fix: use service account for internal user and fix root permissions

app/core/default-permissions.ts

@@ -5,7 +5,42 @@ export const admin = {
 		//        See the README.md for more information.
 		// @WARNING: This is currently unsupported, please be careful.
 		// { resource: 'apikey', action: 'create:any', attributes: '*' },
-		{ resource: 'software-versions', action: 'read:any', attributes: '*' }
+		{ resource: 'apikey', action: 'read:any', attributes: '*' },
+		{ resource: 'array', action: 'read:any', attributes: '*' },
+		{ resource: 'cpu', action: 'read:any', attributes: '*' },
+		{ resource: 'crash-reporting-enabled', action: 'read:any', attributes: '*' },
+		{ resource: 'device', action: 'read:any', attributes: '*' },
+		{ resource: 'device/unassigned', action: 'read:any', attributes: '*' },
+		{ resource: 'disk', action: 'read:any', attributes: '*' },
+		{ resource: 'disk/settings', action: 'read:any', attributes: '*' },
+		{ resource: 'display', action: 'read:any', attributes: '*' },
+		{ resource: 'docker/container', action: 'read:any', attributes: '*' },
+		{ resource: 'docker/network', action: 'read:any', attributes: '*' },
+		{ resource: 'flash', action: 'read:any', attributes: '*' },
+		{ resource: 'info', action: 'read:any', attributes: '*' },
+		{ resource: 'license-key', action: 'read:any', attributes: '*' },
+		{ resource: 'machine-id', action: 'read:any', attributes: '*' },
+		{ resource: 'memory', action: 'read:any', attributes: '*' },
+		{ resource: 'online', action: 'read:any', attributes: '*' },
+		{ resource: 'os', action: 'read:any', attributes: '*' },
+		{ resource: 'owner', action: 'read:any', attributes: '*' },
+		{ resource: 'parity-history', action: 'read:any', attributes: '*' },
+		{ resource: 'permission', action: 'read:any', attributes: '*' },
+		{ resource: 'plugin', action: 'read:any', attributes: '*' },
+		{ resource: 'registration', action: 'read:any', attributes: '*' },
+		{ resource: 'servers', action: 'read:any', attributes: '*' },
+		{ resource: 'service', action: 'read:any', attributes: '*' },
+		{ resource: 'service/emhttpd', action: 'read:any', attributes: '*' },
+		{ resource: 'service/unraid-api', action: 'read:any', attributes: '*' },
+		{ resource: 'services', action: 'read:any', attributes: '*' },
+		{ resource: 'share', action: 'read:any', attributes: '*' },
+		{ resource: 'software-versions', action: 'read:any', attributes: '*' },
+		{ resource: 'unraid-version', action: 'read:any', attributes: '*' },
+		{ resource: 'uptime', action: 'read:any', attributes: '*' },
+		{ resource: 'user', action: 'read:any', attributes: '*' },
+		{ resource: 'vars', action: 'read:any', attributes: '*' },
+		{ resource: 'vm/domain', action: 'read:any', attributes: '*' },
+		{ resource: 'vm/network', action: 'read:any', attributes: '*' }
 	]
 };
 
@@ -37,41 +72,18 @@ export const upc = {
 export const my_servers = {
 	extends: 'guest',
 	permissions: [
-		{ resource: 'apikey', action: 'read:any', attributes: '*' },
 		{ resource: 'array', action: 'read:any', attributes: '*' },
-		{ resource: 'cpu', action: 'read:any', attributes: '*' },
-		{ resource: 'crash-reporting-enabled', action: 'read:any', attributes: '*' },
-		{ resource: 'device', action: 'read:any', attributes: '*' },
-		{ resource: 'device/unassigned', action: 'read:any', attributes: '*' },
-		{ resource: 'disk', action: 'read:any', attributes: '*' },
-		{ resource: 'disk/settings', action: 'read:any', attributes: '*' },
 		{ resource: 'display', action: 'read:any', attributes: '*' },
 		{ resource: 'docker/container', action: 'read:any', attributes: '*' },
 		{ resource: 'docker/network', action: 'read:any', attributes: '*' },
-		{ resource: 'flash', action: 'read:any', attributes: '*' },
 		{ resource: 'info', action: 'read:any', attributes: '*' },
-		{ resource: 'license-key', action: 'read:any', attributes: '*' },
-		{ resource: 'machine-id', action: 'read:any', attributes: '*' },
-		{ resource: 'memory', action: 'read:any', attributes: '*' },
 		{ resource: 'online', action: 'read:any', attributes: '*' },
-		{ resource: 'os', action: 'read:any', attributes: '*' },
-		{ resource: 'owner', action: 'read:any', attributes: '*' },
-		{ resource: 'parity-history', action: 'read:any', attributes: '*' },
-		{ resource: 'permission', action: 'read:any', attributes: '*' },
-		{ resource: 'plugin', action: 'read:any', attributes: '*' },
-		{ resource: 'registration', action: 'read:any', attributes: '*' },
-		{ resource: 'servers', action: 'read:any', attributes: '*' },
 		{ resource: 'service', action: 'read:any', attributes: '*' },
 		{ resource: 'service/emhttpd', action: 'read:any', attributes: '*' },
 		{ resource: 'service/unraid-api', action: 'read:any', attributes: '*' },
 		{ resource: 'services', action: 'read:any', attributes: '*' },
-		{ resource: 'share', action: 'read:any', attributes: '*' },
-		{ resource: 'unraid-version', action: 'read:any', attributes: '*' },
 		{ resource: 'uptime', action: 'read:any', attributes: '*' },
-		{ resource: 'user', action: 'read:any', attributes: '*' },
-		{ resource: 'vars', action: 'read:any', attributes: '*' },
-		{ resource: 'vm/domain', action: 'read:any', attributes: '*' },
-		{ resource: 'vm/network', action: 'read:any', attributes: '*' }
+		{ resource: 'user', action: 'read:any', attributes: '*' }
 	]
 };
 

