|
|
|
@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
|
|
|
|
|
const StarshipClient = this.models.get('oauth:Client')
|
|
|
|
|
const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
|
|
|
|
|
|
|
|
|
|
// Make sure the user has IAM access before proceeding
|
|
|
|
|
const Application = this.models.get('Application')
|
|
|
|
|
const Policy = this.models.get('iam:Policy')
|
|
|
|
|
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
|
|
|
|
|
if ( !application ) {
|
|
|
|
|
this.output.warning('IAM Denial!')
|
|
|
|
|
return this.Vue.auth_message(res, {
|
|
|
|
|
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
|
|
|
|
next_destination: '/dash',
|
|
|
|
|
})
|
|
|
|
|
} else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
|
|
|
|
|
this.output.warning('IAM Denial!')
|
|
|
|
|
return this.Vue.auth_message(res, {
|
|
|
|
|
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
|
|
|
|
next_destination: '/dash',
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req.user.authorize(starship_client)
|
|
|
|
|
await req.user.save()
|
|
|
|
|
return super.authorize_post(req, res, next)
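Review bot: The `if ( !application )` branch builds its denial message from `application.name`, but `application` is falsy on that path, so a failed Application lookup throws a TypeError instead of rendering the no-access page; the identical branch is repeated in the second hunk (`-31,6 +49,24`). The throw happens before `req.user.authorize(starship_client)`, so the request still appears to fail closed, though how the framework surfaces the error is not visible here. That branch needs a label that exists when the lookup misses, for example `message: req.T('saml.no_access').replace('APP_NAME', 'this application'),` (placeholder wording). The new code also reads `starship_client.id` without checking that `findOne` matched, so an unknown or inactive client would presumably fail the same way; a guard such as `if ( !starship_client ) { /* deny */ }` before the Application lookup would make that denial explicit. The enclosing method starts and ends outside the hunk, and since both hunks add the same block, a single shared helper would keep the two access checks from drifting apart.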
|
|
|
|
@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
|
|
|
|
|
const StarshipClient = this.models.get('oauth:Client')
|
|
|
|
|
const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })
|
|
|
|
|
|
|
|
|
|
// Make sure the user has IAM access before proceeding
|
|
|
|
|
const Application = this.models.get('Application')
|
|
|
|
|
const Policy = this.models.get('iam:Policy')
|
|
|
|
|
const application = await Application.findOne({ oauth_client_ids: starship_client.id })
|
|
|
|
|
if ( !application ) {
|
|
|
|
|
this.output.warning('IAM Denial!')
|
|
|
|
|
return this.Vue.auth_message(res, {
|
|
|
|
|
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
|
|
|
|
next_destination: '/dash',
|
|
|
|
|
})
|
|
|
|
|
} else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
|
|
|
|
|
this.output.warning('IAM Denial!')
|
|
|
|
|
return this.Vue.auth_message(res, {
|
|
|
|
|
message: req.T('saml.no_access').replace('APP_NAME', application.name),
|
|
|
|
|
next_destination: '/dash',
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( req.user.has_authorized(starship_client) ) {
|
|
|
|
|
return this.Vue.invoke_action(res, {
|
|
|
|
|
text: 'Grant Access',
|
|
|
|
|