Add permission checks for notes routes

Signed-off-by: Yannick Bungers <git@innay.de>

src/api/public/notes/notes.controller.ts

@@ -15,6 +15,7 @@ import {
   Post,
   Put,
   Request,
+  UnauthorizedException,
   UseGuards,
 } from '@nestjs/common';
 import { NotInDBError } from '../../../errors/errors';
@@ -33,6 +34,8 @@ import { NoteDto } from '../../../notes/note.dto';
 import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
 import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
 import { RevisionDto } from '../../../revisions/revision.dto';
+import { PermissionsService } from '../../../permissions/permissions.service';
+import { Note } from '../../../notes/note.entity';
 
 @ApiTags('notes')
 @ApiSecurity('token')
@@ -42,6 +45,7 @@ export class NotesController {
     private readonly logger: ConsoleLoggerService,
     private noteService: NotesService,
     private revisionsService: RevisionsService,
+    private permissionsService: PermissionsService,
     private historyService: HistoryService,
   ) {
     this.logger.setContext(NotesController.name);
@@ -54,7 +58,10 @@ export class NotesController {
     @MarkdownBody() text: string,
   ): Promise<NoteDto> {
     // ToDo: provide user for createNoteDto
-    this.logger.debug('Got raw markdown:\n' + text, 'createNote');
+    if (!this.permissionsService.mayCreate(req.user)) {
+      throw new UnauthorizedException('Creating note denied!');
+    }
+    this.logger.debug('Got raw markdown:\n' + text);
     return this.noteService.toNoteDto(
       await this.noteService.createNote(text, undefined, req.user),
     );
@@ -62,18 +69,24 @@ export class NotesController {
 
   @UseGuards(TokenAuthGuard)
   @Get(':noteIdOrAlias')
-  async getNote(@Request() req, @Param('noteIdOrAlias') noteIdOrAlias: string) {
-    // ToDo: check if user is allowed to view this note
+  async getNote(
+    @Request() req,
+    @Param('noteIdOrAlias') noteIdOrAlias: string,
+  ): Promise<NoteDto> {
+    let note: Note;
     try {
-      const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
-      await this.historyService.createOrUpdateHistoryEntry(note, req.user);
-      return this.noteService.toNoteDto(note);
+      note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
     } catch (e) {
       if (e instanceof NotInDBError) {
         throw new NotFoundException(e.message);
       }
       throw e;
     }
+    if (!this.permissionsService.mayRead(req.user, note)) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
+    await this.historyService.createOrUpdateHistoryEntry(note, req.user);
+    return this.noteService.toNoteDto(note);
   }
 
   @UseGuards(TokenAuthGuard)
@@ -83,7 +96,9 @@ export class NotesController {
     @Param('noteAlias') noteAlias: string,
     @MarkdownBody() text: string,
   ): Promise<NoteDto> {
-    // ToDo: check if user is allowed to view this note
+    if (!this.permissionsService.mayCreate(req.user)) {
+      throw new UnauthorizedException('Creating note denied!');
+    }
     this.logger.debug('Got raw markdown:\n' + text, 'createNamedNote');
     return this.noteService.toNoteDto(
       await this.noteService.createNote(text, noteAlias, req.user),
@@ -96,7 +111,10 @@ export class NotesController {
     @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
   ): Promise<void> {
-    // ToDo: check if user is allowed to delete this note
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.isOwner(req.user, note)) {
+      throw new UnauthorizedException('Deleting note denied!');
+    }
     this.logger.debug('Deleting note: ' + noteIdOrAlias, 'deleteNote');
     try {
       await this.noteService.deleteNoteByIdOrAlias(noteIdOrAlias);
@@ -117,7 +135,10 @@ export class NotesController {
     @Param('noteIdOrAlias') noteIdOrAlias: string,
     @MarkdownBody() text: string,
   ): Promise<NoteDto> {
-    // ToDo: check if user is allowed to change this note
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.mayWrite(req.user, note)) {
+      throw new UnauthorizedException('Updating note denied!');
+    }
     this.logger.debug('Got raw markdown:\n' + text, 'updateNote');
     try {
       return this.noteService.toNoteDto(
@@ -138,7 +159,10 @@ export class NotesController {
     @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
   ): Promise<string> {
-    // ToDo: check if user is allowed to view this notes content
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.mayRead(req.user, note)) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
     try {
       return await this.noteService.getNoteContent(noteIdOrAlias);
     } catch (e) {
@@ -155,7 +179,10 @@ export class NotesController {
     @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
   ): Promise<NoteMetadataDto> {
-    // ToDo: check if user is allowed to view this notes metadata
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.mayRead(req.user, note)) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
     try {
       return this.noteService.toNoteMetadataDto(
         await this.noteService.getNoteByIdOrAlias(noteIdOrAlias),
@@ -175,7 +202,10 @@ export class NotesController {
     @Param('noteIdOrAlias') noteIdOrAlias: string,
     @Body() updateDto: NotePermissionsUpdateDto,
   ): Promise<NotePermissionsDto> {
-    // ToDo: check if user is allowed to view this notes permissions
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.isOwner(req.user, note)) {
+      throw new UnauthorizedException('Updating note denied!');
+    }
     try {
       return this.noteService.toNotePermissionsDto(
         await this.noteService.updateNotePermissions(noteIdOrAlias, updateDto),
@@ -194,7 +224,10 @@ export class NotesController {
     @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
   ): Promise<RevisionMetadataDto[]> {
-    // ToDo: check if user is allowed to view this notes revisions
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.mayRead(req.user, note)) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
     try {
       const revisions = await this.revisionsService.getAllRevisions(
         noteIdOrAlias,
@@ -219,7 +252,10 @@ export class NotesController {
     @Param('noteIdOrAlias') noteIdOrAlias: string,
     @Param('revisionId') revisionId: number,
   ): Promise<RevisionDto> {
-    // ToDo: check if user is allowed to view this notes revision
+    const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
+    if (!this.permissionsService.mayRead(req.user, note)) {
+      throw new UnauthorizedException('Reading note denied!');
+    }
     try {
       return this.revisionsService.toRevisionDto(
         await this.revisionsService.getRevision(noteIdOrAlias, revisionId),

src/api/public/public-api.module.ts

@@ -16,6 +16,7 @@ import { MeController } from './me/me.controller';
 import { NotesController } from './notes/notes.controller';
 import { MediaController } from './media/media.controller';
 import { MonitoringController } from './monitoring/monitoring.controller';
+import { PermissionsModule } from '../../permissions/permissions.module';
 
 @Module({
   imports: [
@@ -26,6 +27,7 @@ import { MonitoringController } from './monitoring/monitoring.controller';
     MonitoringModule,
     LoggerModule,
     MediaModule,
+    PermissionsModule,
   ],
   controllers: [
     MeController,