Added new privilege for changing passwords.

changelog.md

@@ -10,6 +10,7 @@ Changelog
   covers these new ones.
 * It wasn't possible to see a full principal even if a user had
   `a12n:principal:list` privilege.
+* Added new privilege for changing passwords: `a12n:user:change-password`.
 
 
 0.24.0 (2023-11-09)

src/migrations/20231121134632_new_privileges.ts

@@ -0,0 +1,17 @@
+import { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex('privileges')
+    .insert({privilege: 'a12n:user:change-password', description: 'Allow changing a users\' password.'});
+
+}
+
+
+export async function down(knex: Knex): Promise<void> {
+
+  await knex('privileges')
+    .delete()
+    .whereIn('privileges', ['a12n:user:change-password']);
+
+}
+

src/privilege/types.ts

@@ -22,4 +22,4 @@ export type InternalPrivilege =
   | 'a12n:principals:update'
   | 'a12n:one-time-token:generate'
   | 'a12n:one-time-token:exchange'
-
+  | 'a12n:user:change-password';

src/user/controller/password.ts

@@ -2,17 +2,25 @@ import Controller from '@curveball/controller';
 import { Context } from '@curveball/core';
 import { PrincipalService } from '../../principal/service';
 import * as userService from '../service';
+import { UnprocessableEntity } from '@curveball/http-errors';
 
 class UserPasswordController extends Controller {
 
   async put(ctx: Context) {
 
-    ctx.privileges.require('admin');
-
     const userBody: any = ctx.request.body;
     const principalService = new PrincipalService(ctx.privileges);
     const user = await principalService.findByExternalId(ctx.params.id, 'user');
 
+    ctx.privileges.require('a12n:user:change-password', user.href);
+
+    if (!userBody.newPassword || typeof userBody.newPassword !== 'string') {
+      throw new UnprocessableEntity('The "newPassword" property is required.');
+    }
+    if (userBody.newPassword.length < 8) {
+      throw new UnprocessableEntity('Passwords must be at least 8 characters.');
+    }
+
     const password = userBody.newPassword;
 
     await userService.updatePassword(user, password);

src/user/controller/privileges.ts

@@ -5,7 +5,6 @@ import * as privilegeService from '../../privilege/service';
 import { PrivilegeMap } from '../../privilege/types';
 import * as hal from '../formats/hal';
 import { PrincipalService } from '../../principal/service';
-// import * as groupService from '../../group/service';
 
 type PolicyForm = {
   policyBody: string;

src/user/formats/hal.ts

@@ -85,7 +85,7 @@ export function item(user: User, privileges: PrivilegeMap, hasControl: boolean,
       title: 'App Permissions',
     };
   }
-  if (currentUserPrivileges.has('admin')) {
+  if (currentUserPrivileges.has('a12n:user:change-password', user.href)) {
     hal._links['password'] = {
       href: `${user.href}/password`,
       title: 'Change user\'s password',