Allow specific group to create Login tokens (#7424)

2025-11-28 13:09:07 -05:00 · 2025-11-24 20:39:13 +01:00
parent fa96d666cc
commit 5ab4d70e10
3 changed files with 3 additions and 3 deletions
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -1784,7 +1784,7 @@
                  "array"
                ],
                "default": true,
-                "description": "Allows users to create alternative username/passwords for their account. Set to false to disallow all users, or set to a userid array to only allow some users."
+                "description": "Allows users to create alternative username/passwords for their account. Set to false to disallow all users, or set to a userid array or to a groupid array to only allow some users."
              },
              "twoFactorTimeout": {
                "type": "integer",
--- a/meshuser.js
+++ b/meshuser.js
@@ -5063,7 +5063,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                if (req.session.loginToken != null) { err = "Access denied"; } // Do not allow this command when logged in using a login token
                else if ((typeof domain.passwordrequirements == 'object') && (domain.passwordrequirements.logintokens === false)) { err = "Not supported"; } // Login tokens are not supported on this server
-                else if ((typeof domain.passwordrequirements == 'object') && Array.isArray(domain.passwordrequirements.logintokens) && (domain.passwordrequirements.logintokens.indexOf(user._id) < 0)) { err = "Not supported"; } // Login tokens are not supported by this user
+                else if ((typeof domain.passwordrequirements == 'object') && Array.isArray(domain.passwordrequirements.logintokens) && ((domain.passwordrequirements.logintokens.indexOf(user._id) < 0) && (user.links && Object.keys(user.links).some(key => domain.passwordrequirements.logintokens.indexOf(key) < 0)))) { err = "Not supported"; } // Login tokens are not supported by this user
                else if (common.validateString(command.name, 1, 100) == false) { err = "Invalid name"; } // Check name
                else if ((typeof command.expire != 'number') || (command.expire < 0)) { err = "Invalid expire value"; } // Check expire
--- a/webserver.js
+++ b/webserver.js
@@ -3369,7 +3369,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
        if (((obj.args.noagentupdate == 1) || (obj.args.noagentupdate == true))) { features2 += 0x00000010; } // No agent update
        if (parent.amtProvisioningServer != null) { features2 += 0x00000020; } // Intel AMT LAN provisioning server
        if (((typeof domain.passwordrequirements != 'object') || (domain.passwordrequirements.push2factor != false)) && (obj.parent.firebase != null)) { features2 += 0x00000040; } // Indicates device push notification 2FA is enabled
-        if ((typeof domain.passwordrequirements != 'object') || ((domain.passwordrequirements.logintokens !== false) && ((Array.isArray(domain.passwordrequirements.logintokens) == false) || (domain.passwordrequirements.logintokens.indexOf(user._id) >= 0)))) { features2 += 0x00000080; } // Indicates login tokens are allowed
+        if ((typeof domain.passwordrequirements != 'object') || ((domain.passwordrequirements.logintokens !== false) && ((Array.isArray(domain.passwordrequirements.logintokens) == false) || ((domain.passwordrequirements.logintokens.indexOf(user._id) >= 0) || (user.links && Object.keys(user.links).some(key => domain.passwordrequirements.logintokens.indexOf(key) >= 0)) )))) { features2 += 0x00000080; } // Indicates login tokens are allowed
        if (req.session.loginToken != null) { features2 += 0x00000100; } // LoginToken mode, no account changes.
        if (domain.ssh == true) { features2 += 0x00000200; } // SSH is enabled
        if (domain.localsessionrecording === false) { features2 += 0x00000400; } // Disable local recording feature