Fix API for Carriers & SIP Gateways (#492)

* allow account api keys to get/post sip gateways

* require sp sid when creating carriers

* allow account level api keys to query carriers

* lookup and set the service_provider_sid on account create carrier

lib/routes/api/accounts.js

@@ -161,6 +161,9 @@ router.post('/:sid/VoipCarriers', async(req, res) => {
   try {
     const account_sid = parseAccountSid(req);
     await validateRequest(req, account_sid);
+    // Set the service_provder_sid to the relevent value for the account
+    const account = await Account.retrieve(req.user.account_sid);
+    payload.service_provider_sid = account[0].service_provider_sid;
 
     logger.debug({payload}, 'POST /:sid/VoipCarriers');
     const uuid = await VoipCarrier.make({

lib/routes/api/service-providers.js

@@ -46,10 +46,16 @@ async function validateRetrieve(req) {
       return;
     }
 
-    if (req.user.hasScope('service_provider') || req.user.hasScope('account')) {
+    if (req.user.hasScope('service_provider')) {
       if (service_provider_sid === req.user.service_provider_sid) return;
     }
 
+    if (req.user.hasScope('account')) {
+      const results = await Account.retrieve(req.user.account_sid);
+      if (service_provider_sid === results[0].service_provider_sid) return;
+    }
+
+
     throw new DbErrorForbidden('insufficient permissions');
   } catch (error) {
     throw error;

lib/routes/api/sip-gateways.js

@@ -18,8 +18,7 @@ const checkUserScope = async(req, voip_carrier_sid) => {
     const carrier = await lookupCarrierBySid(voip_carrier_sid);
     if (!carrier) throw new DbErrorBadRequest('invalid voip_carrier_sid');
 
-    if ((!carrier.service_provider_sid || carrier.service_provider_sid === req.user.service_provider_sid) &&
-      (!carrier.account_sid || carrier.account_sid === req.user.account_sid)) {
+    if (!carrier.account_sid || carrier.account_sid === req.user.account_sid) {
 
       if (req.method !== 'GET' && !carrier.account_sid) {
         throw new DbErrorForbidden('insufficient privileges');