overleaf/services/web/app/coffee/Features/Authorization/AuthorizationMiddlewear.coffee


AuthorizationManager = require("./AuthorizationManager")
async = require "async"
logger = require "logger-sharelatex"
ObjectId = require("mongojs").ObjectId
Errors = require "../Errors/Errors"
AuthenticationController = require "../Authentication/AuthenticationController"
TokenAccessHandler = require '../TokenAccess/TokenAccessHandler'
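# Express middleware that gates project routes on the caller's authorization.
# Each ensure* function resolves the acting user (session or oauth) and the
# target project, asks AuthorizationManager for the decision, and then either
# calls next() or sends the caller to the /restricted page. The decision logic
# itself lives in AuthorizationManager; nothing here grants access on its own.
module.exports = AuthorizationMiddlewear =
	# Passes the request only if the user can read every project listed in the
	# comma-separated `project_ids` query parameter; otherwise redirects to
	# /restricted. Unlike _getUserAndProjectId below, the ids are NOT
	# ObjectId-validated here, so malformed ids (and the single "" produced when
	# the parameter is absent) are handed to AuthorizationManager, which is
	# presumably what rejects them — confirm there.
	ensureUserCanReadMultipleProjects: (req, res, next) ->
		project_ids = (req.query.project_ids or "").split(",")
		AuthorizationMiddlewear._getUserId req, (error, user_id) ->
			return next(error) if error?
			# Keep only the projects the user can NOT read. rejectSeries has no
			# error channel, so a lookup error goes straight to next(error) and the
			# iteration is abandoned (cb is never called for that project).
			async.rejectSeries project_ids, (project_id, cb) ->
				token = TokenAccessHandler.getRequestToken(req, project_id)
				AuthorizationManager.canUserReadProject user_id, project_id, token, (error, canRead) ->
					return next(error) if error?
					cb(canRead)
			, (unauthorized_project_ids) ->
				if unauthorized_project_ids.length > 0
					AuthorizationMiddlewear.redirectToRestricted req, res, next
				else
					next()

	# Read access to a single project (from the route parameters). Clients
	# whose Accept header asks for JSON get a bare 403; everything else is
	# redirected to /restricted.
	ensureUserCanReadProject: (req, res, next) ->
		AuthorizationMiddlewear._getUserAndProjectId req, (error, user_id, project_id) ->
			return next(error) if error?
			token = TokenAccessHandler.getRequestToken(req, project_id)
			AuthorizationManager.canUserReadProject user_id, project_id, token, (error, canRead) ->
				return next(error) if error?
				if canRead
					logger.log {user_id, project_id}, "allowing user read access to project"
					next()
				else
					logger.log {user_id, project_id}, "denying user read access to project"
					if req.headers?['accept']?.match(/^application\/json.*$/)
						res.sendStatus(403)
					else
						AuthorizationMiddlewear.redirectToRestricted req, res, next

	# Write access to project settings. Unlike ensureUserCanReadProject, a
	# denial here always redirects, even for JSON clients.
	ensureUserCanWriteProjectSettings: (req, res, next) ->
		AuthorizationMiddlewear._getUserAndProjectId req, (error, user_id, project_id) ->
			return next(error) if error?
			token = TokenAccessHandler.getRequestToken(req, project_id)
			AuthorizationManager.canUserWriteProjectSettings user_id, project_id, token, (error, canWrite) ->
				return next(error) if error?
				if canWrite
					logger.log {user_id, project_id}, "allowing user write access to project settings"
					next()
				else
					logger.log {user_id, project_id}, "denying user write access to project settings"
					AuthorizationMiddlewear.redirectToRestricted req, res, next

	# Write access to project content. A denial always redirects, even for
	# JSON clients.
	ensureUserCanWriteProjectContent: (req, res, next) ->
		AuthorizationMiddlewear._getUserAndProjectId req, (error, user_id, project_id) ->
			return next(error) if error?
			token = TokenAccessHandler.getRequestToken(req, project_id)
			AuthorizationManager.canUserWriteProjectContent user_id, project_id, token, (error, canWrite) ->
				return next(error) if error?
				if canWrite
					logger.log {user_id, project_id}, "allowing user write access to project content"
					next()
				else
					# Fixed: previously logged "project settings", which made audit
					# logs for content denials indistinguishable from settings denials.
					logger.log {user_id, project_id}, "denying user write access to project content"
					AuthorizationMiddlewear.redirectToRestricted req, res, next

	# Admin (owner-level) access to a project. A denial always redirects.
	ensureUserCanAdminProject: (req, res, next) ->
		AuthorizationMiddlewear._getUserAndProjectId req, (error, user_id, project_id) ->
			return next(error) if error?
			token = TokenAccessHandler.getRequestToken(req, project_id)
			AuthorizationManager.canUserAdminProject user_id, project_id, token, (error, canAdmin) ->
				return next(error) if error?
				if canAdmin
					logger.log {user_id, project_id}, "allowing user admin access to project"
					next()
				else
					logger.log {user_id, project_id}, "denying user admin access to project"
					AuthorizationMiddlewear.redirectToRestricted req, res, next

	# Site-wide admin check; no project is involved, so only the user is
	# resolved. A denial always redirects.
	ensureUserIsSiteAdmin: (req, res, next) ->
		AuthorizationMiddlewear._getUserId req, (error, user_id) ->
			return next(error) if error?
			AuthorizationManager.isUserSiteAdmin user_id, (error, isAdmin) ->
				return next(error) if error?
				if isAdmin
					logger.log {user_id}, "allowing user admin access to site"
					next()
				else
					logger.log {user_id}, "denying user admin access to site"
					AuthorizationMiddlewear.redirectToRestricted req, res, next

	# Resolves the project id from the route (either the `project_id` or the
	# `Project_id` param spelling) together with the acting user. A missing id
	# fails with a plain Error and a malformed one with NotFoundError, before
	# any authorization lookup runs.
	_getUserAndProjectId: (req, callback = (error, user_id, project_id) ->) ->
		project_id = req.params?.project_id or req.params?.Project_id
		if !project_id?
			return callback(new Error("Expected project_id in request parameters"))
		if !ObjectId.isValid(project_id)
			return callback(new Errors.NotFoundError("invalid project_id: #{project_id}"))
		AuthorizationMiddlewear._getUserId req, (error, user_id) ->
			return callback(error) if error?
			callback(null, user_id, project_id)

	# The acting user: the logged-in session user if any, else the oauth
	# user's id, else null. A null user_id is passed through unchanged; the
	# anonymous / token-only case is presumably decided in AuthorizationManager,
	# not here.
	_getUserId: (req, callback = (error, user_id) ->) ->
		user_id = AuthenticationController.getLoggedInUserId(req) || req?.oauth_user?._id || null
		return callback(null, user_id)

	# Sends the caller to the restricted page, carrying the original URL
	# (URL-encoded) in `from` so the login flow can return them to it.
	redirectToRestricted: (req, res, next) ->
		# TODO: move this to throwing ForbiddenError
		res.redirect "/restricted?from=#{encodeURIComponent(req.url)}"

	# /restricted handler. Logged-in users are shown the restricted page;
	# anonymous users are sent to /login with `from` stashed in the session.
	# NOTE(review): `from` is a caller-supplied query value that ends up as a
	# post-login redirect target — this relies on setRedirectInSession
	# (AuthenticationController) accepting only local paths; confirm there.
	restricted: (req, res, next) ->
		if AuthenticationController.isUserLoggedIn(req)
			res.render 'user/restricted',
				title: 'restricted'
		else
			from = req.query.from
			logger.log {from: from}, "redirecting to login"
			redirect_to = "/login"
			if from?
				AuthenticationController.setRedirectInSession(req, from)
			res.redirect redirect_to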