overleaf/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee


Project = require('../../models/Project').Project
CollaboratorsHandler = require('../Collaborators/CollaboratorsHandler')
PublicAccessLevels = require '../Authorization/PublicAccessLevels'
PrivilegeLevels = require '../Authorization/PrivilegeLevels'
ObjectId = require("mongojs").ObjectId
Settings = require('settings-sharelatex')
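# Projection shared by the token lookups: only the fields callers read.
PROJECT_TOKEN_FIELDS = {_id: 1, publicAccesLevel: 1, owner_ref: 1}

# A usable token is a non-empty string. Anything else (undefined, '', or a
# non-string value taken from a request) is treated as "no token" so that it
# never reaches the Mongo query as a value.
_isUsableToken = (token) ->
	typeof token == 'string' and token.length > 0

# Shared body of the two add*UserToProject methods: adds userId to the given
# ref array on the project. $addToSet keeps repeated grants idempotent.
_addUserRefToProject = (userId, projectId, refField, callback) ->
	userId = ObjectId(userId.toString())
	projectId = ObjectId(projectId.toString())
	update = {$addToSet: {}}
	update.$addToSet[refField] = userId
	Project.update {_id: projectId}, update, callback

module.exports = TokenAccessHandler =

	# Read-and-write sharing with anonymous users is opt-in per deployment.
	# Strict comparison with true: a missing or non-boolean setting means off.
	ANONYMOUS_READ_AND_WRITE_ENABLED:
		Settings.allowAnonymousReadAndWriteSharing == true

	# Look up a project by its read-only token.
	# callback(err, project, projectExists):
	#   - (null, null, false) when no project carries the token (or the token is unusable)
	#   - (null, null, true)  when a project carries it but is not in TOKEN_BASED mode
	#   - (null, project, true) otherwise; only _id, publicAccesLevel, owner_ref are loaded
	findProjectWithReadOnlyToken: (token, callback=(err, project, projectExists)->) ->
		return callback(null, null, false) if !_isUsableToken(token)
		Project.findOne {
			'tokens.readOnly': token
		}, PROJECT_TOKEN_FIELDS, (err, project) ->
			return callback(err) if err?
			return callback(null, null, false) if !project?
			if project.publicAccesLevel != PublicAccessLevels.TOKEN_BASED
				return callback(null, null, true)
			callback(null, project, true)

	# Look up a project by its read-and-write token. Unlike the read-only
	# variant the TOKEN_BASED check is part of the query, so a non-TOKEN_BASED
	# project is simply reported as not found.
	# callback(err, project); project is null when nothing matches.
	findProjectWithReadAndWriteToken: (token, callback=(err, project)->) ->
		return callback(null, null) if !_isUsableToken(token)
		Project.findOne {
			'tokens.readAndWrite': token,
			'publicAccesLevel': PublicAccessLevels.TOKEN_BASED
		}, PROJECT_TOKEN_FIELDS, callback

	# Find the project carrying `token` (either kind) and return it only if
	# `userId` is an invited member of it.
	# callback(err, project, projectExists):
	#   - (null, null, false) when no project carries the token
	#   - (null, null, true)  when it exists but the user is not an invited member
	#   - (null, project, true) when the user is a member; only _id is loaded
	findProjectWithHigherAccess: (token, userId, callback=(err, project, projectExists)->) ->
		return callback(null, null, false) if !_isUsableToken(token)
		Project.findOne {
			$or: [
				{'tokens.readAndWrite': token},
				{'tokens.readOnly': token}
			]
		}, {_id: 1}, (err, project) ->
			return callback(err) if err?
			# Project doesn't exist, so the caller handles it differently
			return callback(null, null, false) if !project?
			CollaboratorsHandler.isUserInvitedMemberOfProject userId, project._id, (err, isMember) ->
				return callback(err) if err?
				# Project does exist, but the user only gets it back as a member
				callback(null, (if isMember == true then project else null), true)

	# Record userId as a read-only token user of the project.
	# callback(err)
	addReadOnlyUserToProject: (userId, projectId, callback=(err)->) ->
		_addUserRefToProject userId, projectId, 'tokenAccessReadOnly_refs', callback

	# Record userId as a read-and-write token user of the project.
	# callback(err)
	addReadAndWriteUserToProject: (userId, projectId, callback=(err)->) ->
		_addUserRefToProject userId, projectId, 'tokenAccessReadAndWrite_refs', callback

	# Remember, in the session, the token an anonymous visitor presented for
	# this project. Keyed by the projectId string; a later grant for the same
	# project overwrites the earlier token. No-op when there is no session.
	grantSessionTokenAccess: (req, projectId, token) ->
		return if !req?.session?
		req.session.anonTokenAccess ?= {}
		req.session.anonTokenAccess[projectId.toString()] = token.toString()

	# The token presented with a request: the one stored in the session for
	# this project wins, otherwise the x-sl-anonymous-access-token header.
	# Returns undefined when neither is present.
	getRequestToken: (req, projectId) ->
		sessionToken = req?.session?.anonTokenAccess?[projectId.toString()]
		headerToken = req?.headers?['x-sl-anonymous-access-token']
		return sessionToken or headerToken

	# Check whether `token` grants read-and-write and/or read-only access to
	# the project identified by `projectId`.
	# callback(err, isValidReadAndWrite, isValidReadOnly)
	# Both flags are false when the token or projectId is missing; a lookup
	# result only counts when it is TOKEN_BASED and is the same project the
	# request is for (a token for a different project is not valid here).
	isValidToken: (projectId, token, callback=(err, isValidReadAndWrite, isValidReadOnly)->) ->
		if !token or !projectId?
			return callback null, false, false
		_matchesProject = (project) ->
			project? and
			project.publicAccesLevel == PublicAccessLevels.TOKEN_BASED and
			project._id.toString() == projectId.toString()
		TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, readAndWriteProject) ->
			return callback(err) if err?
			isValidReadAndWrite = _matchesProject(readAndWriteProject)
			TokenAccessHandler.findProjectWithReadOnlyToken token, (err, readOnlyProject) ->
				return callback(err) if err?
				isValidReadOnly = _matchesProject(readOnlyProject)
				callback null, isValidReadAndWrite, isValidReadOnly

	# Blank out the tokens a viewer is not entitled to see, in place on
	# `project.tokens`. Owners keep both; READ_AND_WRITE keeps only
	# readAndWrite; READ_ONLY keeps only readOnly; any other level keeps
	# neither. Nothing happens when the project has no tokens object.
	protectTokens: (project, privilegeLevel) ->
		return if !project? or !project.tokens?
		return if privilegeLevel == PrivilegeLevels.OWNER
		if privilegeLevel != PrivilegeLevels.READ_AND_WRITE
			project.tokens.readAndWrite = ''
		if privilegeLevel != PrivilegeLevels.READ_ONLY
			project.tokens.readOnly = ''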