overleaf/services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee

ProjectController = require "../Project/ProjectController"
AuthenticationController = require '../Authentication/AuthenticationController'
TokenAccessHandler = require './TokenAccessHandler'
Errors = require '../Errors/Errors'
logger = require 'logger-sharelatex'
settings = require 'settings-sharelatex'

module.exports = TokenAccessController =

	_loadEditor: (projectId, req, res, next) ->
		req.params.Project_id = projectId.toString()
		return ProjectController.loadEditor(req, res, next)

	_tryHigherAccess: (token, userId, req, res, next) ->
		TokenAccessHandler.findProjectWithHigherAccess token, userId, (err, project, projectExists) ->
			if err?
				logger.err {err, token, userId},
					"[TokenAccess] error finding project with higher access"
				return next(err)
			if !projectExists and settings.overleaf
				logger.log {token, userId},
					"[TokenAccess] no project found for this token"
				# Project does not exist, but may be unimported - try it on v1
				return res.redirect(settings.overleaf.host + req.url)
			if !project?
				logger.log {token, userId},
					"[TokenAccess] no project with higher access found for this user and token"
				return next(new Errors.NotFoundError())
			logger.log {token, userId, projectId: project._id},
				"[TokenAccess] user has higher access to project, redirecting"
			res.redirect(302, "/project/#{project._id}")

	readAndWriteToken: (req, res, next) ->
		userId = AuthenticationController.getLoggedInUserId(req)
		token = req.params['read_and_write_token']
		logger.log {userId, token}, "[TokenAccess] requesting read-and-write token access"
		TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, project) ->
			if err?
				logger.err {err, token, userId},
					"[TokenAccess] error getting project by readAndWrite token"
				return next(err)
			if !project?
				logger.log {token, userId},
					"[TokenAccess] no token-based project found for readAndWrite token"
				if !userId?
					logger.log {token},
						"[TokenAccess] No project found with read-write token, anonymous user, deny"
					return next(new Errors.NotFoundError())
				TokenAccessController._tryHigherAccess(token, userId, req, res, next)
			else
				if !userId?
					if TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED
						logger.log {token, projectId: project._id},
							"[TokenAccess] allow anonymous read-and-write token access"
						TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)
						req._anonymousAccessToken = token
						return TokenAccessController._loadEditor(project._id, req, res, next)
					else
						logger.log {token, projectId: project._id},
							"[TokenAccess] deny anonymous read-and-write token access"
						AuthenticationController._setRedirectInSession(req)
						return res.redirect('/restricted')
				if project.owner_ref.toString() == userId
					logger.log {userId, projectId: project._id},
						"[TokenAccess] user is already project owner"
					return TokenAccessController._loadEditor(project._id, req, res, next)
				logger.log {userId, projectId: project._id},
					"[TokenAccess] adding user to project with readAndWrite token"
				TokenAccessHandler.addReadAndWriteUserToProject userId, project._id, (err) ->
					if err?
						logger.err {err, token, userId, projectId: project._id},
							"[TokenAccess] error adding user to project with readAndWrite token"
						return next(err)
					return TokenAccessController._loadEditor(project._id, req, res, next)

