auth0-extensions / auth0-delegated-administration-extension

This extension allows non-dashboard administrators to manage (a subset of) users.
https://auth0.com/docs/extensions/delegated-admin

Issue with showing current user devices #297

Open lRoberth opened 4 months ago

lRoberth commented 4 months ago

When trying to view the current devices from a specific user in the DA dashboard, an empty list will show: [screenshot]

While if going to the actual Auth0 Dashboard, the devices do show: [screenshot, 2024-06-17]

Currently running version 4.3.0. Can't find out whether it's a permissions issue or something related.

Every setting is on default, except logins are done through SSO and we're using the following Access Hook, which blacklists a set of roles depending on the role.

/*
Delegated Admin Allow Hook
Description:
    This code restricts a list of actions depending on the user role.
    By default, the code will restrict interactions with `change password, create user, delete user, block user` on all roles except administrator.
*/
function(ctx, callback){
    // Set this to true to make Administrator bypass the blacklist.
    var shouldAdminBypassRestrictions = true;

    var user = ctx.request.user;
    var action = ctx.payload.action;
    var userMetadata = user.app_metadata = user.app_metadata || {};
    var userRoles = userMetadata.roles || ['Delegated Admin - User'];

    // List of blacklisted actions per role.
    var role_blacklist = {
        "Delegated Admin - Administrator": [],
        "Delegated Admin - Operator": [
            'delete:user',
            'create:user'
        ],
        "Delegated Admin - User": [
            'delete:user',
            'change:password',
            'create:user'
        ],
        "Delegated Admin - Auditor": [
            'delete:user',
            'change:password',
            'create:user'
        ]
    };

    if(shouldAdminBypassRestrictions && userRoles.includes("Delegated Admin - Administrator")) {
        return callback();  // Allow execution immediately if the user is an administrator
    }

    // Loop through every role the user has
    for(var i = 0; i < userRoles.length; i++){
        var userRole = userRoles[i];

        // If the user role is in the list of blacklisted roles
        if(role_blacklist.hasOwnProperty(userRole)) {
            var blacklistedActions = role_blacklist[userRole];

            // Check if the action that is to be executed is blacklisted in the user role.
            if(blacklistedActions.includes(action)){
                return callback(new Error("You are not allowed to perform this action."));
            }
        }
    }

    return callback();
}
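One way to rule the hook in or out as the cause of a missing view is to exercise its decision logic offline with constructed contexts. The harness below is an added example, not code from the issue or from the extension: it reproduces the posted hook's logic as `allowHook`, builds hook contexts in the shape the hook reads (`ctx.request.user.app_metadata.roles` and `ctx.payload.action`), and reports which role/action pairs are denied. The role names and action strings are the ones in the posted hook; the `makeCtx`, `isAllowed`, `decisionMatrix` and `unknownRoles` helpers are assumptions of this example. It also surfaces a property of the posted logic worth knowing: a role name not present in the blacklist map (a typo, or a new role) gets no restrictions at all, because the `hasOwnProperty` check simply skips it.

```javascript
// Added example (not from the issue or the auth0-delegated-administration-extension project).
// Offline harness for the role/action blacklist logic of the posted Access Hook.

// Same table as the posted hook.
const ROLE_BLACKLIST = {
  "Delegated Admin - Administrator": [],
  "Delegated Admin - Operator": ["delete:user", "create:user"],
  "Delegated Admin - User": ["delete:user", "change:password", "create:user"],
  "Delegated Admin - Auditor": ["delete:user", "change:password", "create:user"],
};

// Reproduction of the posted hook's decision logic, in the same (ctx, callback) form.
function allowHook(ctx, callback) {
  const shouldAdminBypassRestrictions = true;
  const user = ctx.request.user;
  const action = ctx.payload.action;
  const userMetadata = user.app_metadata || {};
  const userRoles = userMetadata.roles || ["Delegated Admin - User"];

  if (shouldAdminBypassRestrictions && userRoles.includes("Delegated Admin - Administrator")) {
    return callback(); // administrator bypasses the blacklist entirely
  }
  for (const role of userRoles) {
    // Roles absent from the table are skipped, i.e. unrestricted (same as the posted hook).
    if (Object.prototype.hasOwnProperty.call(ROLE_BLACKLIST, role) &&
        ROLE_BLACKLIST[role].includes(action)) {
      return callback(new Error("You are not allowed to perform this action."));
    }
  }
  return callback();
}

// Constructed hook context (assumed shape: mirrors the fields the hook reads).
// Passing `roles` as undefined models a user with no app_metadata.roles set.
function makeCtx(roles, action) {
  return {
    request: { user: { app_metadata: roles ? { roles } : undefined } },
    payload: { action },
  };
}

// true if the hook calls back without an error, false if it denies the action.
function isAllowed(roles, action) {
  let allowed = null;
  allowHook(makeCtx(roles, action), (err) => { allowed = !err; });
  return allowed;
}

// Decision table: { roleLabel: { action: true|false } } for quick review.
function decisionMatrix(roleSets, actions) {
  const matrix = {};
  for (const roles of roleSets) {
    const label = roles ? roles.join("+") : "(no roles metadata)";
    matrix[label] = {};
    for (const action of actions) {
      matrix[label][action] = isAllowed(roles, action);
    }
  }
  return matrix;
}

// Audit helper: role names that the blacklist does not know about and therefore never restricts.
function unknownRoles(roles) {
  return roles.filter((r) => !Object.prototype.hasOwnProperty.call(ROLE_BLACKLIST, r));
}

// Usage: print the table for the actions the hook knows plus one it does not mention.
const ACTIONS = ["delete:user", "change:password", "create:user", "some:other-action"];
const ROLE_SETS = [
  ["Delegated Admin - Administrator"],
  ["Delegated Admin - Operator"],
  ["Delegated Admin - Auditor"],
  undefined,                       // defaults to "Delegated Admin - User"
  ["Delegated Admin - Reader"],    // constructed name, not in the table
];
console.table(decisionMatrix(ROLE_SETS, ACTIONS));
console.log("unrestricted (unknown) roles:", unknownRoles(["Delegated Admin - Reader"]));
```

Reading the table makes the point of the posted hook concrete: any action string that is not one of the three listed per role passes through, so a read-only view being empty is not something this blacklist explains; conversely, if `unknownRoles` reports anything for your real role names, those users are unrestricted, which is usually not what the hook's author intended.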