope.SYSADMIN, - RouteScope.VALIDATE + SCOPES.REGISTER, + SCOPES.CERTIFY, + SCOPES.PERFORMANCE_READ, + SCOPES.CONFIG_UPDATE_ALL, + SCOPES.RECORD_SUBMIT_FOR_APPROVAL ] }, validate: { @@ -689,7 +696,7 @@ export const getRoutes = () => { description: 'Refresh client secret ', notes: 'Refresh client secret', auth: { - scope: [RouteScope.NATLSYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: systemSecretRequestSchema @@ -708,7 +715,7 @@ export const getRoutes = () => { description: 'Delete system ', notes: 'This is responsible for system deletion', auth: { - scope: [RouteScope.NATLSYSADMIN] + scope: [SCOPES.CONFIG_UPDATE_ALL] }, validate: { payload: clientIdSchema diff --git a/packages/user-mgnt/src/features/updateUser/handler.ts b/packages/user-mgnt/src/features/updateUser/handler.ts index 0bac0b40341..d361b329cdd 100644 --- a/packages/user-mgnt/src/features/updateUser/handler.ts +++ b/packages/user-mgnt/src/features/updateUser/handler.ts @@ -11,6 +11,7 @@ import * as Hapi from '@hapi/hapi' import { logger } from '@opencrvs/commons' import { Practitioner } from '@opencrvs/commons/types' +import { SCOPES } from '@opencrvs/commons/authentication' import { postUserActionToMetrics } from '@user-mgnt/features/changePhone/handler' import { createFhirPractitioner, @@ -70,7 +71,7 @@ export default async function updateUser( existingUser.role = user.role if (existingUser.primaryOfficeId !== user.primaryOfficeId) { - if (request.auth.credentials?.scope?.includes('natlsysadmin')) { + if (request.auth.credentials?.scope?.includes(SCOPES.CONFIG_UPDATE_ALL)) { existingUser.primaryOfficeId = user.primaryOfficeId } else { throw new Error('Location can be changed only by National System Admin')