diff --git a/app/config/roles.php b/app/config/roles.php
index 6d09141f7..2aaee563c 100644
--- a/app/config/roles.php
+++ b/app/config/roles.php
@@ -8,8 +8,9 @@ $member = [
 'home',
 'console',
 'graphql',
- 'sessions',
- 'account',
+ 'sessions.write',
+ 'accounts.read',
+ 'accounts.write',
 'teams.read',
 'teams.write',
 'documents.read',
@@ -32,7 +33,7 @@ $member = [
 $admins = [
 'global',
 'graphql',
- 'sessions',
+ 'sessions.write',
 'teams.read',
 'teams.write',
 'documents.read',
@@ -87,7 +88,7 @@ return [
 'home',
 'console',
 'graphql',
- 'sessions',
+ 'sessions.write',
 'documents.read',
 'documents.write',
 'files.read',
diff --git a/app/config/scopes.php b/app/config/scopes.php
index 684b8591b..f6b857091 100644
--- a/app/config/scopes.php
+++ b/app/config/scopes.php
@@ -1,11 +1,14 @@ [
- 'description' => 'Access to make actions on behalf of a user account',
+ 'accounts.read' => [
+ 'description' => 'Access to read your active user account',
 ],
- 'sessions' => [
- 'description' => 'Access to create new user sessions',
+ 'accounts.write' => [
+ 'description' => 'Access to create, update, and delete your active user account',
+ ],
+ 'sessions.write' => [
+ 'description' => 'Access to create, update, and delete user sessions',
 ],
 'users.read' => [
 'description' => 'Access to read your project\'s users',
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index a7f9bac4e..62da62f63 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -55,7 +55,7 @@ App::post('/v1/account')
 ->desc('Create account')
 ->groups(['api', 'account', 'auth'])
 ->label('event', 'users.[userId].create')
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'emailPassword')
 ->label('audits.event', 'user.create')
 ->label('audits.resource', 'user/{response.$id}')
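Review bot: The new scope descriptions in scopes.php do not match how the scopes are applied in account.php: `accounts.write` is described as covering "create" of the account, yet `POST /v1/account` (the -55 hunk on this line) is labelled `sessions.write`, and `sessions.write` is described as covering "update, and delete" of sessions, while `DELETE /v1/account/sessions/:sessionId`, `PATCH /v1/account/sessions/:sessionId` and `DELETE /v1/account/sessions` (the -2330, -2406 and -2492 hunks) are labelled `accounts.write`. These descriptions are what an operator reads when granting an API key a scope, so an over-claiming text invites granting more than intended and an under-claiming one hides that `accounts.write` can terminate sessions. Either retag those routes or narrow the text, e.g. `'description' => 'Access to create user sessions and tokens (sign-up, sign-in, recovery)'` for `sessions.write` and `'description' => 'Access to update and delete your active user account and its sessions'` for `accounts.write`. The third roles.php hunk here (inside `return [`, presumably the guest role) also receives `sessions.write`, so whatever that description says is what a guest-level grant advertises.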
@@ -186,7 +186,7 @@ App::post('/v1/account/sessions/email')
 ->desc('Create email password session')
 ->groups(['api', 'account', 'auth', 'session'])
 ->label('event', 'users.[userId].sessions.[sessionId].create')
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'emailPassword')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -310,7 +310,7 @@ App::get('/v1/account/sessions/oauth2/:provider')
 ->desc('Create OAuth2 session')
 ->groups(['api', 'account'])
 ->label('error', __DIR__ . '/../../views/general/error.phtml')
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('sdk.auth', [])
 ->label('sdk.hideServer', true)
 ->label('sdk.namespace', 'account')
@@ -877,7 +877,7 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
 App::get('/v1/account/identities')
 ->desc('List Identities')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.read')
 ->label('usage.metric', 'users.{scope}.requests.read')
 ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_JWT])
 ->label('sdk.namespace', 'account')
@@ -928,7 +928,7 @@ App::get('/v1/account/identities')
 App::delete('/v1/account/identities/:identityId')
 ->desc('Delete identity')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('event', 'users.[userId].identities.[identityId].delete')
 ->label('audits.event', 'identity.delete')
 ->label('audits.resource', 'identity/{request.$identityId}')
@@ -966,7 +966,7 @@ App::post('/v1/account/tokens/magic-url')
 ->alias('/v1/account/sessions/magic-url')
 ->desc('Create magic URL token')
 ->groups(['api', 'account'])
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'magic-url')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1306,7 +1306,7 @@ App::put('/v1/account/sessions/magic-url')
 ->desc('Create session (deprecated)')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
 ->groups(['api', 'account'])
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'token')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1337,7 +1337,7 @@ App::post('/v1/account/sessions/token')
 ->desc('Create session')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
 ->groups(['api', 'account'])
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'token')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1368,7 +1368,7 @@ App::post('/v1/account/tokens/phone')
 ->alias('/v1/account/sessions/phone')
 ->desc('Create phone token')
 ->groups(['api', 'account'])
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'phone')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1534,7 +1534,7 @@ App::post('/v1/account/sessions/anonymous')
 ->desc('Create anonymous session')
 ->groups(['api', 'account', 'auth', 'session'])
 ->label('event', 'users.[userId].sessions.[sessionId].create')
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('auth.type', 'anonymous')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1674,7 +1674,7 @@ App::post('/v1/account/sessions/anonymous')
 App::post('/v1/account/jwt')
 ->desc('Create JWT')
 ->groups(['api', 'account', 'auth'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('auth.type', 'jwt')
 ->label('sdk.auth', [])
 ->label('sdk.namespace', 'account')
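Review bot: `POST /v1/account/jwt` (the -1674 hunk) is the one credential-issuing route on this line labelled `accounts.write`, while every other session or token creation route in the commit (`/v1/account/sessions/*`, `/v1/account/tokens/*`) moved to `sessions.write`. A JWT is a bearer credential, so any role or key holding `accounts.write` for profile updates can also mint one; if that is not intended, `->label('scope', 'sessions.write')` would keep credential issuance under a single scope that roles.php already grants. If `accounts.write` is deliberate, a one-line comment above the route stating why JWT issuance is grouped with account writes would spare the next reader the same question. The route's handler body lies outside the hunk.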
@@ -1796,7 +1796,7 @@ App::post('/v1/account/targets/push')
 App::get('/v1/account')
 ->desc('Get account')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.read')
 ->label('usage.metric', 'users.{scope}.requests.read')
 ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_JWT])
 ->label('sdk.namespace', 'account')
@@ -1817,7 +1817,7 @@ App::get('/v1/account')
 App::get('/v1/account/prefs')
 ->desc('Get account preferences')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.read')
 ->label('usage.metric', 'users.{scope}.requests.read')
 ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_JWT])
 ->label('sdk.namespace', 'account')
@@ -1840,7 +1840,7 @@ App::get('/v1/account/prefs')
 App::get('/v1/account/sessions')
 ->desc('List sessions')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.read')
 ->label('usage.metric', 'users.{scope}.requests.read')
 ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_JWT])
 ->label('sdk.namespace', 'account')
@@ -1879,7 +1879,7 @@ App::get('/v1/account/sessions')
 App::get('/v1/account/logs')
 ->desc('List logs')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.read')
 ->label('usage.metric', 'users.{scope}.requests.read')
 ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_JWT])
 ->label('sdk.namespace', 'account')
@@ -1940,7 +1940,7 @@ App::get('/v1/account/logs')
 App::get('/v1/account/sessions/:sessionId')
 ->desc('Get session')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.read')
 ->label('usage.metric', 'users.{scope}.requests.read')
 ->label('sdk.auth', [APP_AUTH_TYPE_SESSION, APP_AUTH_TYPE_JWT])
 ->label('sdk.namespace', 'account')
@@ -1986,7 +1986,7 @@ App::patch('/v1/account/name')
 ->desc('Update name')
 ->groups(['api', 'account'])
 ->label('event', 'users.[userId].update.name')
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('audits.event', 'user.update')
 ->label('audits.resource', 'user/{response.$id}')
 ->label('usage.metric', 'users.{scope}.requests.update')
@@ -2020,7 +2020,7 @@ App::patch('/v1/account/password')
 ->desc('Update password')
 ->groups(['api', 'account'])
 ->label('event', 'users.[userId].update.password')
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('audits.event', 'user.update')
 ->label('audits.resource', 'user/{response.$id}')
 ->label('audits.userId', '{response.$id}')
@@ -2087,7 +2087,7 @@ App::patch('/v1/account/email')
 ->desc('Update email')
 ->groups(['api', 'account'])
 ->label('event', 'users.[userId].update.email')
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('audits.event', 'user.update')
 ->label('audits.resource', 'user/{response.$id}')
 ->label('usage.metric', 'users.{scope}.requests.update')
@@ -2175,7 +2175,7 @@ App::patch('/v1/account/phone')
 ->desc('Update phone')
 ->groups(['api', 'account'])
 ->label('event', 'users.[userId].update.phone')
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('audits.event', 'user.update')
 ->label('audits.resource', 'user/{response.$id}')
 ->label('usage.metric', 'users.{scope}.requests.update')
@@ -2253,7 +2253,7 @@ App::patch('/v1/account/prefs')
 ->desc('Update preferences')
 ->groups(['api', 'account'])
 ->label('event', 'users.[userId].update.prefs')
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('audits.event', 'user.update')
 ->label('audits.resource', 'user/{response.$id}')
 ->label('usage.metric', 'users.{scope}.requests.update')
@@ -2287,7 +2287,7 @@ App::patch('/v1/account/status')
 ->desc('Update status')
 ->groups(['api', 'account'])
 ->label('event', 'users.[userId].update.status')
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('audits.event', 'user.update')
 ->label('audits.resource', 'user/{response.$id}')
 ->label('usage.metric', 'users.{scope}.requests.delete')
@@ -2330,7 +2330,7 @@ App::patch('/v1/account/status')
 App::delete('/v1/account/sessions/:sessionId')
 ->desc('Delete session')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('event', 'users.[userId].sessions.[sessionId].delete')
 ->label('audits.event', 'session.delete')
 ->label('audits.resource', 'user/{user.$id}')
@@ -2406,7 +2406,7 @@ App::delete('/v1/account/sessions/:sessionId')
 App::patch('/v1/account/sessions/:sessionId')
 ->desc('Update OAuth session (refresh tokens)')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('event', 'users.[userId].sessions.[sessionId].update')
 ->label('audits.event', 'session.update')
 ->label('audits.resource', 'user/{response.userId}')
@@ -2492,7 +2492,7 @@ App::patch('/v1/account/sessions/:sessionId')
 App::delete('/v1/account/sessions')
 ->desc('Delete sessions')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('event', 'users.[userId].sessions.[sessionId].delete')
 ->label('audits.event', 'session.delete')
 ->label('audits.resource', 'user/{user.$id}')
@@ -2553,7 +2553,7 @@ App::delete('/v1/account/sessions')
 App::post('/v1/account/recovery')
 ->desc('Create password recovery')
 ->groups(['api', 'account'])
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('event', 'users.[userId].recovery.[tokenId].create')
 ->label('audits.event', 'recovery.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -2731,7 +2731,7 @@ App::post('/v1/account/recovery')
 App::put('/v1/account/recovery')
 ->desc('Create password recovery (confirmation)')
 ->groups(['api', 'account'])
- ->label('scope', 'sessions')
+ ->label('scope', 'sessions.write')
 ->label('event', 'users.[userId].recovery.[tokenId].update')
 ->label('audits.event', 'recovery.update')
 ->label('audits.resource', 'user/{response.userId}')
@@ -2814,7 +2814,7 @@ App::put('/v1/account/recovery')
 App::post('/v1/account/verification')
 ->desc('Create email verification')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('event', 'users.[userId].verification.[tokenId].create')
 ->label('audits.event', 'verification.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -3036,7 +3036,7 @@ App::put('/v1/account/verification')
 App::post('/v1/account/verification/phone')
 ->desc('Create phone verification')
 ->groups(['api', 'account'])
- ->label('scope', 'account')
+ ->label('scope', 'accounts.write')
 ->label('event', 'users.[userId].verification.[tokenId].create')
 ->label('audits.event', 'verification.create')
 ->label('audits.resource', 'user/{response.userId}')
diff --git a/tests/e2e/Scopes/ProjectCustom.php b/tests/e2e/Scopes/ProjectCustom.php
index b5aa7edd6..6d44d535c 100644
--- a/tests/e2e/Scopes/ProjectCustom.php
+++ b/tests/e2e/Scopes/ProjectCustom.php
@@ -83,8 +83,9 @@ trait ProjectCustom
 'health.read',
 'rules.read',
 'rules.write',
- 'sessions',
- 'account',
+ 'sessions.write',
+ 'accounts.write',
+ 'accounts.read',
 'targets.read',
 'targets.write',
 'providers.read',
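Review bot: Granting the e2e key both `accounts.read` and `accounts.write` in the ProjectCustom hunk means the suite cannot detect a read-only account route that accidentally requires `accounts.write`, or a write route that only requires `accounts.read`, so the read/write split this commit introduces goes untested. A second fixture key holding only `accounts.read` that calls `GET /v1/account` and `GET /v1/account/sessions` successfully and is refused by `PATCH /v1/account/name` would pin the boundary. The list order `accounts.write`, `accounts.read` also differs from roles.php, which lists read before write; aligning it is cosmetic but eases grepping. The rest of the trait's scope list lies outside the hunk.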