overleaf/services/web/app/src/Features/Authorization/AuthorizationMiddleware.js

const AuthorizationManager = require('./AuthorizationManager')
const logger = require('@overleaf/logger')
const { ObjectId } = require('mongodb')
const Errors = require('../Errors/Errors')
const HttpErrorHandler = require('../Errors/HttpErrorHandler')
const AuthenticationController = require('../Authentication/AuthenticationController')
const SessionManager = require('../Authentication/SessionManager')
const TokenAccessHandler = require('../TokenAccess/TokenAccessHandler')
const { expressify } = require('../../util/promises')

async function ensureUserCanReadMultipleProjects(req, res, next) {
  const projectIds = (req.query.project_ids || '').split(',')
  const userId = _getUserId(req)
  for (const projectId of projectIds) {
    const token = TokenAccessHandler.getRequestToken(req, projectId)
    const canRead = await AuthorizationManager.promises.canUserReadProject(
      userId,
      projectId,
      token
    )
    if (!canRead) {
      return _redirectToRestricted(req, res, next)
    }
  }
  next()
}

async function blockRestrictedUserFromProject(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
  const token = TokenAccessHandler.getRequestToken(req, projectId)
  const isRestrictedUser = await AuthorizationManager.promises.isRestrictedUserForProject(
    userId,
    projectId,
    token
  )
  if (isRestrictedUser) {
    return HttpErrorHandler.forbidden(req, res)
  }
  next()
}

async function ensureUserCanReadProject(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
  const token = TokenAccessHandler.getRequestToken(req, projectId)
  const canRead = await AuthorizationManager.promises.canUserReadProject(
    userId,
    projectId,
    token
  )
  if (canRead) {
    logger.log({ userId, projectId }, 'allowing user read access to project')
    return next()
  }
  logger.log({ userId, projectId }, 'denying user read access to project')
  HttpErrorHandler.forbidden(req, res)
}

async function ensureUserCanWriteProjectSettings(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
  const token = TokenAccessHandler.getRequestToken(req, projectId)

  if (req.body.name != null) {
    const canRename = await AuthorizationManager.promises.canUserRenameProject(
      userId,
      projectId,
      token
    )
    if (!canRename) {
      return HttpErrorHandler.forbidden(req, res)
    }
  }

  const otherParams = Object.keys(req.body).filter(x => x !== 'name')
  if (otherParams.length > 0) {
    const canWrite = await AuthorizationManager.promises.canUserWriteProjectSettings(
      userId,
      projectId,
      token
    )
    if (!canWrite) {
      return HttpErrorHandler.forbidden(req, res)
    }
  }

  next()
}

async function ensureUserCanWriteProjectContent(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
  const token = TokenAccessHandler.getRequestToken(req, projectId)
  const canWrite = await AuthorizationManager.promises.canUserWriteProjectContent(
    userId,
    projectId,
    token
  )
  if (canWrite) {
    logger.log(
      { userId, projectId },
      'allowing user write access to project content'
    )
    return next()
  }
  logger.log(
    { userId, projectId },
    'denying user write access to project settings'
  )
  HttpErrorHandler.forbidden(req, res)
}

async function ensureUserCanAdminProject(req, res, next) {
  const projectId = _getProjectId(req)
  const userId = _getUserId(req)
  const token = TokenAccessHandler.getRequestToken(req, projectId)
  const canAdmin = await AuthorizationManager.promises.canUserAdminProject(
    userId,
    projectId,
    token
  )
  if (canAdmin) {
    logger.log({ userId, projectId }, 'allowing user admin access to project')
    return next()
  }
  logger.log({ userId, projectId }, 'denying user admin access to project')
  HttpErrorHandler.forbidden(req, res)
}

async function ensureUserIsSiteAdmin(req, res, next) {
  const userId = _getUserId(req)
  const isAdmin = await AuthorizationManager.promises.isUserSiteAdmin(userId)
  if (isAdmin) {
    logger.log({ userId }, 'allowing user admin access to site')
    return next()
  }
  logger.log({ userId }, 'denying user admin access to site')
  _redirectToRestricted(req, res, next)
}

function _getProjectId(req) {
  const projectId = req.params.project_id || req.params.Project_id
  if (!projectId) {
    throw new Error('Expected project_id in request parameters')
  }
  if (!ObjectId.isValid(projectId)) {
    throw new Errors.NotFoundError(`invalid projectId: ${projectId}`)
  }
  return projectId
}

function _getUserId(req) {
  return (
    SessionManager.getLoggedInUserId(req.session) ||
    (req.oauth_user && req.oauth_user._id) ||
    null
  )
}

function _redirectToRestricted(req, res, next) {
  // TODO: move this to throwing ForbiddenError
  res.redirect(`/restricted?from=${encodeURIComponent(res.locals.currentUrl)}`)
}

function restricted(req, res, next) {
  if (SessionManager.isUserLoggedIn(req.session)) {
    return res.render('user/restricted', { title: 'restricted' })
  }
  const { from } = req.query
  logger.log({ from }, 'redirecting to login')
  if (from) {
    AuthenticationController.setRedirectInSession(req, from)
  }
  res.redirect('/login')
}

