overleaf/services/web/app/coffee/Features/Editor/EditorHttpController.coffee

ProjectEntityUpdateHandler = require "../Project/ProjectEntityUpdateHandler"
ProjectDeleter = require "../Project/ProjectDeleter"
logger = require "logger-sharelatex"
EditorRealTimeController = require "./EditorRealTimeController"
EditorController = require "./EditorController"
ProjectGetter = require('../Project/ProjectGetter')
UserGetter = require('../User/UserGetter')
AuthorizationManager = require("../Authorization/AuthorizationManager")
ProjectEditorHandler = require('../Project/ProjectEditorHandler')
Metrics = require('metrics-sharelatex')
CollaboratorsHandler = require("../Collaborators/CollaboratorsHandler")
CollaboratorsInviteHandler = require("../Collaborators/CollaboratorsInviteHandler")
PrivilegeLevels = require "../Authorization/PrivilegeLevels"
TokenAccessHandler = require '../TokenAccess/TokenAccessHandler'
AuthenticationController = require "../Authentication/AuthenticationController"

module.exports = EditorHttpController =
	joinProject: (req, res, next) ->
		project_id = req.params.Project_id
		user_id = req.query.user_id
		if user_id == "anonymous-user"
			user_id = null
		logger.log {user_id, project_id}, "join project request"
		Metrics.inc "editor.join-project"
		EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->
			return next(error) if error?
			# Hide access tokens if this is not the project owner
			TokenAccessHandler.protectTokens(project, privilegeLevel)
			res.json {
				project: project
				privilegeLevel: privilegeLevel
			}
			# Only show the 'renamed or deleted' message once
			if project?.deletedByExternalDataSource
				ProjectDeleter.unmarkAsDeletedByExternalSource project_id

	_buildJoinProjectView: (req, project_id, user_id, callback = (error, project, privilegeLevel) ->) ->
		logger.log {project_id, user_id}, "building the joinProject view"
		ProjectGetter.getProjectWithoutDocLines project_id, (error, project) ->
			return callback(error) if error?
			return callback(new Error("not found")) if !project?
			CollaboratorsHandler.getInvitedMembersWithPrivilegeLevels project_id, (error, members) ->
				return callback(error) if error?
				token = TokenAccessHandler.getRequestToken(req, project_id)
				AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, token, (error, privilegeLevel) ->
					return callback(error) if error?
					if !privilegeLevel? or privilegeLevel == PrivilegeLevels.NONE
						logger.log {project_id, user_id, privilegeLevel}, "not an acceptable privilege level, returning null"
						return callback null, null, false
					CollaboratorsInviteHandler.getAllInvites project_id, (error, invites) ->
						return callback(error) if error?
						logger.log {project_id, user_id, memberCount: members.length, inviteCount: invites.length, privilegeLevel}, "returning project model view"
						callback(null,
							ProjectEditorHandler.buildProjectModelView(project, members, invites),
							privilegeLevel
						)

	_nameIsAcceptableLength: (name)->
		return name? and name.length < 150 and name.length != 0

	addDoc: (req, res, next) ->
		project_id = req.params.Project_id
		name = req.body.name
		parent_folder_id = req.body.parent_folder_id
		user_id = AuthenticationController.getLoggedInUserId(req)
		logger.log project_id:project_id, name:name, parent_folder_id:parent_folder_id, "getting request to add doc to project"
		if !EditorHttpController._nameIsAcceptableLength(name)
			return res.sendStatus 400
		EditorController.addDoc project_id, parent_folder_id, name, [], "editor", user_id, (error, doc) ->
			if error == "project_has_to_many_files"
				res.status(400).json(req.i18n.translate("project_has_to_many_files"))
			else if error?
				next(error)
			else
				res.json doc

	addFolder: (req, res, next) ->
		project_id = req.params.Project_id
		name = req.body.name
		parent_folder_id = req.body.parent_folder_id
		if !EditorHttpController._nameIsAcceptableLength(name)
			return res.sendStatus 400
		EditorController.addFolder project_id, parent_folder_id, name, "editor", (error, doc) ->
			if error == "project_has_to_many_files"
				res.status(400).json(req.i18n.translate("project_has_to_many_files"))
			else if error?.message == 'invalid element name'
				res.status(400).json(req.i18n.translate('invalid_file_name'))
			else if error?
				next(error)
			else
				res.json doc

