overleaf/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee

CollaboratorsHandler = require("../Collaborators/CollaboratorsHandler")
Project = require("../../models/Project").Project
User = require("../../models/User").User
PrivilegeLevels = require("./PrivilegeLevels")
PublicAccessLevels = require("./PublicAccessLevels")
Errors = require("../Errors/Errors")
ObjectId = require("mongojs").ObjectId
TokenAccessHandler = require('../TokenAccess/TokenAccessHandler')


module.exports = AuthorizationManager =


	# Get the privilege level that the user has for the project
	# Returns:
	#	* privilegeLevel: "owner", "readAndWrite", of "readOnly" if the user has
	#	  access. false if the user does not have access
	#   * becausePublic: true if the access level is only because the project is public.
	getPrivilegeLevelForProject: (req, user_id, project_id,
																callback = (error, privilegeLevel, becausePublic) ->) ->

		getPublicAccessLevel = (project_id, cb=(err, level)->) ->
			if !ObjectId.isValid(project_id)
				return cb(new Error("invalid project id"))
			Project.findOne { _id: project_id }, { publicAccesLevel: 1 }, (error, project) ->
				return cb(error) if error?
				if !project?
					return cb new Errors.NotFoundError("no project found with id #{project_id}")
				cb null, project.publicAccesLevel

		if !user_id?
			# User is Anonymous, Try Token-based access
			getPublicAccessLevel project_id, (err, publicAccessLevel) ->
				return callback(err) if err?
				if publicAccessLevel == PublicAccessLevels.TOKEN_BASED
					TokenAccessHandler.requestHasReadOnlyTokenAccess req, project_id, (err, allowed) ->
						return callback(err) if err?
						if allowed
							callback null, PrivilegeLevels.READ_ONLY, false
						else
							callback null, PrivilegeLevels.NONE, false
				else if publicAccessLevel == PublicAccessLevels.READ_ONLY
					callback null, PrivilegeLevels.READ_ONLY, true
				else if publicAccessLevel == PublicAccessLevels.READ_AND_WRITE
					callback null, PrivilegeLevels.READ_AND_WRITE, true
				else
					callback null, PrivilegeLevels.NONE, false
		else
			# User is present, get their privilege level from database
			CollaboratorsHandler.getMemberIdPrivilegeLevel user_id, project_id, (error, privilegeLevel) ->
				return callback(error) if error?
				if privilegeLevel? and privilegeLevel != PrivilegeLevels.NONE
					# The user has direct access
					callback null, privilegeLevel, false
				else
					AuthorizationManager.isUserSiteAdmin user_id, (error, isAdmin) ->
						return callback(error) if error?
						if isAdmin
							callback null, PrivilegeLevels.OWNER, false
						else
							# Legacy public-access system
							# User is present (not anonymous), but does not have direct access
							getPublicAccessLevel project_id, (err, publicAccessLevel) ->
								return callback(err) if err?
								if publicAccessLevel == PublicAccessLevels.READ_ONLY
									callback null, PrivilegeLevels.READ_ONLY, true
								if publicAccessLevel == PublicAccessLevels.READ_AND_WRITE
									callback null, PrivilegeLevels.READ_AND_WRITE, true
								else
									callback null, PrivilegeLevels.NONE, false

	canUserReadProject: (req, user_id, project_id, callback = (error, canRead) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel) ->
			return callback(error) if error?
			return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE, PrivilegeLevels.READ_ONLY])
		
	canUserWriteProjectContent: (req, user_id, project_id, callback = (error, canWriteContent) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel) ->
			return callback(error) if error?
			return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE])
		
	canUserWriteProjectSettings: (req, user_id, project_id, callback = (error, canWriteSettings) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel, becausePublic) ->
			return callback(error) if error?
			if privilegeLevel == PrivilegeLevels.OWNER
				return callback null, true
			else if privilegeLevel == PrivilegeLevels.READ_AND_WRITE and !becausePublic
				return callback null, true
			else
				return callback null, false
	
	canUserAdminProject: (req, user_id, project_id, callback = (error, canAdmin) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel) ->
			return callback(error) if error?
			return callback null, (privilegeLevel == PrivilegeLevels.OWNER)
	
	isUserSiteAdmin: (user_id, callback = (error, isAdmin) ->) ->
		if !user_id?
			return callback null, false
		User.findOne { _id: user_id }, { isAdmin: 1 }, (error, user) ->
			return callback(error) if error?
			return callback null, (user?.isAdmin == true)
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`CollaboratorsHandler = require("../Collaborators/CollaboratorsHandler")`
			`Project = require("../../models/Project").Project`
			`User = require("../../models/User").User`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`PrivilegeLevels = require("./PrivilegeLevels")`
			`PublicAccessLevels = require("./PublicAccessLevels")`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`Errors = require("../Errors/Errors")`
validate mongo id in getPrivilegeLevelForProject https://sentry.io/sharelatex-1/sl-web-server-prod/issues/204397665/ 2017-03-17 10:42:07 -04:00			`ObjectId = require("mongojs").ObjectId`
Working token-based access 2017-09-27 09:01:52 -04:00			`TokenAccessHandler = require('../TokenAccess/TokenAccessHandler')`
validate mongo id in getPrivilegeLevelForProject https://sentry.io/sharelatex-1/sl-web-server-prod/issues/204397665/ 2017-03-17 10:42:07 -04:00
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00
			`module.exports = AuthorizationManager =`
Working token-based access 2017-09-27 09:01:52 -04:00

Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`# Get the privilege level that the user has for the project`
			`# Returns:`
			`# * privilegeLevel: "owner", "readAndWrite", of "readOnly" if the user has`
			`# access. false if the user does not have access`
			`# * becausePublic: true if the access level is only because the project is public.`
Working token-based access 2017-09-27 09:01:52 -04:00			`getPrivilegeLevelForProject: (req, user_id, project_id,`
			`callback = (error, privilegeLevel, becausePublic) ->) ->`

			`getPublicAccessLevel = (project_id, cb=(err, level)->) ->`
validate mongo id in getPrivilegeLevelForProject https://sentry.io/sharelatex-1/sl-web-server-prod/issues/204397665/ 2017-03-17 10:42:07 -04:00			`if !ObjectId.isValid(project_id)`
Working token-based access 2017-09-27 09:01:52 -04:00			`return cb(new Error("invalid project id"))`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`Project.findOne { _id: project_id }, { publicAccesLevel: 1 }, (error, project) ->`
Working token-based access 2017-09-27 09:01:52 -04:00			`return cb(error) if error?`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`if !project?`
Working token-based access 2017-09-27 09:01:52 -04:00			`return cb new Errors.NotFoundError("no project found with id #{project_id}")`
			`cb null, project.publicAccesLevel`
Read-only privelege for anonymous access 2017-09-20 04:36:06 -04:00
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`if !user_id?`
Working token-based access 2017-09-27 09:01:52 -04:00			`# User is Anonymous, Try Token-based access`
			`getPublicAccessLevel project_id, (err, publicAccessLevel) ->`
			`return callback(err) if err?`
			`if publicAccessLevel == PublicAccessLevels.TOKEN_BASED`
			`TokenAccessHandler.requestHasReadOnlyTokenAccess req, project_id, (err, allowed) ->`
			`return callback(err) if err?`
			`if allowed`
			`callback null, PrivilegeLevels.READ_ONLY, false`
			`else`
			`callback null, PrivilegeLevels.NONE, false`
			`else if publicAccessLevel == PublicAccessLevels.READ_ONLY`
			`callback null, PrivilegeLevels.READ_ONLY, true`
			`else if publicAccessLevel == PublicAccessLevels.READ_AND_WRITE`
			`callback null, PrivilegeLevels.READ_AND_WRITE, true`
			`else`
			`callback null, PrivilegeLevels.NONE, false`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`else`
Working token-based access 2017-09-27 09:01:52 -04:00			`# User is present, get their privilege level from database`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`CollaboratorsHandler.getMemberIdPrivilegeLevel user_id, project_id, (error, privilegeLevel) ->`
			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`if privilegeLevel? and privilegeLevel != PrivilegeLevels.NONE`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`# The user has direct access`
			`callback null, privilegeLevel, false`
			`else`
Allow admin access to projects 2016-03-21 13:03:31 -04:00			`AuthorizationManager.isUserSiteAdmin user_id, (error, isAdmin) ->`
			`return callback(error) if error?`
			`if isAdmin`
			`callback null, PrivilegeLevels.OWNER, false`
			`else`
Working token-based access 2017-09-27 09:01:52 -04:00			`# Legacy public-access system`
			`# User is present (not anonymous), but does not have direct access`
			`getPublicAccessLevel project_id, (err, publicAccessLevel) ->`
			`return callback(err) if err?`
			`if publicAccessLevel == PublicAccessLevels.READ_ONLY`
			`callback null, PrivilegeLevels.READ_ONLY, true`
			`if publicAccessLevel == PublicAccessLevels.READ_AND_WRITE`
			`callback null, PrivilegeLevels.READ_AND_WRITE, true`
			`else`
			`callback null, PrivilegeLevels.NONE, false`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00
Working token-based access 2017-09-27 09:01:52 -04:00			`canUserReadProject: (req, user_id, project_id, callback = (error, canRead) ->) ->`
			`AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE, PrivilegeLevels.READ_ONLY])`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00
Working token-based access 2017-09-27 09:01:52 -04:00			`canUserWriteProjectContent: (req, user_id, project_id, callback = (error, canWriteContent) ->) ->`
			`AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE])`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
Working token-based access 2017-09-27 09:01:52 -04:00			`canUserWriteProjectSettings: (req, user_id, project_id, callback = (error, canWriteSettings) ->) ->`
			`AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel, becausePublic) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`if privilegeLevel == PrivilegeLevels.OWNER`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback null, true`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`else if privilegeLevel == PrivilegeLevels.READ_AND_WRITE and !becausePublic`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback null, true`
			`else`
			`return callback null, false`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
Working token-based access 2017-09-27 09:01:52 -04:00			`canUserAdminProject: (req, user_id, project_id, callback = (error, canAdmin) ->) ->`
			`AuthorizationManager.getPrivilegeLevelForProject req, user_id, project_id, (error, privilegeLevel) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, (privilegeLevel == PrivilegeLevels.OWNER)`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
			`isUserSiteAdmin: (user_id, callback = (error, isAdmin) ->) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`if !user_id?`
			`return callback null, false`
			`User.findOne { _id: user_id }, { isAdmin: 1 }, (error, user) ->`
			`return callback(error) if error?`
Working token-based access 2017-09-27 09:01:52 -04:00			`return callback null, (user?.isAdmin == true)`