module.exports = {
  ensureUserCanReadMultipleProjects: expressify(
    ensureUserCanReadMultipleProjects
  ),
  blockRestrictedUserFromProject: expressify(blockRestrictedUserFromProject),
  ensureUserCanReadProject: expressify(ensureUserCanReadProject),
  ensureUserCanWriteProjectSettings: expressify(
    ensureUserCanWriteProjectSettings
  ),
  ensureUserCanWriteProjectContent: expressify(
    ensureUserCanWriteProjectContent
  ),
  ensureUserCanAdminProject: expressify(ensureUserCanAdminProject),
  ensureUserIsSiteAdmin: expressify(ensureUserIsSiteAdmin),
  restricted,
}
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`const AuthorizationManager = require('./AuthorizationManager')`
Merge pull request #5632 from overleaf/em-gcp-logging-web Improve GCP logging for web GitOrigin-RevId: 1198fab2e821a55563058171cfa435605216e337 2021-11-01 11:05:16 -04:00			`const logger = require('@overleaf/logger')`
Merge pull request #3185 from overleaf/jpa-normalize-mongo-imports [misc] normalize mongo imports GitOrigin-RevId: ac653d9982e0d36736b90f4c03d4c00be88ea76a 2020-09-23 04:49:26 -04:00			`const { ObjectId } = require('mongodb')`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`const Errors = require('../Errors/Errors')`
Replace HTTPErrors.ForbiddenError with calls to forbidden() handler (#2972) GitOrigin-RevId: 2a0c8fdaef9ba62b97cebad84603e6f076d770c0 2020-07-09 09:47:43 -04:00			`const HttpErrorHandler = require('../Errors/HttpErrorHandler')`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`const AuthenticationController = require('../Authentication/AuthenticationController')`
Merge pull request #4338 from overleaf/ab-session-manager Extract functions from AuthenticationController to SessionManager GitOrigin-RevId: 86870ce03a762e1a837dcf493759e8851e759883 2021-07-28 04:51:20 -04:00			`const SessionManager = require('../Authentication/SessionManager')`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`const TokenAccessHandler = require('../TokenAccess/TokenAccessHandler')`
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`const { expressify } = require('../../util/promises')`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`async function ensureUserCanReadMultipleProjects(req, res, next) {`
			`const projectIds = (req.query.project_ids \|\| '').split(',')`
			`const userId = _getUserId(req)`
			`for (const projectId of projectIds) {`
			`const token = TokenAccessHandler.getRequestToken(req, projectId)`
			`const canRead = await AuthorizationManager.promises.canUserReadProject(`
			`userId,`
			`projectId,`
			`token`
Merge pull request #3495 from overleaf/ae-prettier-2 Upgrade Prettier to v2 GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33 2021-04-14 09:17:21 -04:00			`)`
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`if (!canRead) {`
			`return _redirectToRestricted(req, res, next)`
			`}`
			`}`
			`next()`
			`}`
Merge pull request #2870 from overleaf/sk-restrict-chat Block restricted users from Chat endpoints GitOrigin-RevId: caec8fe2bc93d567dd57f32dc765bd74ba53e933 2020-06-04 04:47:12 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`async function blockRestrictedUserFromProject(req, res, next) {`
			`const projectId = _getProjectId(req)`
			`const userId = _getUserId(req)`
			`const token = TokenAccessHandler.getRequestToken(req, projectId)`
			`const isRestrictedUser = await AuthorizationManager.promises.isRestrictedUserForProject(`
			`userId,`
			`projectId,`
			`token`
			`)`
			`if (isRestrictedUser) {`
			`return HttpErrorHandler.forbidden(req, res)`
			`}`
			`next()`
			`}`

			`async function ensureUserCanReadProject(req, res, next) {`
			`const projectId = _getProjectId(req)`
			`const userId = _getUserId(req)`
			`const token = TokenAccessHandler.getRequestToken(req, projectId)`
			`const canRead = await AuthorizationManager.promises.canUserReadProject(`
			`userId,`
			`projectId,`
			`token`
			`)`
			`if (canRead) {`
			`logger.log({ userId, projectId }, 'allowing user read access to project')`
			`return next()`
			`}`
			`logger.log({ userId, projectId }, 'denying user read access to project')`
			`HttpErrorHandler.forbidden(req, res)`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`async function ensureUserCanWriteProjectSettings(req, res, next) {`
			`const projectId = _getProjectId(req)`
			`const userId = _getUserId(req)`
			`const token = TokenAccessHandler.getRequestToken(req, projectId)`