	renameEntity: (req, res, next) ->
		project_id  = req.params.Project_id
		entity_id   = req.params.entity_id
		entity_type = req.params.entity_type
		name = req.body.name
		if !EditorHttpController._nameIsAcceptableLength(name)
			return res.sendStatus 400
		user_id = AuthenticationController.getLoggedInUserId(req)
		EditorController.renameEntity project_id, entity_id, entity_type, name, user_id, (error) ->
			return next(error) if error?
			res.sendStatus 204

	moveEntity: (req, res, next) ->
		project_id  = req.params.Project_id
		entity_id   = req.params.entity_id
		entity_type = req.params.entity_type
		folder_id = req.body.folder_id
		user_id = AuthenticationController.getLoggedInUserId(req)
		EditorController.moveEntity project_id, entity_id, folder_id, entity_type, user_id, (error) ->
			return next(error) if error?
			res.sendStatus 204

	deleteDoc: (req, res, next)->
		req.params.entity_type  = "doc"
		EditorHttpController.deleteEntity(req, res, next)

	deleteFile: (req, res, next)->
		req.params.entity_type = "file"
		EditorHttpController.deleteEntity(req, res, next)

	deleteFolder: (req, res, next)->
		req.params.entity_type = "folder"
		EditorHttpController.deleteEntity(req, res, next)

	deleteEntity: (req, res, next) ->
		project_id  = req.params.Project_id
		entity_id   = req.params.entity_id
		entity_type = req.params.entity_type
		user_id = AuthenticationController.getLoggedInUserId(req)
		EditorController.deleteEntity project_id, entity_id, entity_type, "editor", user_id, (error) ->
			return next(error) if error?
			res.sendStatus 204
refactor ProjectEntityHandler - moves project locking into ProjectEntityHandler - splits ProjectEntityHandler into ProjectEntityHandler, ProjectEntityUpdateHandler and ProjectEntityMongoUpdateHandler - adds upsertDoc/upsertFile and upsertDocWithPath/upsertFileWithPath to EditorController and ProjectEntiyUpdateHandler 2018-02-01 10:31:42 -05:00			`ProjectEntityUpdateHandler = require "../Project/ProjectEntityUpdateHandler"`
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`ProjectDeleter = require "../Project/ProjectDeleter"`
Allow docs to be restored 2014-06-05 11:18:25 -04:00			`logger = require "logger-sharelatex"`
			`EditorRealTimeController = require "./EditorRealTimeController"`
Add in creating of files to editor 2014-06-22 07:10:42 -04:00			`EditorController = require "./EditorController"`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00			`ProjectGetter = require('../Project/ProjectGetter')`
			`UserGetter = require('../User/UserGetter')`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00			`AuthorizationManager = require("../Authorization/AuthorizationManager")`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00			`ProjectEditorHandler = require('../Project/ProjectEditorHandler')`
Remove the Metrics module, use metrics-sharelatex 2017-04-03 11:18:30 -04:00			`Metrics = require('metrics-sharelatex')`
Remove ProjectGetter.populateProjectWithUsers 2016-03-07 10:25:10 -05:00			`CollaboratorsHandler = require("../Collaborators/CollaboratorsHandler")`
Load invites on project load, rather than asynchronously. 2016-08-01 12:05:37 -04:00			`CollaboratorsInviteHandler = require("../Collaborators/CollaboratorsInviteHandler")`
Make privilege level check in EditorHttpController more explicit 2016-03-15 10:39:27 -04:00			`PrivilegeLevels = require "../Authorization/PrivilegeLevels"`
Refactor to not pass `req` down into Auth modules 2017-10-13 06:20:57 -04:00			`TokenAccessHandler = require '../TokenAccess/TokenAccessHandler'`
version doc renames 2017-11-01 14:21:05 -04:00			`AuthenticationController = require "../Authentication/AuthenticationController"`
Allow docs to be restored 2014-06-05 11:18:25 -04:00
			`module.exports = EditorHttpController =`
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`joinProject: (req, res, next) ->`
			`project_id = req.params.Project_id`
			`user_id = req.query.user_id`
Convert 'anonymous-user' from real-time api in 'null' internally 2016-03-22 05:53:47 -04:00			`if user_id == "anonymous-user"`
			`user_id = null`
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`logger.log {user_id, project_id}, "join project request"`
			`Metrics.inc "editor.join-project"`
Working token-based access 2017-09-27 09:01:52 -04:00			`EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->`
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`return next(error) if error?`
Hide access tokens if user is not the project owner. This prevents sneaky read-only users from sniffing out the read-write link via the browser console. 2017-10-05 08:18:30 -04:00			`# Hide access tokens if this is not the project owner`
Abstract away the token-protection logic 2017-10-19 11:26:01 -04:00			`TokenAccessHandler.protectTokens(project, privilegeLevel)`
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`res.json {`
			`project: project`
			`privilegeLevel: privilegeLevel`
			`}`
			`# Only show the 'renamed or deleted' message once`
add null check in on project 2014-12-12 05:27:14 -05:00			`if project?.deletedByExternalDataSource`
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`ProjectDeleter.unmarkAsDeletedByExternalSource project_id`

