overleaf/services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee

ProjectController = require "../Project/ProjectController"
AuthenticationController = require '../Authentication/AuthenticationController'
TokenAccessHandler = require './TokenAccessHandler'
EditorRealTimeController = require "../Editor/EditorRealTimeController"
Errors = require '../Errors/Errors'
logger = require 'logger-sharelatex'

module.exports = TokenAccessController =

	_loadEditor: (projectId, req, res, next) ->
		req.params.Project_id = projectId.toString()
		return ProjectController.loadEditor(req, res, next)

	readAndWriteToken: (req, res, next) ->
		userId = AuthenticationController.getLoggedInUserId(req)
		token = req.params['read_and_write_token']
		logger.log {userId, token}, "requesting read-and-write token access"
		TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, project) ->
			if err?
				logger.err {err, token, userId},
					"error getting project by readAndWrite token"
				return next(err)
			if !project?
				logger.log {token, userId},
					"no project found for readAndWrite token"
				if !userId?
					logger.log {token},
						"No project found with read-write token, anonymous user"
					return next(new Errors.NotFoundError())
				TokenAccessHandler
					.findPrivateOverleafProjectWithReadAndWriteToken token, (err, project) ->
						if err?
							logger.err {err, token, userId},
								"error getting project by readAndWrite token"
							return next(err)
						if !project?
							logger.log {token, userId},
								"no private-overleaf project found with readAndWriteToken"
							return next(new Errors.NotFoundError())
						logger.log {token, projectId: project._id}, "redirecting user to project"
						res.redirect(302, "/project/#{project._id}")
			else
				if !userId?
					if TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED
						logger.log {token, projectId: project._id},
							"allow anonymous read-and-write token access"
						TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)
						req._anonymousAccessToken = token
						return TokenAccessController._loadEditor(project._id, req, res, next)
					else
						logger.log {token, projectId: project._id},
							"deny anonymous read-and-write token access"
						return next(new Errors.NotFoundError())
				if project.owner_ref.toString() == userId
					logger.log {userId, projectId: project._id},
						"user is already project owner"
					return TokenAccessController._loadEditor(project._id, req, res, next)
				logger.log {userId, projectId: project._id},
					"adding user to project with readAndWrite token"
				TokenAccessHandler.addReadAndWriteUserToProject userId, project._id, (err) ->
					if err?
						logger.err {err, token, userId, projectId: project._id},
							"error adding user to project with readAndWrite token"
						return next(err)
					# TODO: check if this is still needed by the client
					setTimeout( () ->
						EditorRealTimeController.emitToRoom(
							'project:membership:changed',
							{tokenMembers: true}
						)
					, 1000)
					return TokenAccessController._loadEditor(project._id, req, res, next)

	readOnlyToken: (req, res, next) ->
		userId = AuthenticationController.getLoggedInUserId(req)
		token = req.params['read_only_token']
		logger.log {userId, token}, "requesting read-only token access"
		TokenAccessHandler.findProjectWithReadOnlyToken token, (err, project) ->
			if err?
				logger.err {err, token, userId},
					"error getting project by readOnly token"
				return next(err)
			if !project?
				logger.log {token, userId},
					"no project found for readAndWrite token"
				return next(new Errors.NotFoundError())
			if !userId?
				logger.log {userId, projectId: project._id},
					"adding anonymous user to project with readOnly token"
				TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)
				req._anonymousAccessToken = token
				return TokenAccessController._loadEditor(project._id, req, res, next)
			else
				if project.owner_ref.toString() == userId
					logger.log {userId, projectId: project._id},
						"user is already project owner"
					return TokenAccessController._loadEditor(project._id, req, res, next)
				logger.log {userId, projectId: project._id},
					"adding user to project with readOnly token"
				TokenAccessHandler.addReadOnlyUserToProject userId, project._id, (err) ->
					if err?
						logger.err {err, token, userId, projectId: project._id},
							"error adding user to project with readAndWrite token"
						return next(err)
					return TokenAccessController._loadEditor(project._id, req, res, next)
Render editor for token access, stub out ui changes 2017-09-28 11:06:08 -04:00			`ProjectController = require "../Project/ProjectController"`
Add token-access routes 2017-09-22 09:54:35 -04:00			`AuthenticationController = require '../Authentication/AuthenticationController'`
			`TokenAccessHandler = require './TokenAccessHandler'`
WIP: track changes with token-access 2017-10-25 05:34:18 -04:00			`EditorRealTimeController = require "../Editor/EditorRealTimeController"`
Render editor for token access, stub out ui changes 2017-09-28 11:06:08 -04:00			`Errors = require '../Errors/Errors'`
Unit test TokenAccessController 2017-10-03 09:04:59 -04:00			`logger = require 'logger-sharelatex'`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`module.exports = TokenAccessController =`

