add JAMBONES_ADMIN_CARRIER check to limit creating carriers and numbers

lib/routes/api/accounts.js

@@ -140,6 +140,10 @@ router.put('/:sid/VoipCarriers/:voip_carrier_sid', async(req, res) => {
   const logger = req.app.locals.logger;
 
   try {
+    if (process.env.JAMBONES_ADMIN_CARRIER == 1 && (!req.user.hasScope('service_provider')
+      || !!req.user.hasScope('admin'))) {
+      throw new DbErrorBadRequest('insufficient privileges');
+    }
     const sid = parseVoipCarrierSid(req);
     const account_sid = parseAccountSid(req);
     await validateRequest(req, account_sid);

lib/routes/api/phone-numbers.js

@@ -19,6 +19,10 @@ const hasWhitespace = (str) => /\s/.test(str);
 /* check for required fields when adding */
 async function validateAdd(req) {
   try {
+    if (process.env.JAMBONES_ADMIN_CARRIER == 1 && (!req.user.hasScope('service_provider')
+      || !!req.user.hasScope('admin'))) {
+      throw new DbErrorBadRequest('insufficient privileges');
+    }
     /* account level user can only act on carriers associated to his/her account */
     if (req.user.hasAccountAuth) {
       req.body.account_sid = req.user.account_sid;

lib/routes/api/voip-carriers.js

@@ -9,6 +9,10 @@ const { parseVoipCarrierSid } = require('./utils');
 const validate = async(req) => {
   const {lookupAppBySid, lookupAccountBySid} = req.app.locals;
 
+  if (process.env.JAMBONES_ADMIN_CARRIER == 1 && (!req.user.hasScope('service_provider')
+    || !!req.user.hasScope('admin'))) {
+    throw new DbErrorBadRequest('insufficient privileges');
+  }
   /* account level user can only act on carriers associated to his/her account */
   if (req.user.hasAccountAuth) {
     req.body.account_sid = req.user.account_sid;