Merge pull request #1853 from hedgedoc/feat/getNoteInterceptor

This commit is contained in:
Yannick Bungers 2021-12-02 22:02:09 +01:00 committed by GitHub
commit 87cb90abda
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 113 additions and 47 deletions

View file

@ -10,10 +10,10 @@ import {
Delete,
Get,
NotFoundException,
Param,
Post,
Put,
UseGuards,
UseInterceptors,
} from '@nestjs/common';
import { ApiTags } from '@nestjs/swagger';
@ -26,7 +26,8 @@ import { SessionGuard } from '../../../../identity/session.guard';
import { ConsoleLoggerService } from '../../../../logger/console-logger.service';
import { Note } from '../../../../notes/note.entity';
import { User } from '../../../../users/user.entity';
import { GetNotePipe } from '../../../utils/get-note.pipe';
import { GetNoteInterceptor } from '../../../utils/get-note.interceptor';
import { RequestNote } from '../../../utils/request-note.decorator';
import { RequestUser } from '../../../utils/request-user.decorator';
@UseGuards(SessionGuard)
@ -82,9 +83,10 @@ export class HistoryController {
}
}
@Put(':note')
@Put(':noteIdOrAlias')
@UseInterceptors(GetNoteInterceptor)
async updateHistoryEntry(
@Param('note', GetNotePipe) note: Note,
@RequestNote() note: Note,
@RequestUser() user: User,
@Body() entryUpdateDto: HistoryEntryUpdateDto,
): Promise<HistoryEntryDto> {
@ -103,9 +105,10 @@ export class HistoryController {
}
}
@Delete(':note')
@Delete(':noteIdOrAlias')
@UseInterceptors(GetNoteInterceptor)
async deleteHistoryEntry(
@Param('note', GetNotePipe) note: Note,
@RequestNote() note: Note,
@RequestUser() user: User,
): Promise<void> {
try {

View file

@ -14,6 +14,7 @@ import {
Param,
Post,
UseGuards,
UseInterceptors,
} from '@nestjs/common';
import {
@ -37,9 +38,10 @@ import { RevisionDto } from '../../../revisions/revision.dto';
import { RevisionsService } from '../../../revisions/revisions.service';
import { User } from '../../../users/user.entity';
import { UsersService } from '../../../users/users.service';
import { GetNotePipe } from '../../utils/get-note.pipe';
import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
import { MarkdownBody } from '../../utils/markdownbody-decorator';
import { PermissionsGuard } from '../../utils/permissions.guard';
import { RequestNote } from '../../utils/request-note.decorator';
import { RequestUser } from '../../utils/request-user.decorator';
@UseGuards(SessionGuard)
@ -58,10 +60,11 @@ export class NotesController {
@Get(':noteIdOrAlias')
@Permissions(Permission.READ)
@UseInterceptors(GetNoteInterceptor)
@UseGuards(PermissionsGuard)
async getNote(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<NoteDto> {
await this.historyService.updateHistoryEntryTimestamp(note, user);
return await this.noteService.toNoteDto(note);
@ -69,10 +72,9 @@ export class NotesController {
@Get(':noteIdOrAlias/media')
@Permissions(Permission.READ)
@UseInterceptors(GetNoteInterceptor)
@UseGuards(PermissionsGuard)
async getNotesMedia(
@Param('noteIdOrAlias', GetNotePipe) note: Note,
): Promise<MediaUploadDto[]> {
async getNotesMedia(@RequestNote() note: Note): Promise<MediaUploadDto[]> {
const media = await this.mediaService.listUploadsByNote(note);
return media.map((media) => this.mediaService.toMediaUploadDto(media));
}
@ -119,10 +121,11 @@ export class NotesController {
@Delete(':noteIdOrAlias')
@HttpCode(204)
@Permissions(Permission.OWNER)
@UseInterceptors(GetNoteInterceptor)
@UseGuards(PermissionsGuard)
async deleteNote(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
@Body() noteMediaDeletionDto: NoteMediaDeletionDto,
): Promise<void> {
const mediaUploads = await this.mediaService.listUploadsByNote(note);
@ -141,10 +144,11 @@ export class NotesController {
@Get(':noteIdOrAlias/revisions')
@Permissions(Permission.READ)
@UseInterceptors(GetNoteInterceptor)
@UseGuards(PermissionsGuard)
async getNoteRevisions(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<RevisionMetadataDto[]> {
const revisions = await this.revisionsService.getAllRevisions(note);
return await Promise.all(
@ -157,10 +161,11 @@ export class NotesController {
@Delete(':noteIdOrAlias/revisions')
@HttpCode(204)
@Permissions(Permission.READ)
@UseInterceptors(GetNoteInterceptor)
@UseGuards(PermissionsGuard)
async purgeNoteRevisions(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<void> {
this.logger.debug(
'Purging history of note: ' + note.id,
@ -176,10 +181,11 @@ export class NotesController {
@Get(':noteIdOrAlias/revisions/:revisionId')
@Permissions(Permission.READ)
@UseInterceptors(GetNoteInterceptor)
@UseGuards(PermissionsGuard)
async getNoteRevision(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
@Param('revisionId') revisionId: number,
): Promise<RevisionDto> {
try {

