import {and, not, or} from 'graphql-shield'
import type {ShieldRule} from 'graphql-shield/dist/types'
import {Resolvers} from './resolverTypes'
import getTeamIdFromArgTemplateId from './rules/getTeamIdFromArgTemplateId'
import isAuthenticated from './rules/isAuthenticated'
import isEnvVarTrue from './rules/isEnvVarTrue'
import {isOrgTier} from './rules/isOrgTier'
import isSuperUser from './rules/isSuperUser'
import isUserViewer from './rules/isUserViewer'
import {isViewerBillingLeader} from './rules/isViewerBillingLeader'
import {isViewerOnOrg} from './rules/isViewerOnOrg'
import isViewerOnTeam from './rules/isViewerOnTeam'
import {isViewerTeamLead} from './rules/isViewerTeamLead'
import rateLimit from './rules/rateLimit'
/** A field map that applies one rule to every field that has no entry of its own. */
type Wildcard = {
  '*': ShieldRule
}

/**
 * Rules for the fields of one resolver type `T`: either a single wildcard or
 * one rule per field. Written as a mapped type over `keyof T` (rather than
 * `Record`) so that the field modifiers of `T` carry over; the partial maps
 * below (e.g. Organization listing only `saml`) presumably rely on `T`'s
 * fields being optional — confirm against resolverTypes.
 * NOTE(review): a field-specific entry replaces the wildcard rather than
 * combining with it (see the acceptTeamInvitation comment in the map), so
 * every explicit entry must carry its own authentication check.
 */
type FieldMap<T> =
  | Wildcard
  | {
      [P in keyof T]: ShieldRule
    }

/** An optional FieldMap for each resolver type name in `T` (Query, Mutation, …). */
export type PermissionMap<T> = {
  [P in keyof T]?: FieldMap<T[P]>
}
/** Throttle applied to the credential-based login and sign-up entry points. */
const loginThrottle = () => rateLimit({perMinute: 50, perHour: 500})

/** Tighter throttle for mutations driven by an invitation or verification token. */
const tokenThrottle = () => rateLimit({perMinute: 50, perHour: 100})

/**
 * Rule for an authentication entry point: blocked entirely while its
 * kill-switch environment variable is set to true, otherwise throttled.
 */
const authEntryPoint = (disableFlag: Parameters<typeof isEnvVarTrue>[0]) =>
  and(not(isEnvVarTrue(disableFlag)), loginThrottle())

/**
 * graphql-shield rule map for the schema, keyed by type name and then by field.
 *
 * The `'*'` entry only covers fields that have no entry of their own: a
 * field-specific rule REPLACES the wildcard instead of being combined with it.
 * Consequently every named Mutation/Query entry below is reachable without the
 * `isAuthenticated` check unless the rule listed for it establishes identity
 * itself, and an entry that is merely rate-limited is callable with no session.
 */
const permissionMap: PermissionMap<Resolvers> = {
  Mutation: {
    '*': isAuthenticated,

    // --- Entries reachable without a session (throttle only) ---
    // acceptTeamInvitation has special cases handled inside the resolver, so it
    // is deliberately not placed behind isAuthenticated here.
    acceptTeamInvitation: tokenThrottle(),
    // Each login / sign-up flow can be switched off via its env var.
    loginWithGoogle: authEntryPoint('AUTH_GOOGLE_DISABLED'),
    loginWithMicrosoft: authEntryPoint('AUTH_MICROSOFT_DISABLED'),
    signUpWithPassword: authEntryPoint('AUTH_INTERNAL_DISABLED'),
    loginWithPassword: authEntryPoint('AUTH_INTERNAL_DISABLED'),
    // NOTE(review): only throttled, so callable with no session — presumably the
    // verification token itself is the credential; confirm in the resolver.
    verifyEmail: tokenThrottle(),

    // --- Privileged entries; each rule is expected to establish identity itself ---
    createImposterToken: isSuperUser,
    addApprovedOrganizationDomains: or(
      isSuperUser,
      and(
        isViewerBillingLeader<'Mutation.addApprovedOrganizationDomains'>('args.orgId'),
        isOrgTier<'Mutation.addApprovedOrganizationDomains'>('args.orgId', 'enterprise')
      )
    ),
    // Removal carries no tier requirement, unlike add — presumably so an org that
    // left the enterprise tier can still clean up its domains; confirm.
    removeApprovedOrganizationDomains: or(
      isSuperUser,
      isViewerBillingLeader<'Mutation.removeApprovedOrganizationDomains'>('args.orgId')
    ),
    // NOTE(review): writing IdP metadata needs only org membership, whereas
    // reading Organization.saml needs billing leader + enterprise tier — confirm
    // that asymmetry is intended.
    uploadIdPMetadata: isViewerOnOrg<'Mutation.uploadIdPMetadata'>('args.orgId'),
    updateTemplateCategory: isViewerOnTeam(getTeamIdFromArgTemplateId),
    generateInsight: or(isSuperUser, isViewerTeamLead('args.teamId'))
  },
  Query: {
    '*': isAuthenticated,
    // Both queries below are session-less (throttle only); demo data is kept tight.
    getDemoEntities: rateLimit({perMinute: 5, perHour: 50}),
    SAMLIdP: rateLimit({perMinute: 120, perHour: 3600})
  },
  Organization: {
    // SAML settings resolve only for a billing leader of an enterprise-tier org.
    saml: and(
      isViewerBillingLeader<'Organization.saml'>('source.id'),
      isOrgTier<'Organization.saml'>('source.id', 'enterprise')
    )
  },
  RetroReflectionGroup: {
    // Internal fields, exposed to super users only.
    smartTitle: isSuperUser,
    voterIds: isSuperUser
  },
  User: {
    // A user's domains resolve only for that user or a super user.
    domains: or(isSuperUser, isUserViewer)
  }
}

export default permissionMap