If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`_loadEditor: (projectId, req, res, next) ->`
			`req.params.Project_id = projectId.toString()`
			`return ProjectController.loadEditor(req, res, next)`

Add token-access routes 2017-09-22 09:54:35 -04:00			`readAndWriteToken: (req, res, next) ->`
			`userId = AuthenticationController.getLoggedInUserId(req)`
			`token = req.params['read_and_write_token']`
			`logger.log {userId, token}, "requesting read-and-write token access"`
			`TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, project) ->`
			`if err?`
			`logger.err {err, token, userId},`
			`"error getting project by readAndWrite token"`
			`return next(err)`
			`if !project?`
			`logger.log {token, userId},`
			`"no project found for readAndWrite token"`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`if !userId?`
			`logger.log {token},`
			`"No project found with read-write token, anonymous user"`
			`return next(new Errors.NotFoundError())`
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`TokenAccessHandler`
			`.findPrivateOverleafProjectWithReadAndWriteToken token, (err, project) ->`
			`if err?`
			`logger.err {err, token, userId},`
			`"error getting project by readAndWrite token"`
			`return next(err)`
			`if !project?`
			`logger.log {token, userId},`
			`"no private-overleaf project found with readAndWriteToken"`
			`return next(new Errors.NotFoundError())`
			`logger.log {token, projectId: project._id}, "redirecting user to project"`
			`res.redirect(302, "/project/#{project._id}")`
			`else`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`if !userId?`
			`if TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED`
			`logger.log {token, projectId: project._id},`
			`"allow anonymous read-and-write token access"`
			`TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)`
Change `anonToken` and such to `anonymousAccessToken` 2017-10-20 05:10:21 -04:00			`req._anonymousAccessToken = token`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
			`else`
			`logger.log {token, projectId: project._id},`
			`"deny anonymous read-and-write token access"`
			`return next(new Errors.NotFoundError())`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`if project.owner_ref.toString() == userId`
			`logger.log {userId, projectId: project._id},`
			`"user is already project owner"`
			`return TokenAccessController._loadEditor(project._id, req, res, next)`
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`logger.log {userId, projectId: project._id},`
			`"adding user to project with readAndWrite token"`
			`TokenAccessHandler.addReadAndWriteUserToProject userId, project._id, (err) ->`
			`if err?`
			`logger.err {err, token, userId, projectId: project._id},`
			`"error adding user to project with readAndWrite token"`
			`return next(err)`
Remove tokenMembers sync to clients 2017-10-25 06:29:05 -04:00			`# TODO: check if this is still needed by the client`
WIP: track changes with token-access 2017-10-25 05:34:18 -04:00			`setTimeout( () ->`
			`EditorRealTimeController.emitToRoom(`
			`'project:membership:changed',`
			`{tokenMembers: true}`
			`)`
			`, 1000)`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`readOnlyToken: (req, res, next) ->`
			`userId = AuthenticationController.getLoggedInUserId(req)`
			`token = req.params['read_only_token']`
			`logger.log {userId, token}, "requesting read-only token access"`
			`TokenAccessHandler.findProjectWithReadOnlyToken token, (err, project) ->`
			`if err?`
Unit test TokenAccessController 2017-10-03 09:04:59 -04:00			`logger.err {err, token, userId},`
Add token-access routes 2017-09-22 09:54:35 -04:00			`"error getting project by readOnly token"`
			`return next(err)`
			`if !project?`
			`logger.log {token, userId},`
			`"no project found for readAndWrite token"`
Render editor for token access, stub out ui changes 2017-09-28 11:06:08 -04:00			`return next(new Errors.NotFoundError())`
Add token-access routes 2017-09-22 09:54:35 -04:00			`if !userId?`
			`logger.log {userId, projectId: project._id},`
			`"adding anonymous user to project with readOnly token"`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)`
Change `anonToken` and such to `anonymousAccessToken` 2017-10-20 05:10:21 -04:00			`req._anonymousAccessToken = token`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Add token-access routes 2017-09-22 09:54:35 -04:00			`else`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`if project.owner_ref.toString() == userId`
			`logger.log {userId, projectId: project._id},`
			`"user is already project owner"`
			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Add token-access routes 2017-09-22 09:54:35 -04:00			`logger.log {userId, projectId: project._id},`
			`"adding user to project with readOnly token"`
			`TokenAccessHandler.addReadOnlyUserToProject userId, project._id, (err) ->`
			`if err?`
			`logger.err {err, token, userId, projectId: project._id},`
			`"error adding user to project with readAndWrite token"`
			`return next(err)`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Add token-access routes 2017-09-22 09:54:35 -04:00