View file

@ -10,9 +10,9 @@ import {
Get,
HttpCode,
NotFoundException,
Param,
Put,
UseGuards,
UseInterceptors,
} from '@nestjs/common';
import {
ApiNoContentResponse,
@ -42,7 +42,8 @@ import {
successfullyDeletedDescription,
unauthorizedDescription,
} from '../../utils/descriptions';
import { GetNotePipe } from '../../utils/get-note.pipe';
import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
import { RequestNote } from '../../utils/request-note.decorator';
import { RequestUser } from '../../utils/request-user.decorator';
@ApiTags('me')
@ -85,8 +86,9 @@ export class MeController {
);
}
@UseInterceptors(GetNoteInterceptor)
@UseGuards(TokenAuthGuard)
@Get('history/:note')
@Get('history/:noteIdOrAlias')
@ApiOkResponse({
description: 'The history entry of the user which points to the note',
type: HistoryEntryDto,
@ -95,7 +97,7 @@ export class MeController {
@ApiNotFoundResponse({ description: notFoundDescription })
async getHistoryEntry(
@RequestUser() user: User,
@Param('note', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<HistoryEntryDto> {
try {
const foundEntry = await this.historyService.getEntryByNote(note, user);
@ -108,8 +110,9 @@ export class MeController {
}
}
@UseInterceptors(GetNoteInterceptor)
@UseGuards(TokenAuthGuard)
@Put('history/:note')
@Put('history/:noteIdOrAlias')
@ApiOkResponse({
description: 'The updated history entry',
type: HistoryEntryDto,
@ -118,7 +121,7 @@ export class MeController {
@ApiNotFoundResponse({ description: notFoundDescription })
async updateHistoryEntry(
@RequestUser() user: User,
@Param('note', GetNotePipe) note: Note,
@RequestNote() note: Note,
@Body() entryUpdateDto: HistoryEntryUpdateDto,
): Promise<HistoryEntryDto> {
// ToDo: Check if user is allowed to pin this history entry
@ -138,15 +141,16 @@ export class MeController {
}
}
@UseInterceptors(GetNoteInterceptor)
@UseGuards(TokenAuthGuard)
@Delete('history/:note')
@Delete('history/:noteIdOrAlias')
@HttpCode(204)
@ApiNoContentResponse({ description: successfullyDeletedDescription })
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
@ApiNotFoundResponse({ description: notFoundDescription })
async deleteHistoryEntry(
@RequestUser() user: User,
@Param('note', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<void> {
// ToDo: Check if user is allowed to delete note
try {

View file

@ -16,6 +16,7 @@ import {
Post,
Put,
UseGuards,
UseInterceptors,
} from '@nestjs/common';
import {
ApiCreatedResponse,
@ -59,9 +60,10 @@ import {
unauthorizedDescription,
} from '../../utils/descriptions';
import { FullApi } from '../../utils/fullapi-decorator';
import { GetNotePipe } from '../../utils/get-note.pipe';
import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
import { MarkdownBody } from '../../utils/markdownbody-decorator';
import { PermissionsGuard } from '../../utils/permissions.guard';
import { RequestNote } from '../../utils/request-note.decorator';
import { RequestUser } from '../../utils/request-user.decorator';
@ApiTags('notes')
@ -94,6 +96,7 @@ export class NotesController {
);
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.READ)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Get(':noteIdOrAlias')
@ -104,7 +107,7 @@ export class NotesController {
@FullApi
async getNote(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<NoteDto> {
await this.historyService.updateHistoryEntryTimestamp(note, user);
return await this.noteService.toNoteDto(note);
@ -141,6 +144,7 @@ export class NotesController {
}
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.OWNER)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Delete(':noteIdOrAlias')
@ -149,7 +153,7 @@ export class NotesController {
@FullApi
async deleteNote(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
@Body() noteMediaDeletionDto: NoteMediaDeletionDto,
): Promise<void> {
const mediaUploads = await this.mediaService.listUploadsByNote(note);
@ -166,6 +170,7 @@ export class NotesController {
return;
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.WRITE)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Put(':noteIdOrAlias')
@ -176,7 +181,7 @@ export class NotesController {
@FullApi
async updateNote(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
@MarkdownBody() text: string,
): Promise<NoteDto> {
this.logger.debug('Got raw markdown:\n' + text, 'updateNote');
@ -185,6 +190,7 @@ export class NotesController {
);
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.READ)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Get(':noteIdOrAlias/content')
@ -196,11 +202,12 @@ export class NotesController {
@Header('content-type', 'text/markdown')
async getNoteContent(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<string> {
return await this.noteService.getNoteContent(note);
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.READ)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Get(':noteIdOrAlias/metadata')
@ -211,11 +218,12 @@ export class NotesController {
@FullApi
async getNoteMetadata(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<NoteMetadataDto> {
return await this.noteService.toNoteMetadataDto(note);
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.OWNER)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Put(':noteIdOrAlias/metadata/permissions')
@ -226,7 +234,7 @@ export class NotesController {
@FullApi
async updateNotePermissions(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
@Body() updateDto: NotePermissionsUpdateDto,
): Promise<NotePermissionsDto> {
return this.noteService.toNotePermissionsDto(
@ -234,6 +242,7 @@ export class NotesController {
);
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.READ)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Get(':noteIdOrAlias/revisions')
@ -245,7 +254,7 @@ export class NotesController {
@FullApi
async getNoteRevisions(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<RevisionMetadataDto[]> {
const revisions = await this.revisionsService.getAllRevisions(note);
return await Promise.all(
@ -255,6 +264,7 @@ export class NotesController {
);
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.READ)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Get(':noteIdOrAlias/revisions/:revisionId')
@ -265,7 +275,7 @@ export class NotesController {
@FullApi
async getNoteRevision(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
@Param('revisionId') revisionId: number,
): Promise<RevisionDto> {
try {
@ -280,6 +290,7 @@ export class NotesController {
}
}
@UseInterceptors(GetNoteInterceptor)
@Permissions(Permission.READ)
@UseGuards(TokenAuthGuard, PermissionsGuard)
@Get(':noteIdOrAlias/media')
@ -291,7 +302,7 @@ export class NotesController {
@ApiUnauthorizedResponse({ description: unauthorizedDescription })
async getNotesMedia(
@RequestUser() user: User,
@Param('noteIdOrAlias', GetNotePipe) note: Note,
@RequestNote() note: Note,
): Promise<MediaUploadDto[]> {
const media = await this.mediaService.listUploadsByNote(note);
return media.map((media) => this.mediaService.toMediaUploadDto(media));

