1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
# Description:
# Auth allows you to assign roles to users which can be used by other scripts
# to restrict access to Hubot commands
#
# Dependencies:
# None
#
# Configuration:
# HUBOT_AUTH_ADMIN - A comma separate list of user IDs
#
# Commands:
# hubot <user> has <role> role - Assigns a role to a user
# hubot <user> doesn't have <role> role - Removes a role from a user
# hubot what role does <user> have - Find out what roles are assigned to a specific user
# hubot who has admin role - Find out who's an admin and can assign roles
#
# Notes:
# * Call the method: robot.auth.hasRole(msg.envelope.user,'<role>')
# * returns bool true or false
#
# * the 'admin' role can only be assigned through the environment variable
# * roles are all transformed to lower case
#
# * The script assumes that user IDs will be unique on the service end as to
# correctly identify a user. Names were insecure as a user could impersonate
# a user
#
# Author:
# alexwilliamsca, tombell
module.exports = (robot) ->
unless process.env.HUBOT_AUTH_ADMIN?
robot.logger.warning 'The HUBOT_AUTH_ADMIN environment variable not set'
if process.env.HUBOT_AUTH_ADMIN?
admins = process.env.HUBOT_AUTH_ADMIN.split ','
else
admins = []
class Auth
hasRole: (user, roles) ->
user = robot.brain.userForId(user.id)
if user? and user.roles?
roles = [roles] if typeof roles is 'string'
for role in roles
return true if role in user.roles
return false
usersWithRole: (role) ->
users = []
for own key, user of robot.brain.data.users
if robot.auth.hasRole(msg.envelope.user, role)
users.push(user)
users
robot.auth = new Auth
robot.respond /@?(.+) (has) (["'\w: -_]+) (role)/i, (msg) ->
name = msg.match[1].trim()
newRole = msg.match[3].trim().toLowerCase()
unless name.toLowerCase() in ['', 'who', 'what', 'where', 'when', 'why']
user = robot.brain.userForName(name)
return msg.reply "#{name} does not exist" unless user?
user.roles or= []
if newRole in user.roles
msg.reply "#{name} already has the '#{newRole}' role."
else
if newRole is 'admin'
msg.reply "Sorry, the 'admin' role can only be defined in the HUBOT_AUTH_ADMIN env variable."
else
myRoles = msg.message.user.roles or []
if msg.message.user.id.toString() in admins
user.roles.push(newRole)
msg.reply "Ok, #{name} has the '#{newRole}' role."
robot.respond /@?(.+) (doesn't have|does not have) (["'\w: -_]+) (role)/i, (msg) ->
name = msg.match[1].trim()
newRole = msg.match[3].trim().toLowerCase()
unless name.toLowerCase() in ['', 'who', 'what', 'where', 'when', 'why']
user = robot.brain.userForName(name)
return msg.reply "#{name} does not exist" unless user?
user.roles or= []
if newRole is 'admin'
msg.reply "Sorry, the 'admin' role can only be removed from the HUBOT_AUTH_ADMIN env variable."
else
myRoles = msg.message.user.roles or []
if msg.message.user.id.toString() in admins
user.roles = (role for role in user.roles when role isnt newRole)
msg.reply "Ok, #{name} doesn't have the '#{newRole}' role."
robot.respond /(what role does|what roles does) @?(.+) (have)\?*$/i, (msg) ->
name = msg.match[2].trim()
user = robot.brain.userForName(name)
return msg.reply "#{name} does not exist" unless user?
user.roles or= []
displayRoles = user.roles
if user.id.toString() in admins
displayRoles.push('admin') unless 'admin' in user.roles
if displayRoles.length == 0
msg.reply "#{name} has no roles."
else
msg.reply "#{name} has the following roles: #{displayRoles.join(', ')}."
robot.respond /who has admin role\?*$/i, (msg) ->
adminNames = []
for admin in admins
user = robot.brain.userForId(admin)
unless robot.auth.hasRole(msg.envelope.user,'admin')
adminNames.push user.name if user?
if adminNames.length > 0
msg.reply "The following people have the 'admin' role: #{adminNames.join(', ')}"
else
msg.reply "There are no people that have the 'admin' role."
|
