overleaf/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee

CollaboratorsHandler = require("../Collaborators/CollaboratorsHandler")
Project = require("../../models/Project").Project
User = require("../../models/User").User
PrivilegeLevels = require("./PrivilegeLevels")
PublicAccessLevels = require("./PublicAccessLevels")
Errors = require("../Errors/Errors")

module.exports = AuthorizationManager =
	# Get the privilege level that the user has for the project
	# Returns:
	#	* privilegeLevel: "owner", "readAndWrite", of "readOnly" if the user has
	#	  access. false if the user does not have access
	#   * becausePublic: true if the access level is only because the project is public.
	getPrivilegeLevelForProject: (user_id, project_id, callback = (error, privilegeLevel, becausePublic) ->) ->
		getPublicAccessLevel = () ->
			Project.findOne { _id: project_id }, { publicAccesLevel: 1 }, (error, project) ->
				return callback(error) if error?
				if !project?
					return callback new Errors.NotFoundError("no project found with id #{project_id}")
				if project.publicAccesLevel == PublicAccessLevels.READ_ONLY
					return callback null, PrivilegeLevels.READ_ONLY, true
				else if project.publicAccesLevel == PublicAccessLevels.READ_AND_WRITE
					return callback null, PrivilegeLevels.READ_AND_WRITE, true
				else
					return callback null, PrivilegeLevels.NONE, false
		
		if !user_id?
			getPublicAccessLevel()
		else
			CollaboratorsHandler.getMemberIdPrivilegeLevel user_id, project_id, (error, privilegeLevel) ->
				return callback(error) if error?
				if privilegeLevel? and privilegeLevel != PrivilegeLevels.NONE
					# The user has direct access
					callback null, privilegeLevel, false
				else
					AuthorizationManager.isUserSiteAdmin user_id, (error, isAdmin) ->
						return callback(error) if error?
						if isAdmin
							callback null, PrivilegeLevels.OWNER, false
						else
							getPublicAccessLevel()

	canUserReadProject: (user_id, project_id, callback = (error, canRead) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel) ->
			return callback(error) if error?
			return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE, PrivilegeLevels.READ_ONLY])
		
	canUserWriteProjectContent: (user_id, project_id, callback = (error, canWriteContent) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel) ->
			return callback(error) if error?
			return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE])
		
	canUserWriteProjectSettings: (user_id, project_id, callback = (error, canWriteSettings) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel, becausePublic) ->
			return callback(error) if error?
			if privilegeLevel == PrivilegeLevels.OWNER
				return callback null, true
			else if privilegeLevel == PrivilegeLevels.READ_AND_WRITE and !becausePublic
				return callback null, true
			else
				return callback null, false
	
	canUserAdminProject: (user_id, project_id, callback = (error, canAdmin) ->) ->
		AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel) ->
			return callback(error) if error?
			return callback null, (privilegeLevel == PrivilegeLevels.OWNER)
	
	isUserSiteAdmin: (user_id, callback = (error, isAdmin) ->) ->
		if !user_id?
			return callback null, false
		User.findOne { _id: user_id }, { isAdmin: 1 }, (error, user) ->
			return callback(error) if error?
			return callback null, (user?.isAdmin == true)
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`CollaboratorsHandler = require("../Collaborators/CollaboratorsHandler")`
			`Project = require("../../models/Project").Project`
			`User = require("../../models/User").User`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`PrivilegeLevels = require("./PrivilegeLevels")`
			`PublicAccessLevels = require("./PublicAccessLevels")`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`Errors = require("../Errors/Errors")`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00
			`module.exports = AuthorizationManager =`
			`# Get the privilege level that the user has for the project`
			`# Returns:`
			`# * privilegeLevel: "owner", "readAndWrite", of "readOnly" if the user has`
			`# access. false if the user does not have access`
			`# * becausePublic: true if the access level is only because the project is public.`
			`getPrivilegeLevelForProject: (user_id, project_id, callback = (error, privilegeLevel, becausePublic) ->) ->`
			`getPublicAccessLevel = () ->`
			`Project.findOne { _id: project_id }, { publicAccesLevel: 1 }, (error, project) ->`
			`return callback(error) if error?`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`if !project?`
			`return callback new Errors.NotFoundError("no project found with id #{project_id}")`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`if project.publicAccesLevel == PublicAccessLevels.READ_ONLY`
Improve error reporting and show 404 when project ids are malformed 2016-03-18 11:59:03 -04:00			`return callback null, PrivilegeLevels.READ_ONLY, true`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`else if project.publicAccesLevel == PublicAccessLevels.READ_AND_WRITE`
			`return callback null, PrivilegeLevels.READ_AND_WRITE, true`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`else`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, PrivilegeLevels.NONE, false`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`if !user_id?`
			`getPublicAccessLevel()`
			`else`
			`CollaboratorsHandler.getMemberIdPrivilegeLevel user_id, project_id, (error, privilegeLevel) ->`
			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`if privilegeLevel? and privilegeLevel != PrivilegeLevels.NONE`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`# The user has direct access`
			`callback null, privilegeLevel, false`
			`else`
Allow admin access to projects 2016-03-21 13:03:31 -04:00			`AuthorizationManager.isUserSiteAdmin user_id, (error, isAdmin) ->`
			`return callback(error) if error?`
			`if isAdmin`
			`callback null, PrivilegeLevels.OWNER, false`
			`else`
			`getPublicAccessLevel()`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00			`canUserReadProject: (user_id, project_id, callback = (error, canRead) ->) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel) ->`
			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE, PrivilegeLevels.READ_ONLY])`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00
			`canUserWriteProjectContent: (user_id, project_id, callback = (error, canWriteContent) ->) ->`
			`AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel) ->`
			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, (privilegeLevel in [PrivilegeLevels.OWNER, PrivilegeLevels.READ_AND_WRITE])`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
			`canUserWriteProjectSettings: (user_id, project_id, callback = (error, canWriteSettings) ->) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel, becausePublic) ->`
			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`if privilegeLevel == PrivilegeLevels.OWNER`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback null, true`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`else if privilegeLevel == PrivilegeLevels.READ_AND_WRITE and !becausePublic`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`return callback null, true`
			`else`
			`return callback null, false`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
			`canUserAdminProject: (user_id, project_id, callback = (error, canAdmin) ->) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`AuthorizationManager.getPrivilegeLevelForProject user_id, project_id, (error, privilegeLevel) ->`
			`return callback(error) if error?`
Convert privilege levels to an enum 2016-03-15 10:35:01 -04:00			`return callback null, (privilegeLevel == PrivilegeLevels.OWNER)`
Delete SecurityManager and replace with (unwritten) AuthorizationManager 2016-03-10 12:17:26 -05:00
			`isUserSiteAdmin: (user_id, callback = (error, isAdmin) ->) ->`
Implement authorization guards in Authorization{Manager,Controller} 2016-03-14 13:06:57 -04:00			`if !user_id?`
			`return callback null, false`
			`User.findOne { _id: user_id }, { isAdmin: 1 }, (error, user) ->`
			`return callback(error) if error?`
			`return callback null, (user?.isAdmin == true)`