From 3b92226bab160f5703d9bae85c27a6fd39e5fb89 Mon Sep 17 00:00:00 2001 From: Philip Molares Date: Sun, 21 Nov 2021 17:18:23 +0100 Subject: [PATCH] feat: create permissions guard This guard protects resources and let's users only access them if they hold the correct permission Signed-off-by: Philip Molares --- src/api/utils/permissions.guard.ts | 66 ++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 src/api/utils/permissions.guard.ts diff --git a/src/api/utils/permissions.guard.ts b/src/api/utils/permissions.guard.ts new file mode 100644 index 000000000..5206f1c48 --- /dev/null +++ b/src/api/utils/permissions.guard.ts @@ -0,0 +1,66 @@ +/* + * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file) + * + * SPDX-License-Identifier: AGPL-3.0-only + */ +import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common'; +import { Reflector } from '@nestjs/core'; +import { Request } from 'express'; + +import { ConsoleLoggerService } from '../../logger/console-logger.service'; +import { NotesService } from '../../notes/notes.service'; +import { Permission } from '../../permissions/permissions.enum'; +import { PermissionsService } from '../../permissions/permissions.service'; +import { User } from '../../users/user.entity'; +import { getNote } from './get-note.pipe'; + +/** + * This guards controller methods from access, if the user has not the appropriate permissions. + * The permissions are set via the {@link Permissions} decorator in addition to this guard. + */ +@Injectable() +export class PermissionsGuard implements CanActivate { + constructor( + private readonly logger: ConsoleLoggerService, + private reflector: Reflector, + private permissionsService: PermissionsService, + private noteService: NotesService, + ) { + this.logger.setContext(PermissionsGuard.name); + } + + async canActivate(context: ExecutionContext): Promise { + const permissions = this.reflector.get( + 'permissions', + context.getHandler(), + ); + // If no permissions are set this is probably an error and this guard should not let the request pass + if (!permissions) { + this.logger.error( + 'Could not find permission metadata. This should never happen. If you see this, please open an issue at https://github.com/hedgedoc/hedgedoc/issues', + ); + return false; + } + const request: Request & { user: User } = context + .switchToHttp() + .getRequest(); + const user = request.user; + // handle CREATE permissions, as this does not need any note + if (permissions[0] === Permission.CREATE) { + return this.permissionsService.mayCreate(user); + } + // Get the note from the parameter noteIdOrAlias + // Attention: This gets the note an additional time if used in conjunction with GetNotePipe + const noteIdOrAlias = request.params['noteIdOrAlias']; + const note = await getNote(this.noteService, noteIdOrAlias); + switch (permissions[0]) { + case Permission.READ: + return this.permissionsService.mayRead(user, note); + case Permission.WRITE: + return this.permissionsService.mayWrite(user, note); + case Permission.OWNER: + return this.permissionsService.isOwner(user, note); + } + return false; + } +}