View file

@ -4,29 +4,39 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
import {
ArgumentMetadata,
BadRequestException,
CallHandler,
ExecutionContext,
Injectable,
NestInterceptor,
NotFoundException,
PipeTransform,
} from '@nestjs/common';
import { Request } from 'express';
import { Observable } from 'rxjs';
import { ForbiddenIdError, NotInDBError } from '../../errors/errors';
import { ConsoleLoggerService } from '../../logger/console-logger.service';
import { Note } from '../../notes/note.entity';
import { NotesService } from '../../notes/notes.service';
import { User } from '../../users/user.entity';
/**
* Saves the note identified by the `noteIdOrAlias` URL parameter
* under the `note` property of the request object.
*/
@Injectable()
export class GetNotePipe implements PipeTransform<string, Promise<Note>> {
constructor(
private readonly logger: ConsoleLoggerService,
private noteService: NotesService,
) {
this.logger.setContext(GetNotePipe.name);
}
export class GetNoteInterceptor implements NestInterceptor {
constructor(private noteService: NotesService) {}
async transform(noteIdOrAlias: string, _: ArgumentMetadata): Promise<Note> {
return await getNote(this.noteService, noteIdOrAlias);
async intercept<T>(
context: ExecutionContext,
next: CallHandler,
): Promise<Observable<T>> {
const request: Request & { user: User; note: Note } = context
.switchToHttp()
.getRequest();
const noteIdOrAlias = request.params['noteIdOrAlias'];
request.note = await getNote(this.noteService, noteIdOrAlias);
return next.handle();
}
}

View file

@ -12,7 +12,7 @@ import { NotesService } from '../../notes/notes.service';
import { Permission } from '../../permissions/permissions.enum';
import { PermissionsService } from '../../permissions/permissions.service';
import { User } from '../../users/user.entity';
import { getNote } from './get-note.pipe';
import { getNote } from './get-note.interceptor';
/**
* This guards controller methods from access, if the user has not the appropriate permissions.
@ -50,7 +50,7 @@ export class PermissionsGuard implements CanActivate {
return this.permissionsService.mayCreate(user);
}
// Get the note from the parameter noteIdOrAlias
// Attention: This gets the note an additional time if used in conjunction with GetNotePipe
// Attention: This gets the note an additional time if used in conjunction with GetNoteInterceptor
const noteIdOrAlias = request.params['noteIdOrAlias'];
const note = await getNote(this.noteService, noteIdOrAlias);
switch (permissions[0]) {

View file

@ -0,0 +1,32 @@
/*
* SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
*
* SPDX-License-Identifier: AGPL-3.0-only
*/
import {
createParamDecorator,
ExecutionContext,
InternalServerErrorException,
} from '@nestjs/common';
import { Request } from 'express';
import { Note } from '../../notes/note.entity';
/**
* Extracts the {@link Note} object from a request
*
* Will throw an {@link InternalServerErrorException} if no note is present
*/
// eslint-disable-next-line @typescript-eslint/naming-convention
export const RequestNote = createParamDecorator(
(data: unknown, ctx: ExecutionContext) => {
const request: Request & { note: Note } = ctx.switchToHttp().getRequest();
if (!request.note) {
// We should have a note here, otherwise something is wrong
throw new InternalServerErrorException(
'Request is missing a note object',
);
}
return request.note;
},
);