app/core/modules/info/get-app-count.ts

@@ -24,7 +24,7 @@ interface Result extends CoreResult {
 /**
  * Get count of docker containers
  */
-export const getAppCount = async function (context: Readonly<CoreContext>): Promise<Result> {
+export const getAppCount = async function (context: CoreContext): Promise<Result> {
 	const { user } = context;
 
 	// Check permissions

app/core/types/global.ts

@@ -26,7 +26,7 @@ export interface CoreContext {
  * Result object
  */
 export interface CoreResult {
-	json?: Record<string, unknown>;
+	json?: Record<string, unknown> | Array<Record<string, unknown>>;
 	text?: string;
 	html?: string;
 }

app/graphql/index.ts

@@ -20,6 +20,9 @@ import * as resolvers from './resolvers';
 import { wsHasConnected, wsHasDisconnected } from '../ws';
 import { MOTHERSHIP_RELAY_WS_LINK } from '../consts';
 import { isNodeError } from '../core/utils';
+import { User } from '../core/types';
+
+const internalServiceUser: User = { id: '-1', description: 'Internal service account', name: 'internal', role: 'admin', password: false };
 
 const baseTypes = [gql`
 	scalar JSON
@@ -334,20 +337,16 @@ const apiKeyToUser = async (apiKey: string) => {
 
 // Update array values when slots change
 bus.on('slots', async () => {
-	coreLogger.silly('slots updated: loading user');
-	// @todo: Create a system user for this
-	const user = usersState.findOne({ name: 'root' });
-
 	coreLogger.silly('slots updated: running getArray');
 	await run('array', 'UPDATED', {
 		moduleToRun: modules.getArray,
 		context: {
-			user
+			user: internalServiceUser
 		}
 	});
 });
 
-let hostname;
+let hostname: string;
 
 // Update info/hostname when hostname changes
 bus.on('var', async data => {
@@ -358,11 +357,6 @@ bus.on('var', async data => {
 
 	// Hostname changed
 	if (hostname !== data.var.node.name) {
-		const user = usersState.findOne({ name: 'root' });
-		if (!user) {
-			return;
-		}
-
 		// Update cache
 		hostname = data.var.node.name;
 
@@ -384,17 +378,11 @@ dee.on('*', async (data: { Type: string }) => {
 		return;
 	}
 
-	// @todo: Create a system user for this
-	const user = usersState.findOne({ name: 'root' });
-
-	if (user) {
-		const { json } = await modules.getAppCount({
-			user
-		});
-		await publish('info', 'UPDATED', {
-			apps: json
-		});
-	}
+	const user: User = { id: '-1', description: 'Internal service account', name: 'internal', role: 'admin', password: false };
+	const { json } = await modules.getAppCount({ user });
+	await publish('info', 'UPDATED', {
+		apps: json
+	});
 });
 
 dee.listen();
@@ -403,7 +391,7 @@ dee.listen();
 run('uptime', 'UPDATED', {
 	moduleToRun: modules.getUptime,
 	context: {
-		user: usersState.findOne({ name: 'root' })
+		user: internalServiceUser
 	},
 	loop: Infinity
 }).catch((error: unknown) => {
@@ -414,7 +402,7 @@ run('uptime', 'UPDATED', {
 run('services', 'UPDATED', {
 	moduleToRun: modules.getServices,
 	context: {
-		user: usersState.findOne({ name: 'root' })
+		user: internalServiceUser
 	},
 	loop: Infinity
 }).catch((error: unknown) => {

app/run.ts

@@ -70,7 +70,7 @@ export const run = async (channel: string, mutation: string, options: RunOptions
 		coreLogger.silly(`run:${moduleToRun.name} %j`, result.json);
 
 		// Save result
-		await publish(channel, mutation, result.json);
+		await publish(channel, mutation, result.json as any);
 
 		// Bail as we're done looping
 		if (!loop || loop === 0) {