Working token-based access 2017-09-27 09:01:52 -04:00			`_buildJoinProjectView: (req, project_id, user_id, callback = (error, project, privilegeLevel) ->) ->`
Improve logging, add acceptance tests for joinProject json 2016-08-16 06:17:45 -04:00			`logger.log {project_id, user_id}, "building the joinProject view"`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00			`ProjectGetter.getProjectWithoutDocLines project_id, (error, project) ->`
			`return callback(error) if error?`
			`return callback(new Error("not found")) if !project?`
use ProjectGetter rather than Project directly 2018-02-15 07:18:43 -05:00			`CollaboratorsHandler.getInvitedMembersWithPrivilegeLevels project_id, (error, members) ->`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00			`return callback(error) if error?`
remove unused call to UserGetter.getUser 2018-09-13 12:14:28 -04:00			`token = TokenAccessHandler.getRequestToken(req, project_id)`
			`AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, token, (error, privilegeLevel) ->`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00			`return callback(error) if error?`
remove unused call to UserGetter.getUser 2018-09-13 12:14:28 -04:00			`if !privilegeLevel? or privilegeLevel == PrivilegeLevels.NONE`
			`logger.log {project_id, user_id, privilegeLevel}, "not an acceptable privilege level, returning null"`
			`return callback null, null, false`
			`CollaboratorsInviteHandler.getAllInvites project_id, (error, invites) ->`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00			`return callback(error) if error?`
remove unused call to UserGetter.getUser 2018-09-13 12:14:28 -04:00			`logger.log {project_id, user_id, memberCount: members.length, inviteCount: invites.length, privilegeLevel}, "returning project model view"`
			`callback(null,`
			`ProjectEditorHandler.buildProjectModelView(project, members, invites),`
			`privilegeLevel`
			`)`
Clean up unused real-time code in web 2015-02-05 11:37:37 -05:00
clients can not rename docs/files/folders to blank name. Client and server side checks added 2015-03-02 07:46:02 -05:00			`_nameIsAcceptableLength: (name)->`
			`return name? and name.length < 150 and name.length != 0`

