adapt-security · taylortom · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/lib/UsersModule.js b/lib/UsersModule.js
@@ -1,6 +1,7 @@
 import AbstractApiModule from 'adapt-authoring-api'
+import { hasGroupAccess } from './utils.js'
 /**
- * Module which handles user management
+ * Module which handles user management and user groups
  * @memberof users
  * @extends {AbstractApiModule}
  */
@@ -10,6 +11,11 @@ class UsersModule extends AbstractApiModule {
     await super.setValues()
     /** @ignore */ this.schemaName = 'user'
     /** @ignore */ this.collectionName = 'users'
+    /**
+     * Modules registered for user group support
+     * @type {Array<AbstractApiModule>}
+     */
+    this.groupModules = []
   }
 
   /**
@@ -29,6 +35,26 @@ class UsersModule extends AbstractApiModule {
       this.preInsertHook.tap(this.forceLowerCaseEmail)
       this.preUpdateHook.tap((ogDoc, updateData) => this.forceLowerCaseEmail(updateData))
     }
+
+    await this.registerGroupModule(this)
+  }
+
+  /**
+   * Registers a module for use with groups. Extends the module's schema
+   * with the userGroups field.
+   * @param {AbstractApiModule} mod
+   */
+  async registerGroupModule (mod) {
+    if (!mod.schemaName) {
+      return this.log('warn', 'cannot register module, module doesn\'t define a schemaName')
+    }
+    const jsonschema = await this.app.waitForModule('jsonschema')
+    jsonschema.extendSchema(mod.schemaName, 'usergroups')
+    mod.accessCheckHook.tap((req, resource) => {
+      return hasGroupAccess(resource.userGroups, req.auth?.user?.userGroups)
+    })
+    this.log('debug', `registered ${mod.name} for use with groups`)
+    this.groupModules.push(mod)
   }
 
   forceLowerCaseEmail (data) {
@@ -38,7 +64,7 @@ class UsersModule extends AbstractApiModule {
   /** @override */
   async processRequestMiddleware (req, res, next) {
     super.processRequestMiddleware(req, res, () => {
-      req.apiData.schemaName = req.auth.userSchemaName
+      req.apiData.schemaName = req.routeConfig.schemaName || req.auth.userSchemaName
       next()
     })
   }
@@ -89,6 +115,32 @@ class UsersModule extends AbstractApiModule {
     query.email = this.getConfig('forceLowerCaseEmail') ? query.email?.toLowerCase() : undefined
     return super.find(query, options, mongoOptions)
   }
+
+  /** @override */
+  async delete (query, options = {}, mongoOptions = {}) {
+    const doc = await super.delete(query, options, mongoOptions)
+    if (options.collectionName === 'usergroups') {
+      await this.removeGroupRefs(doc._id)
+    }
+    return doc
+  }
+
+  /**
+   * Removes references to a deleted group from all registered modules
+   * @param {String} groupId The _id of the deleted group
+   */
+  async removeGroupRefs (groupId) {
+    await Promise.all(this.groupModules.map(async m => {
+      const docs = await m.find({ userGroups: groupId })
+      return Promise.all(docs.map(async d => {
+        try {
+          await m.update({ _id: d._id }, { $pull: { userGroups: groupId } }, { rawUpdate: true })
+        } catch (e) {
+          this.log('warn', `Failed to remove group reference, ${e}`)
+        }
+      }))
+    }))
+  }
 }
 
 export default UsersModule
diff --git a/lib/utils.js b/lib/utils.js
@@ -0,0 +1 @@
+export { hasGroupAccess } from './utils/hasGroupAccess.js'
diff --git a/lib/utils/hasGroupAccess.js b/lib/utils/hasGroupAccess.js
@@ -0,0 +1,14 @@
+/**
+ * Checks whether a user shares at least one group with a document.
+ * Returns true if the document has no group restrictions.
+ * @param {Array} docGroups The userGroups array from the document
+ * @param {Array} userGroups The userGroups array from the requesting user
+ * @return {Boolean}
+ * @memberof users
+ */
+export function hasGroupAccess (docGroups, userGroups) {
+  if (!docGroups?.length) return true
+  if (!userGroups?.length) return false
+  const userSet = new Set(userGroups.map(g => g.toString()))
+  return docGroups.some(g => userSet.has(g.toString()))
+}
diff --git a/package.json b/package.json
@@ -12,6 +12,7 @@
   },
   "peerDependencies": {
     "adapt-authoring-core": "^2.0.0",
+    "adapt-authoring-jsonschema": "^1.2.0",
     "adapt-authoring-mongodb": "^3.0.0",
     "adapt-authoring-server": "^2.1.0"
   },

diff --git a/routes.json b/routes.json
@@ -34,6 +34,36 @@
       "modifying": false,
       "handlers": { "post": "queryHandler" },
       "permissions": { "post": ["read:${scope}"] }
+    },
+    {
+      "route": "/groups",
+      "collectionName": "usergroups",
+      "schemaName": "usergroup",
+      "handlers": { "get": "queryHandler", "post": "requestHandler" },
+      "permissions": { "get": ["read:usergroups"], "post": ["write:usergroups"] }
+    },
+    {
+      "route": "/groups/schema",
+      "collectionName": "usergroups",
+      "schemaName": "usergroup",
+      "handlers": { "get": "serveSchema" },
+      "permissions": { "get": ["read:schema"] }
+    },
+    {
+      "route": "/groups/:_id",
+      "collectionName": "usergroups",
+      "schemaName": "usergroup",
+      "handlers": { "get": "requestHandler", "put": "requestHandler", "patch": "requestHandler", "delete": "requestHandler" },
+      "permissions": { "get": ["read:usergroups"], "put": ["write:usergroups"], "patch": ["write:usergroups"], "delete": ["write:usergroups"] }
+    },
+    {
+      "route": "/groups/query",
+      "collectionName": "usergroups",
+      "schemaName": "usergroup",
+      "validate": false,
+      "modifying": false,
+      "handlers": { "post": "queryHandler" },
+      "permissions": { "post": ["read:usergroups"] }
     }
   ]
 }
diff --git a/schema/usergroup.schema.json b/schema/usergroup.schema.json
@@ -0,0 +1,13 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$anchor": "usergroup",
+  "description": "A group of system users",
+  "type": "object",
+  "properties": {
+    "displayName": {
+      "description": "Display name of the user group",
+      "type": "string"
+    }
+  },
+  "required": ["displayName"]
+}
diff --git a/schema/usergroups.schema.json b/schema/usergroups.schema.json
@@ -0,0 +1,21 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$anchor": "usergroups",
+  "description": "Properties related to user group sharing",
+  "type": "object",
+  "$patch": {
+    "source": { "$ref": "user" },
+    "with": {
+      "properties": {
+        "userGroups": {
+          "description": "User groups the target object should be accessible to",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "isObjectId": true
+          }
+        }
+      }
+    }
+  }
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		export { hasGroupAccess } from './utils/hasGroupAccess.js'