Merge pull request #6729 from overleaf/jpa-cleanup-staff-access

[web] admin privilege does not imply staffAccess GitOrigin-RevId: 89760c7a9a8f0b0c82ebee40ca3236e9894ab9fa
2026-05-31 21:01:33 +02:00 · 2022-03-31 11:35:51 +01:00
parent ff2bf58a84
commit aa07f51fd9
3 changed files with 1 additions and 9 deletions
--- a/services/web/app/src/Features/Helpers/AuthorizationHelper.js
+++ b/services/web/app/src/Features/Helpers/AuthorizationHelper.js
@@ -1,14 +1,10 @@
 const { UserSchema } = require('../../models/User')
-const { hasAdminAccess } = require('./AdminAuthorizationHelper')

 module.exports = {
  hasAnyStaffAccess,
 }

 function hasAnyStaffAccess(user) {
-  if (hasAdminAccess(user)) {
-    return true
-  }
  if (!user.staffAccess) {
    return false
  }
--- a/services/web/app/src/Features/UserMembership/UserMembershipAuthorization.js
+++ b/services/web/app/src/Features/UserMembership/UserMembershipAuthorization.js
@@ -1,13 +1,9 @@
-const { hasAdminAccess } = require('../Helpers/AdminAuthorizationHelper')
 const UserMembershipAuthorization = {
  hasStaffAccess(requiredStaffAccess) {
    return req => {
      if (!req.user) {
        return false
      }
-      if (hasAdminAccess(req.user)) {
-        return true
-      }
      return (
        requiredStaffAccess &&
        req.user.staffAccess &&
--- a/services/web/test/unit/src/HelperFiles/AuthorizationHelperTests.js
+++ b/services/web/test/unit/src/HelperFiles/AuthorizationHelperTests.js
@@ -43,7 +43,7 @@ describe('AuthorizationHelper', function () {
    it('with admin user', function () {
      const user = { isAdmin: true }
      this.AdminAuthorizationHelper.hasAdminAccess.returns(true)
-      expect(this.AuthorizationHelper.hasAnyStaffAccess(user)).to.be.true
+      expect(this.AuthorizationHelper.hasAnyStaffAccess(user)).to.be.false
    })

    it('with staff user', function () {