	readOnlyToken: (req, res, next) ->
		userId = AuthenticationController.getLoggedInUserId(req)
		token = req.params['read_only_token']
		logger.log {userId, token}, "[TokenAccess] requesting read-only token access"
		TokenAccessHandler.findProjectWithReadOnlyToken token, (err, project, projectExists) ->
			if err?
				logger.err {err, token, userId},
					"[TokenAccess] error getting project by readOnly token"
				return next(err)
			if !projectExists and settings.overleaf
				logger.log {token, userId},
						"[TokenAccess] no project found for this token"
				return res.redirect(302, settings.overleaf.host + '/read/' + token)
			if !project?
				logger.log {token, userId},
					"[TokenAccess] no project found for readOnly token"
				if !userId?
					logger.log {token},
						"[TokenAccess] No project found with readOnly token, anonymous user, deny"
					return next(new Errors.NotFoundError())
				TokenAccessController._tryHigherAccess(token, userId, req, res, next)
			else
				if !userId?
					logger.log {userId, projectId: project._id},
						"[TokenAccess] adding anonymous user to project with readOnly token"
					TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)
					req._anonymousAccessToken = token
					return TokenAccessController._loadEditor(project._id, req, res, next)
				else
					if project.owner_ref.toString() == userId
						logger.log {userId, projectId: project._id},
							"[TokenAccess] user is already project owner"
						return TokenAccessController._loadEditor(project._id, req, res, next)
					logger.log {userId, projectId: project._id},
						"[TokenAccess] adding user to project with readOnly token"
					TokenAccessHandler.addReadOnlyUserToProject userId, project._id, (err) ->
						if err?
							logger.err {err, token, userId, projectId: project._id},
								"[TokenAccess] error adding user to project with readAndWrite token"
							return next(err)
						return TokenAccessController._loadEditor(project._id, req, res, next)
Render editor for token access, stub out ui changes 2017-09-28 11:06:08 -04:00			`ProjectController = require "../Project/ProjectController"`
Add token-access routes 2017-09-22 09:54:35 -04:00			`AuthenticationController = require '../Authentication/AuthenticationController'`
			`TokenAccessHandler = require './TokenAccessHandler'`
Render editor for token access, stub out ui changes 2017-09-28 11:06:08 -04:00			`Errors = require '../Errors/Errors'`
Unit test TokenAccessController 2017-10-03 09:04:59 -04:00			`logger = require 'logger-sharelatex'`
Intelligently redirect to v1 if no v2 project found for token 2018-09-10 12:21:58 -04:00			`settings = require 'settings-sharelatex'`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`module.exports = TokenAccessController =`

If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`_loadEditor: (projectId, req, res, next) ->`
			`req.params.Project_id = projectId.toString()`
			`return ProjectController.loadEditor(req, res, next)`

De-duplicate logic in TokenAccessController 2017-11-01 10:05:29 -04:00			`_tryHigherAccess: (token, userId, req, res, next) ->`
Fix failing tests for token access If project was changed from token access to private, then we want to 404 on v2 (not redirect to v1). So the logic was changed to check if the project exists and if it does then a 404 is returned. If it does not then it redirects to v1. 2018-09-12 06:06:05 -04:00			`TokenAccessHandler.findProjectWithHigherAccess token, userId, (err, project, projectExists) ->`
De-duplicate logic in TokenAccessController 2017-11-01 10:05:29 -04:00			`if err?`
			`logger.err {err, token, userId},`
			`"[TokenAccess] error finding project with higher access"`
			`return next(err)`
Only redirect if has overleaf setting 2018-09-13 07:09:03 -04:00			`if !projectExists and settings.overleaf`
Fix failing tests for token access If project was changed from token access to private, then we want to 404 on v2 (not redirect to v1). So the logic was changed to check if the project exists and if it does then a 404 is returned. If it does not then it redirects to v1. 2018-09-12 06:06:05 -04:00			`logger.log {token, userId},`
			`"[TokenAccess] no project found for this token"`
Redirect directly from controller instead of via handler 2018-09-12 13:31:08 -04:00			`# Project does not exist, but may be unimported - try it on v1`
			`return res.redirect(settings.overleaf.host + req.url)`
De-duplicate logic in TokenAccessController 2017-11-01 10:05:29 -04:00			`if !project?`
			`logger.log {token, userId},`
			`"[TokenAccess] no project with higher access found for this user and token"`
			`return next(new Errors.NotFoundError())`
			`logger.log {token, userId, projectId: project._id},`
			`"[TokenAccess] user has higher access to project, redirecting"`
			`res.redirect(302, "/project/#{project._id}")`