Add in creating of files to editor 2014-06-22 07:10:42 -04:00			`addDoc: (req, res, next) ->`
			`project_id = req.params.Project_id`
			`name = req.body.name`
			`parent_folder_id = req.body.parent_folder_id`
pass user_id into EditorController.addDoc 2017-11-23 10:40:14 -05:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
made ProjectGetter.getProject more robust it can deal with multiple types of query better, including mongoose ids which are not being matched like mongojs ids. 2016-02-29 14:01:46 -05:00			`logger.log project_id:project_id, name:name, parent_folder_id:parent_folder_id, "getting request to add doc to project"`
clients can not rename docs/files/folders to blank name. Client and server side checks added 2015-03-02 07:46:02 -05:00			`if !EditorHttpController._nameIsAcceptableLength(name)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`return res.sendStatus 400`
pass user_id into EditorController.addDoc 2017-11-23 10:40:14 -05:00			`EditorController.addDoc project_id, parent_folder_id, name, [], "editor", user_id, (error, doc) ->`
add in the calls to block large projects 2016-02-29 08:05:17 -05:00			`if error == "project_has_to_many_files"`
			`res.status(400).json(req.i18n.translate("project_has_to_many_files"))`
			`else if error?`
			`next(error)`
			`else`
			`res.json doc`
Allow creation of folders 2014-06-22 09:39:38 -04:00
			`addFolder: (req, res, next) ->`
			`project_id = req.params.Project_id`
			`name = req.body.name`
			`parent_folder_id = req.body.parent_folder_id`
clients can not rename docs/files/folders to blank name. Client and server side checks added 2015-03-02 07:46:02 -05:00			`if !EditorHttpController._nameIsAcceptableLength(name)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`return res.sendStatus 400`
Fix broken argument signature of addFolder 2014-10-16 06:26:57 -04:00			`EditorController.addFolder project_id, parent_folder_id, name, "editor", (error, doc) ->`
add in the calls to block large projects 2016-02-29 08:05:17 -05:00			`if error == "project_has_to_many_files"`
			`res.status(400).json(req.i18n.translate("project_has_to_many_files"))`
Account for error being null 2017-03-31 05:46:13 -04:00			`else if error?.message == 'invalid element name'`
Cleaner error reporting for `addFolder` endpoint 2017-03-31 05:31:03 -04:00			`res.status(400).json(req.i18n.translate('invalid_file_name'))`
add in the calls to block large projects 2016-02-29 08:05:17 -05:00			`else if error?`
handle errors normally in addFolder modal 2018-01-17 07:11:02 -05:00			`next(error)`
add in the calls to block large projects 2016-02-29 08:05:17 -05:00			`else`
			`res.json doc`
Rename files 2014-06-22 15:08:56 -04:00
			`renameEntity: (req, res, next) ->`
			`project_id = req.params.Project_id`
			`entity_id = req.params.entity_id`
			`entity_type = req.params.entity_type`
			`name = req.body.name`
clients can not rename docs/files/folders to blank name. Client and server side checks added 2015-03-02 07:46:02 -05:00			`if !EditorHttpController._nameIsAcceptableLength(name)`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`return res.sendStatus 400`
pass user_id into EditorController.addDoc 2017-11-23 10:40:14 -05:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
version doc renames 2017-11-01 14:21:05 -04:00			`EditorController.renameEntity project_id, entity_id, entity_type, name, user_id, (error) ->`
Rename files 2014-06-22 15:08:56 -04:00			`return next(error) if error?`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`res.sendStatus 204`
Rename files 2014-06-22 15:08:56 -04:00
			`moveEntity: (req, res, next) ->`
			`project_id = req.params.Project_id`
			`entity_id = req.params.entity_id`
			`entity_type = req.params.entity_type`
			`folder_id = req.body.folder_id`
version moving entities 2017-11-02 05:44:23 -04:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
			`EditorController.moveEntity project_id, entity_id, folder_id, entity_type, user_id, (error) ->`
replace error message with Error object 2018-01-31 05:26:31 -05:00			`return next(error) if error?`
			`res.sendStatus 204`
Rename files 2014-06-22 15:08:56 -04:00
explicitly set the file types to delete the wild card version can get mixed up with app.del '/project/:project_id/contents/*', httpAuth, TpdsController.deleteProjectContents 2014-10-24 07:01:35 -04:00			`deleteDoc: (req, res, next)->`
			`req.params.entity_type = "doc"`
			`EditorHttpController.deleteEntity(req, res, next)`

			`deleteFile: (req, res, next)->`
			`req.params.entity_type = "file"`
			`EditorHttpController.deleteEntity(req, res, next)`

			`deleteFolder: (req, res, next)->`
			`req.params.entity_type = "folder"`
			`EditorHttpController.deleteEntity(req, res, next)`

Rename files 2014-06-22 15:08:56 -04:00			`deleteEntity: (req, res, next) ->`
			`project_id = req.params.Project_id`
			`entity_id = req.params.entity_id`
			`entity_type = req.params.entity_type`
pass userId to EditorHttpController.deleteEntity 2017-12-15 05:53:38 -05:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
			`EditorController.deleteEntity project_id, entity_id, entity_type, "editor", user_id, (error) ->`
Rename files 2014-06-22 15:08:56 -04:00			`return next(error) if error?`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`res.sendStatus 204`