From 33ac5bc783bef31d8cbbfc64aff06c1d22f8d94a Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Wed, 9 Sep 2020 16:17:00 -0700
Subject: [PATCH] Fixed users that manage all device groups.

---
 webserver.js | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/webserver.js b/webserver.js
index 8a0d2552..ff4a1f55 100644
--- a/webserver.js
+++ b/webserver.js
@@ -5606,7 +5606,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // Perform user pre-validation
 if ((user == null) || (nodeid == null)) { func(null, 0, false); return; } // Invalid user
 if (typeof user == 'string') { user = obj.users[user]; }
- if ((user == null) || (user.links == null)) { func(null, 0, false); return; } // No rights
+ if (user == null) { func(null, 0, false); return; } // No rights

 // Perform node pre-validation
 if (obj.common.validateString(nodeid, 0, 128) == false) { func(null, 0, false); return; } // Invalid nodeid
@@ -5623,6 +5623,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 func(nodes[0], 0xFFFFFFFF, true); return;
 }

+ // If no links, stop here.
+ if (user.links == null) { func(null, 0, false); return; }
+
 // Check device link
 var rights = 0, visible = false, r = user.links[nodeid];
 if (r != null) {
@@ -5668,7 +5671,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // Returns a list of all meshes that this user has some rights too
 obj.GetAllMeshWithRights = function (user, rights) {
 if (typeof user == 'string') { user = obj.users[user]; }
- if ((user == null) || (user.links == null)) { return []; }
+ if (user == null) { return []; }

 var r = [];
 if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0)) {
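Review bot: In the hunk at `@@ -5623,6 +5623,9 @@`, the full-rights return `func(nodes[0], 0xFFFFFFFF, true)` is now reachable by an account that has no links, and the condition guarding it starts above the hunk, so the patch does not show whether it is limited to the user's own domain. The mesh-level checks patched later both require `meshid.startsWith('mesh/' + user.domain + '/')`; confirm the node path applies an equivalent domain test to the node before it grants `0xFFFFFFFF`. The lines between the pre-validation hunk and this one are also outside the patch, so check that none of them reads `user.links`, which may now be null there.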
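Review bot: In the hunk at `@@ -5668,7 +5671,7 @@`, `parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0` is the whole manage-all authorization test in `obj.GetAllMeshWithRights`, and after this patch it is evaluated for full site admins that have no links as well. The same expression appears in `obj.GetAllMeshIdWithRights` and in the two later checks that return `0xFFFFFFFF` and `true`. `indexOf` throws if the setting is undefined and does substring matching if it is a string, so unless the configuration loader (not shown here) always normalises it to an array, the test is safer as `Array.isArray(list) && list.includes(user._id)`, where `list` stands for the setting. Moving the predicate into one shared helper would also keep the copies from drifting apart; the function body continues outside the hunk.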
@@ -5677,6 +5680,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 for (var i in obj.meshes) { if ((obj.meshes[i]._id.startsWith(meshStartStr)) && (obj.meshes[i].deleted == null)) { r.push(obj.meshes[i]); } }
 return r;
 }
+ if (user.links == null) { return []; }
 for (var i in user.links) {
 if (i.startsWith('mesh/')) {
 // Grant access to a device group thru a direct link
@@ -5705,7 +5709,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // Returns a list of all mesh id's that this user has some rights too
 obj.GetAllMeshIdWithRights = function (user, rights) {
 if (typeof user == 'string') { user = obj.users[user]; }
- if ((user == null) || (user.links == null)) { return []; }
+ if (user == null) { return []; }
 var r = [];
 if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0)) {
 // This is a super user that can see all device groups for a given domain
@@ -5713,6 +5717,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 for (var i in obj.meshes) { if ((obj.meshes[i]._id.startsWith(meshStartStr)) && (obj.meshes[i].deleted == null)) { r.push(obj.meshes[i]._id); } }
 return r;
 }
+ if (user.links == null) { return []; }
 for (var i in user.links) {
 if (i.startsWith('mesh/')) {
 // Grant access to a device group thru a direct link
@@ -5742,7 +5747,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.GetMeshRights = function (user, mesh) {
 if ((user == null) || (mesh == null)) { return 0; }
 if (typeof user == 'string') { user = obj.users[user]; }
- if ((user == null) || (user.links == null)) { return 0; }
+ if (user == null) { return 0; }
 var r, meshid;
 if (typeof mesh == 'string') {
 meshid = mesh;
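Review bot: The guard added at `@@ -5677,6 +5680,7 @@`, and its twin at `@@ -5713,6 +5717,7 @@`, is only correct because it sits below the manage-all return, and nothing in the code records that ordering requirement. A one-line comment such as `// Must stay below the manage-all-device-groups return: those users may have no links.` would stop a later cleanup from hoisting the check back to the top of the function and silently undoing this fix. Both function bodies continue outside their hunks.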
@@ -5754,6 +5759,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (meshid.startsWith('mesh/' + user.domain + '/'))) { return 0xFFFFFFFF; }

 // Check direct user to device group permissions
+ if (user.links == null) return 0;
 var rights = 0;
 r = user.links[meshid];
 if (r != null) {
@@ -5786,7 +5792,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.IsMeshViewable = function (user, mesh) {
 if ((user == null) || (mesh == null)) { return false; }
 if (typeof user == 'string') { user = obj.users[user]; }
- if ((user == null) || (user.links == null)) { return false; }
+ if (user == null) { return false; }
 var meshid;
 if (typeof mesh == 'string') {
 meshid = mesh;
@@ -5798,6 +5804,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if ((user.siteadmin == 0xFFFFFFFF) && (parent.config.settings.managealldevicegroups.indexOf(user._id) >= 0) && (meshid.startsWith('mesh/' + user.domain + '/'))) { return true; }

 // Check direct user to device group permissions
+ if (user.links == null) { return false; }
 if (user.links[meshid] != null) { return true; } // If the user has a direct link, stop here.

 // Check if we are part of any user groups that would give this user visibility to this device group.
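Review bot: The guard added at `@@ -5754,6 +5759,7 @@` is written `if (user.links == null) return 0;` without braces, while every other guard this patch adds uses the braced single-line form. In a rights check, an unbraced early return is easy to break when someone later adds a second statement, so write it as `if (user.links == null) { return 0; }` to match. The enclosing function, apparently `obj.GetMeshRights` from the preceding hunk, starts and ends outside this hunk.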