tighten check for customers and billing

skadefro · skadefro · commit 85bfccf2bcf3 · 2021-06-14T00:06:59.000+02:00
diff --git a/OpenFlow/src/DatabaseConnection.ts b/OpenFlow/src/DatabaseConnection.ts
@@ -895,7 +895,9 @@ export class DatabaseConnection {
                     delete user2.customerid;
                 }
                 if (!NoderedUtil.IsNullEmpty(user2.customerid)) {
-                    if (!user.HasRoleName("customer admins") && !user.HasRoleName("admins")) throw new Error("Access denied (not admin) to customer with id " + user2.customerid);
+                    if (user2._type == "user") {
+                        if (!user.HasRoleName("customer admins") && !user.HasRoleName("admins")) throw new Error("Access denied (not admin) to customer with id " + user2.customerid);
+                    }
                     customer = await this.getbyid<Customer>(user2.customerid, "users", jwt, span)
                     if (customer == null) throw new Error("Access denied to customer with id " + user2.customerid);
                     // if (!user.HasRoleName(customer.name + " admins")) throw new Error("Access denied to customer with " + customer.name);
diff --git a/OpenFlow/src/Messages/Message.ts b/OpenFlow/src/Messages/Message.ts
@@ -3087,6 +3087,10 @@ export class Message {
                 user = await Config.db.getbyid(usage.userid, "users", jwt, span) as any;
                 if (user == null) throw new Error("Unknown usage or Access Denied (user)");
             }
+            const tuser = Crypt.verityToken(jwt);
+            if (!tuser.HasRoleName(customer.name + " admins") && !tuser.HasRoleName("admins")) {
+                throw new Error("Access denied, adding plan (admins)");
+            }
 
 
             if (!NoderedUtil.IsNullEmpty(usage.product.added_resourceid) && !NoderedUtil.IsNullEmpty(usage.product.added_stripeprice)) {
@@ -3199,6 +3203,10 @@ export class Message {
             if (NoderedUtil.IsNullUndefinded(customer)) throw new Error("Unknown customer or Access Denied");
             if (NoderedUtil.IsNullEmpty(customer.stripeid)) throw new Error("Customer has no billing information, please update with vattype and vatnumber");
 
+            const user = Crypt.verityToken(cli.jwt);
+            if (!user.HasRoleName(customer.name + " admins") && !user.HasRoleName("admins")) {
+                throw new Error("Access denied, getting invoice (admins)");
+            }
 
             let subscription: stripe_subscription;
             if (!NoderedUtil.IsNullEmpty(customer.subscriptionid)) {
@@ -3317,6 +3325,12 @@ export class Message {
             if (Config.stripe_force_vat && (NoderedUtil.IsNullEmpty(customer.vattype) || NoderedUtil.IsNullEmpty(customer.vatnumber))) {
                 throw new Error("Only business can buy, please fill out vattype and vatnumber");
             }
+
+            const tuser = Crypt.verityToken(jwt);
+            if (!tuser.HasRoleName(customer.name + " admins") && !tuser.HasRoleName("admins")) {
+                throw new Error("Access denied, adding plan (admins)");
+            }
+
             if (NoderedUtil.IsNullEmpty(customer.vattype)) customer.vattype = "";
             if (NoderedUtil.IsNullEmpty(customer.vatnumber)) customer.vatnumber = "";
             customer.vatnumber = customer.vatnumber.toUpperCase();
diff --git a/OpenFlowNodeRED/src/nodered/nodes/api.html b/OpenFlowNodeRED/src/nodered/nodes/api.html
@@ -727,7 +727,7 @@
         icon: "font-awesome/fa-trash",
         defaults: {
             name: { value: "" },
-            query: { value: "payload", validate: validate("querytype"), required: true },
+            query: { value: "query", validate: validate("querytype"), required: true },
             querytype: { value: "" },
             collection: { value: "entities", validate: validate("collectiontype"), required: true },
             collectiontype: { value: "" },