Add token-access routes 2017-09-22 09:54:35 -04:00			`readAndWriteToken: (req, res, next) ->`
			`userId = AuthenticationController.getLoggedInUserId(req)`
			`token = req.params['read_and_write_token']`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`logger.log {userId, token}, "[TokenAccess] requesting read-and-write token access"`
Add token-access routes 2017-09-22 09:54:35 -04:00			`TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, project) ->`
			`if err?`
			`logger.err {err, token, userId},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] error getting project by readAndWrite token"`
Add token-access routes 2017-09-22 09:54:35 -04:00			`return next(err)`
			`if !project?`
			`logger.log {token, userId},`
Generalise the higher-access logic for read-write token path 2017-11-01 07:50:04 -04:00			`"[TokenAccess] no token-based project found for readAndWrite token"`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`if !userId?`
			`logger.log {token},`
Account for higher-access in the token read-only path too 2017-11-01 10:01:00 -04:00			`"[TokenAccess] No project found with read-write token, anonymous user, deny"`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`return next(new Errors.NotFoundError())`
De-duplicate logic in TokenAccessController 2017-11-01 10:05:29 -04:00			`TokenAccessController._tryHigherAccess(token, userId, req, res, next)`
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`else`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`if !userId?`
			`if TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED`
			`logger.log {token, projectId: project._id},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] allow anonymous read-and-write token access"`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)`
Change `anonToken` and such to `anonymousAccessToken` 2017-10-20 05:10:21 -04:00			`req._anonymousAccessToken = token`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
			`else`
			`logger.log {token, projectId: project._id},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] deny anonymous read-and-write token access"`
Set redirect when bouncing away from token route This ensures that when the user logs in they will be redirected back to this token, the page they wanted to access in the first place. 2017-11-15 08:30:40 -05:00			`AuthenticationController._setRedirectInSession(req)`
When anon is denied access to read-write token, redirect to restricted 2017-11-06 11:46:42 -05:00			`return res.redirect('/restricted')`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`if project.owner_ref.toString() == userId`
			`logger.log {userId, projectId: project._id},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] user is already project owner"`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`logger.log {userId, projectId: project._id},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] adding user to project with readAndWrite token"`
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`TokenAccessHandler.addReadAndWriteUserToProject userId, project._id, (err) ->`
			`if err?`
			`logger.err {err, token, userId, projectId: project._id},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] error adding user to project with readAndWrite token"`
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`return next(err)`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`readOnlyToken: (req, res, next) ->`
			`userId = AuthenticationController.getLoggedInUserId(req)`
			`token = req.params['read_only_token']`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`logger.log {userId, token}, "[TokenAccess] requesting read-only token access"`
If no project found for read token, redirect to v1 2018-09-24 12:06:11 -04:00			`TokenAccessHandler.findProjectWithReadOnlyToken token, (err, project, projectExists) ->`
Add token-access routes 2017-09-22 09:54:35 -04:00			`if err?`
Unit test TokenAccessController 2017-10-03 09:04:59 -04:00			`logger.err {err, token, userId},`
Add "[TokenAccess]" context to log lines 2017-10-31 10:27:43 -04:00			`"[TokenAccess] error getting project by readOnly token"`
Add token-access routes 2017-09-22 09:54:35 -04:00			`return next(err)`
If no project found for read token, redirect to v1 2018-09-24 12:06:11 -04:00			`if !projectExists and settings.overleaf`
			`logger.log {token, userId},`
			`"[TokenAccess] no project found for this token"`
			`return res.redirect(302, settings.overleaf.host + '/read/' + token)`
Add token-access routes 2017-09-22 09:54:35 -04:00			`if !project?`
			`logger.log {token, userId},`
Account for higher-access in the token read-only path too 2017-11-01 10:01:00 -04:00			`"[TokenAccess] no project found for readOnly token"`
			`if !userId?`
			`logger.log {token},`
			`"[TokenAccess] No project found with readOnly token, anonymous user, deny"`
			`return next(new Errors.NotFoundError())`
De-duplicate logic in TokenAccessController 2017-11-01 10:05:29 -04:00			`TokenAccessController._tryHigherAccess(token, userId, req, res, next)`
Account for higher-access in the token read-only path too 2017-11-01 10:01:00 -04:00			`else`
			`if !userId?`
			`logger.log {userId, projectId: project._id},`
			`"[TokenAccess] adding anonymous user to project with readOnly token"`
			`TokenAccessHandler.grantSessionTokenAccess(req, project._id, token)`
			`req._anonymousAccessToken = token`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Account for higher-access in the token read-only path too 2017-11-01 10:01:00 -04:00			`else`
			`if project.owner_ref.toString() == userId`
			`logger.log {userId, projectId: project._id},`
			`"[TokenAccess] user is already project owner"`
			`return TokenAccessController._loadEditor(project._id, req, res, next)`
			`logger.log {userId, projectId: project._id},`
			`"[TokenAccess] adding user to project with readOnly token"`
			`TokenAccessHandler.addReadOnlyUserToProject userId, project._id, (err) ->`
			`if err?`
			`logger.err {err, token, userId, projectId: project._id},`
			`"[TokenAccess] error adding user to project with readAndWrite token"`
			`return next(err)`
			`return TokenAccessController._loadEditor(project._id, req, res, next)`
Add token-access routes 2017-09-22 09:54:35 -04:00