Permit login with blank scope

Required for the editor, which doesn't know the appropriate scope
for the user logging in. The user will adopt their default permission
scope once logged in.

editor/js/ui/deploy.js

@@ -237,7 +237,7 @@ RED.deploy = (function() {
             }).fail(function(xhr,textStatus,err) {
                 RED.nodes.dirty(true);
                 if (xhr.responseText) {
-                    RED.notify(RED._("notification.error",{message:xhr.responseJSON.message}),"error");
+                    RED.notify(RED._("notification.error",{message:xhr.responseText}),"error");
                 } else {
                     RED.notify(RED._("notification.error",{message:RED._("deploy.errors.noResponse")}),"error");
                 }

editor/js/ui/editor.js

@@ -287,6 +287,8 @@ RED.editor = (function() {
                                     }).done(function() {
                                             RED.library.loadFlowLibrary();
                                             RED.notify(RED._("library.savedNodes"),"success");
+                                    }).fail(function(xhr,textStatus,err) {
+                                        RED.notify(RED._("library.saveFailed",{message:xhr.responseText}),"error");
                                     });
                                 }
                             }

editor/js/ui/library.js

@@ -329,7 +329,7 @@ RED.library = (function() {
             }).done(function(data,textStatus,xhr) {
                 RED.notify(RED._("library.savedType", {type:options.type}),"success");
             }).fail(function(xhr,textStatus,err) {
-                RED.notify(RED._("library.saveFailed",{message:xhr.responseJSON.message}),"error");
+                RED.notify(RED._("library.saveFailed",{message:xhr.responseText}),"error");
             });
         }
         $( "#node-dialog-library-save-confirm" ).dialog({

editor/js/user.js

@@ -86,7 +86,7 @@ RED.user = (function() {
                         var body = {
                             client_id: "node-red-editor",
                             grant_type: "password",
-                            scope:"*"
+                            scope:""
                         }
                         for (var i=0;i<data.prompts.length;i++) {
                             var field = data.prompts[i];

red/api/auth/permissions.js

@@ -33,7 +33,11 @@ function hasPermission(userScope,permission) {
         return true;
     }
 
-    if (userScope == "*") {
+    if (permission === "") {
+        return true;
+    }
+
+    if (userScope === "*") {
         return true;
     }
 
@@ -46,7 +50,7 @@ function hasPermission(userScope,permission) {
         return true;
     }
 
-    if (userScope == "read") {
+    if (userScope === "read") {
         return readRE.test(permission);
     } else {
         return false; // anything not allowed is disallowed

red/api/auth/strategies.js

@@ -85,6 +85,9 @@ var passwordTokenExchange = function(client, username, password, scope, done) {
 
     Users.authenticate(username,password).then(function(user) {
         if (user) {
+            if (scope === "") {
+                scope = user.permissions;
+            }
             if (permissions.hasPermission(user.permissions,scope)) {
                 loginAttempts = loginAttempts.filter(function(logEntry) {
                     return logEntry.user !== username;

test/red/api/auth/permissions_spec.js

@@ -40,5 +40,9 @@ describe("Auth permissions", function() {
             permissions.hasPermission("read",["foo.read","foo.write"]).should.be.false;
             permissions.hasPermission("read",["foo.read","bar.read"]).should.be.true;
         });
+        it('permits an empty permission', function() {
+            permissions.hasPermission("*","").should.be.true;
+            permissions.hasPermission("read",[""]).should.be.true;
+        });
     });
 });