Add revoke-user-user endpoint

packages/backend/src/routers/auth/revoke-user-user.js

@@ -0,0 +1,31 @@
+const APIError = require("../../api/APIError");
+const eggspress = require("../../api/eggspress");
+const { UserActorType } = require("../../services/auth/Actor");
+const { Context } = require("../../util/context");
+
+module.exports = eggspress('/auth/revoke-user-user', {
+    subdomain: 'api',
+    auth2: true,
+    allowedMethods: ['POST'],
+}, async (req, res, next) => {
+    const x = Context.get();
+    const svc_permission = x.get('services').get('permission');
+
+    // Only users can grant user-user permissions
+    const actor = Context.get('actor');
+    if ( ! (actor.type instanceof UserActorType) ) {
+        throw APIError.create('forbidden');
+    }
+
+    if ( ! req.body.target_username ) {
+        throw APIError.create('field_missing', null, { key: 'target_username' });
+    }
+
+    await svc_permission.revoke_user_user_permission(
+        actor, req.body.target_username, req.body.permission,
+        req.body.meta || {}
+    );
+
+    res.json({});
+});
+

packages/backend/src/services/PuterAPIService.js

@@ -31,7 +31,7 @@ class PuterAPIService extends BaseService {
         app.use(require('../routers/auth/grant-user-app'))
         app.use(require('../routers/auth/revoke-user-app'))
         app.use(require('../routers/auth/grant-user-user'));
-        // app.use(require('../routers/auth/revoke-user-user'));
+        app.use(require('../routers/auth/revoke-user-user'));
         app.use(require('../routers/auth/list-permissions'))
         app.use(require('../routers/auth/check-app'))
         app.use(require('../routers/auth/app-uid-from-origin'))

packages/backend/src/services/auth/PermissionService.js

@@ -526,6 +526,45 @@ class PermissionService extends BaseService {
         );
     }
 
+    async revoke_user_user_permission (actor, username, permission, meta) {
+        permission = await this._rewrite_permission(permission);
+
+        const user = await get_user({ username });
+        if ( ! user ) {
+            throw new Error('user not found');
+        }
+
+        console.log('revoking', user.id, actor.type.user.id, permission)
+
+        // DELETE permission
+        await this.db.write(
+            'DELETE FROM `user_to_user_permissions` ' +
+            'WHERE `holder_user_id` = ? AND `issuer_user_id` = ? AND `permission` = ?',
+            [
+                user.id,
+                actor.type.user.id,
+                permission,
+            ]
+        );
+
+        // INSERT audit table
+        await this.db.write(
+            'INSERT INTO `audit_user_to_user_permissions` (' +
+            '`holder_user_id`, `holder_user_id_keep`, `issuer_user_id`, `issuer_user_id_keep`, ' +
+            '`permission`, `action`, `reason`) ' +
+            'VALUES (?, ?, ?, ?, ?, ?, ?)',
+            [
+                user.id,
+                user.id,
+                actor.type.user.id,
+                actor.type.user.id,
+                permission,
+                'revoke',
+                meta?.reason || 'revoked via PermissionService',
+            ]
+        );
+    }
+
     get_parent_permissions (permission) {
         const parent_perms = [];
         {