
redirect on invite verification link

abhishek9686 1 năm trước cách đây
mục cha
commit
377c73f5ca
5 tập tin đã thay đổi với 44 bổ sung6 xóa
  1. 1 2
      controllers/user.go
  2. 6 1
      logic/auth.go
  3. 14 0
      logic/user_mgmt.go
  4. 8 3
      migrate/migrate.go
  5. 15 0
      models/user_mgmt.go

+ 1 - 2
controllers/user.go

@@ -1151,14 +1151,13 @@ func userInviteSignUp(w http.ResponseWriter, r *http.Request) {
 func userInviteVerify(w http.ResponseWriter, r *http.Request) {
 	email, _ := url.QueryUnescape(r.URL.Query().Get("email"))
 	code, _ := url.QueryUnescape(r.URL.Query().Get("code"))
-	logger.Log(0, "EMAIL", email, "CODE", code)
 	err := logic.ValidateAndApproveUserInvite(email, code)
 	if err != nil {
 		logger.Log(0, "failed to fetch users: ", err.Error())
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 		return
 	}
-	logic.ReturnSuccessResponse(w, r, "invite is valid")
+	http.Redirect(w, r, url.QueryEscape(fmt.Sprintf("%s/invite-signup?email=%s&code=%s", servercfg.GetFrontendURL(), email, code)), http.StatusPermanentRedirect)
 }
 
 // swagger:route POST /api/v1/users/invite user inviteUsers
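Review bot: The redirect target on the added `http.Redirect` line is passed through `url.QueryEscape` as a whole, which percent-encodes the scheme, slashes, `?`, `&` and `=` of the frontend URL, so the Location value is no longer an absolute URL and will most likely be resolved as a relative path on the API host. Meanwhile `email` and `code` are interpolated unescaped, so a `&`, `#` or `+` in either value changes the query the frontend receives. Escape the parameters, not the URL: `q := url.Values{"email": {email}, "code": {code}}` followed by `http.Redirect(w, r, servercfg.GetFrontendURL()+"/invite-signup?"+q.Encode(), http.StatusFound)`. A 308 is cacheable and tells clients the move is permanent, which does not fit a one-time invite link; 302 or 303 is the safer status here.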

+ 6 - 1
logic/auth.go

@@ -113,7 +113,12 @@ func CreateUser(user *models.User) error {
 	}
 	// set password to encrypted password
 	user.Password = string(hash)
-
+	if len(user.NetworkRoles) == 0 {
+		user.NetworkRoles = make(map[models.NetworkID]map[models.UserRole]struct{})
+	}
+	if len(user.UserGroups) == 0 {
+		user.UserGroups = make(map[models.UserGroupID]struct{})
+	}
 	tokenString, _ := CreateUserJWT(user.UserName, user.PlatformRoleID)
 	if tokenString == "" {
 		logger.Log(0, "failed to generate token", err.Error())
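Review bot: The error from `CreateUserJWT` is discarded, and the failure branch then calls `err.Error()` on an `err` declared earlier in `CreateUser`, outside this hunk. If that variable is nil at this point (it appears to belong to the password-hash step that already succeeded), the log call panics instead of reporting the token failure. Capture and test the error instead: `tokenString, err := CreateUserJWT(user.UserName, user.PlatformRoleID)` followed by `if err != nil || tokenString == "" {`, and log without dereferencing a nil error. The two added map initialisations are also repeated verbatim in `syncUsers` in `migrate/migrate.go`; one small helper would keep them in step.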

+ 14 - 0
logic/user_mgmt.go

@@ -104,6 +104,13 @@ func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
 	if err == nil {
 		return fmt.Errorf("role with id `%s` exists already", userRole.ID.String())
 	}
+	if len(userRole.NetworkLevelAccess) > 0 {
+		for rsrcType := range userRole.NetworkLevelAccess {
+			if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
+				return errors.New("invalid rsrc type " + rsrcType.String())
+			}
+		}
+	}
 	if userRole.NetworkID == "" {
 		return errors.New("only network roles are allowed to be created")
 	}
@@ -121,6 +128,13 @@ func ValidateUpdateRoleReq(userRole models.UserRolePermissionTemplate) error {
 	if roleInDB.Default {
 		return errors.New("cannot update default role")
 	}
+	if len(userRole.NetworkLevelAccess) > 0 {
+		for rsrcType := range userRole.NetworkLevelAccess {
+			if _, ok := models.RsrcTypeMap[rsrcType]; !ok {
+				return errors.New("invalid rsrc type " + rsrcType.String())
+			}
+		}
+	}
 	return nil
 }
 

+ 8 - 3
migrate/migrate.go

@@ -347,16 +347,21 @@ func syncUsers() {
 			if user.PlatformRoleID.String() != "" {
 				continue
 			}
+			if len(user.NetworkRoles) == 0 {
+				user.NetworkRoles = make(map[models.NetworkID]map[models.UserRole]struct{})
+			}
+			if len(user.UserGroups) == 0 {
+				user.UserGroups = make(map[models.UserGroupID]struct{})
+			}
 			if user.IsSuperAdmin {
 				user.PlatformRoleID = models.SuperAdminRole
-				logic.UpsertUser(user)
+
 			} else if user.IsAdmin {
 				user.PlatformRoleID = models.AdminRole
-				logic.UpsertUser(user)
 			} else {
 				user.PlatformRoleID = models.ServiceUser
-				logic.UpsertUser(user)
 			}
+			logic.UpsertUser(user)
 			if len(user.RemoteGwIDs) > 0 {
 				// define user roles for network
 				// assign relevant network role to user
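Review bot: The single `logic.UpsertUser(user)` call after the role branches drops whatever the call returns. If `UpsertUser` reports an error (its signature is not visible here), a failed write leaves the user without a platform role and the migration carries on silently to the gateway-role step. Check the result, log it and skip the user on failure, e.g. `if err := logic.UpsertUser(user); err != nil { /* log */ continue }`. The added blank line inside the `IsSuperAdmin` branch is a leftover and can go. `syncUsers` starts and ends outside this hunk.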

+ 15 - 0
models/user_mgmt.go

@@ -20,6 +20,21 @@ func (rid RsrcID) String() string {
 	return string(rid)
 }
 
+var RsrcTypeMap = map[RsrcType]struct{}{
+	HostRsrc:           {},
+	RelayRsrc:          {},
+	RemoteAccessGwRsrc: {},
+	ExtClientsRsrc:     {},
+	InetGwRsrc:         {},
+	EgressGwRsrc:       {},
+	NetworkRsrc:        {},
+	EnrollmentKeysRsrc: {},
+	UserRsrc:           {},
+	AclRsrc:            {},
+	DnsRsrc:            {},
+	FailOverRsrc:       {},
+}
+
 const (
 	HostRsrc           RsrcType = "hosts"
 	RelayRsrc          RsrcType = "relays"
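Review bot: `RsrcTypeMap` is an exported, mutable package variable with no doc comment, and it now serves as the allowlist for role validation. Any package can add or delete entries at run time, and a new `RsrcType` constant that is not also added here will be rejected by the validators. Add a comment such as `// RsrcTypeMap is the set of resource types accepted in role permission templates; keep it in sync with the RsrcType constants below.` and consider keeping the map unexported behind a `func IsValidRsrcType(t RsrcType) bool` accessor. The const block continues past the end of this hunk, so whether every declared constant is listed cannot be confirmed from here.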