			`if (req.body.name != null) {`
			`const canRename = await AuthorizationManager.promises.canUserRenameProject(`
			`userId,`
			`projectId,`
			`token`
Merge pull request #3495 from overleaf/ae-prettier-2 Upgrade Prettier to v2 GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33 2021-04-14 09:17:21 -04:00			`)`
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`if (!canRename) {`
			`return HttpErrorHandler.forbidden(req, res)`
			`}`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`const otherParams = Object.keys(req.body).filter(x => x !== 'name')`
			`if (otherParams.length > 0) {`
			`const canWrite = await AuthorizationManager.promises.canUserWriteProjectSettings(`
			`userId,`
			`projectId,`
			`token`
Merge pull request #3495 from overleaf/ae-prettier-2 Upgrade Prettier to v2 GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33 2021-04-14 09:17:21 -04:00			`)`
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`if (!canWrite) {`
			`return HttpErrorHandler.forbidden(req, res)`
			`}`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`next()`
			`}`

			`async function ensureUserCanWriteProjectContent(req, res, next) {`
			`const projectId = _getProjectId(req)`
			`const userId = _getUserId(req)`
			`const token = TokenAccessHandler.getRequestToken(req, projectId)`
			`const canWrite = await AuthorizationManager.promises.canUserWriteProjectContent(`
			`userId,`
			`projectId,`
			`token`
			`)`
			`if (canWrite) {`
			`logger.log(`
			`{ userId, projectId },`
			`'allowing user write access to project content'`
Merge pull request #3495 from overleaf/ae-prettier-2 Upgrade Prettier to v2 GitOrigin-RevId: 85aa3fa1acb6332c4f58c46165a43d1a51471f33 2021-04-14 09:17:21 -04:00			`)`
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`return next()`
			`}`
			`logger.log(`
			`{ userId, projectId },`
			`'denying user write access to project settings'`
			`)`
			`HttpErrorHandler.forbidden(req, res)`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`async function ensureUserCanAdminProject(req, res, next) {`
			`const projectId = _getProjectId(req)`
			`const userId = _getUserId(req)`
			`const token = TokenAccessHandler.getRequestToken(req, projectId)`
			`const canAdmin = await AuthorizationManager.promises.canUserAdminProject(`
			`userId,`
			`projectId,`
			`token`
			`)`
			`if (canAdmin) {`
			`logger.log({ userId, projectId }, 'allowing user admin access to project')`
			`return next()`
			`}`
			`logger.log({ userId, projectId }, 'denying user admin access to project')`
			`HttpErrorHandler.forbidden(req, res)`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`async function ensureUserIsSiteAdmin(req, res, next) {`
			`const userId = _getUserId(req)`
			`const isAdmin = await AuthorizationManager.promises.isUserSiteAdmin(userId)`
			`if (isAdmin) {`
			`logger.log({ userId }, 'allowing user admin access to site')`
			`return next()`
			`}`
			`logger.log({ userId }, 'denying user admin access to site')`
			`_redirectToRestricted(req, res, next)`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`function _getProjectId(req) {`
			`const projectId = req.params.project_id \|\| req.params.Project_id`
			`if (!projectId) {`
			`throw new Error('Expected project_id in request parameters')`
			`}`
			`if (!ObjectId.isValid(projectId)) {`
			throw new Errors.NotFoundError(`invalid projectId: ${projectId}`)
			`}`
			`return projectId`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`function _getUserId(req) {`
			`return (`
			`SessionManager.getLoggedInUserId(req.session) \|\|`
			`(req.oauth_user && req.oauth_user._id) \|\|`
			`null`
			`)`
			`}`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00
Merge pull request #4947 from overleaf/em-project-rename-for-owners-only Prevent collaborators from renaming a project GitOrigin-RevId: 94d12e25592fea55b84427aeae78f7bb2a544a58 2021-09-13 09:43:46 -04:00			`function _redirectToRestricted(req, res, next) {`
			`// TODO: move this to throwing ForbiddenError`
			res.redirect(`/restricted?from=${encodeURIComponent(res.locals.currentUrl)}`)
			`}`

			`function restricted(req, res, next) {`
			`if (SessionManager.isUserLoggedIn(req.session)) {`
			`return res.render('user/restricted', { title: 'restricted' })`
			`}`
			`const { from } = req.query`
			`logger.log({ from }, 'redirecting to login')`
			`if (from) {`
			`AuthenticationController.setRedirectInSession(req, from)`
			`}`
			`res.redirect('/login')`
			`}`

			`module.exports = {`
			`ensureUserCanReadMultipleProjects: expressify(`
			`ensureUserCanReadMultipleProjects`
			`),`
			`blockRestrictedUserFromProject: expressify(blockRestrictedUserFromProject),`
			`ensureUserCanReadProject: expressify(ensureUserCanReadProject),`
			`ensureUserCanWriteProjectSettings: expressify(`
			`ensureUserCanWriteProjectSettings`
			`),`
			`ensureUserCanWriteProjectContent: expressify(`
			`ensureUserCanWriteProjectContent`
			`),`
			`ensureUserCanAdminProject: expressify(ensureUserCanAdminProject),`
			`ensureUserIsSiteAdmin: expressify(ensureUserIsSiteAdmin),`
			`restricted,`
Merge pull request #1717 from overleaf/as-decaffeinate-backend Decaffeinate backend GitOrigin-RevId: 4ca9f94fc809cab6f47cec8254cacaf1bb3806fa 2019-05-29 05:21:06 -04:00			`}`