overleaf/services/web/app/coffee/Features/Editor/EditorRouter.coffee

EditorHttpController = require('./EditorHttpController')
AuthenticationController = require "../Authentication/AuthenticationController"
AuthorizationMiddleware = require('../Authorization/AuthorizationMiddleware')
RateLimiterMiddleware = require('../Security/RateLimiterMiddleware')

module.exports =
	apply: (webRouter, apiRouter) ->
		webRouter.post   '/project/:Project_id/doc', AuthorizationMiddleware.ensureUserCanWriteProjectContent,
			RateLimiterMiddleware.rateLimit({
				endpointName: "add-doc-to-project"
				params: ["Project_id"]
				maxRequests: 30
				timeInterval: 60
			}), EditorHttpController.addDoc
		webRouter.post   '/project/:Project_id/folder', AuthorizationMiddleware.ensureUserCanWriteProjectContent,
			RateLimiterMiddleware.rateLimit({
				endpointName: "add-folder-to-project"
				params: ["Project_id"]
				maxRequests: 60
				timeInterval: 60
			}), EditorHttpController.addFolder

		webRouter.post   '/project/:Project_id/:entity_type/:entity_id/rename', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.renameEntity
		webRouter.post   '/project/:Project_id/:entity_type/:entity_id/move', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.moveEntity

		webRouter.delete '/project/:Project_id/file/:entity_id', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.deleteFile
		webRouter.delete '/project/:Project_id/doc/:entity_id', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.deleteDoc
		webRouter.delete '/project/:Project_id/folder/:entity_id', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.deleteFolder

		# Called by the real-time API to load up the current project state.
		# This is a post request because it's more than just a getting of data. We take actions
		# whenever a user joins a project, like updating the deleted status.
		apiRouter.post '/project/:Project_id/join', AuthenticationController.httpAuth,
			RateLimiterMiddleware.rateLimit({
				endpointName: "join-project"
				params: ["Project_id"]
				maxRequests: 30
				timeInterval: 60
			}), EditorHttpController.joinProject
Add and remove collaborators with HTTP requests, not websockets 2014-11-06 06:53:59 -05:00			`EditorHttpController = require('./EditorHttpController')`
Add in option for global login requirement (defaults to on) 2015-04-15 06:14:38 -04:00			`AuthenticationController = require "../Authentication/AuthenticationController"`
Merge pull request #1581 from sharelatex/spd-wearing-middle Fix spelling of "middleware" GitOrigin-RevId: d2b2b20ad8a6871cd6366303e75b340f0f2f2dda 2019-03-04 07:02:28 -05:00			`AuthorizationMiddleware = require('../Authorization/AuthorizationMiddleware')`
			`RateLimiterMiddleware = require('../Security/RateLimiterMiddleware')`
Add and remove collaborators with HTTP requests, not websockets 2014-11-06 06:53:59 -05:00
			`module.exports =`
split site into 2 routers, webRouter and apiRouter web router has things like sessions etc added onto it. Api router is minimal, doesn't include things like csrf 2015-06-30 09:38:32 -04:00			`apply: (webRouter, apiRouter) ->`
Merge pull request #1581 from sharelatex/spd-wearing-middle Fix spelling of "middleware" GitOrigin-RevId: d2b2b20ad8a6871cd6366303e75b340f0f2f2dda 2019-03-04 07:02:28 -05:00			`webRouter.post '/project/:Project_id/doc', AuthorizationMiddleware.ensureUserCanWriteProjectContent,`
			`RateLimiterMiddleware.rateLimit({`
Merge pull request #1406 from sharelatex/spd-more-rate-limits Add additional rate limits to prevent resource-exhaustion attacks GitOrigin-RevId: 428cf8a16e062267dd92e7fba73ef5c192a8e668 2019-01-18 05:10:09 -05:00			`endpointName: "add-doc-to-project"`
			`params: ["Project_id"]`
			`maxRequests: 30`
			`timeInterval: 60`
			`}), EditorHttpController.addDoc`
Merge pull request #1581 from sharelatex/spd-wearing-middle Fix spelling of "middleware" GitOrigin-RevId: d2b2b20ad8a6871cd6366303e75b340f0f2f2dda 2019-03-04 07:02:28 -05:00			`webRouter.post '/project/:Project_id/folder', AuthorizationMiddleware.ensureUserCanWriteProjectContent,`
			`RateLimiterMiddleware.rateLimit({`
Merge pull request #1406 from sharelatex/spd-more-rate-limits Add additional rate limits to prevent resource-exhaustion attacks GitOrigin-RevId: 428cf8a16e062267dd92e7fba73ef5c192a8e668 2019-01-18 05:10:09 -05:00			`endpointName: "add-folder-to-project"`
			`params: ["Project_id"]`
			`maxRequests: 60`
			`timeInterval: 60`
			`}), EditorHttpController.addFolder`
Add and remove collaborators with HTTP requests, not websockets 2014-11-06 06:53:59 -05:00
Merge pull request #1581 from sharelatex/spd-wearing-middle Fix spelling of "middleware" GitOrigin-RevId: d2b2b20ad8a6871cd6366303e75b340f0f2f2dda 2019-03-04 07:02:28 -05:00			`webRouter.post '/project/:Project_id/:entity_type/:entity_id/rename', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.renameEntity`
			`webRouter.post '/project/:Project_id/:entity_type/:entity_id/move', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.moveEntity`
Add and remove collaborators with HTTP requests, not websockets 2014-11-06 06:53:59 -05:00
Merge pull request #1581 from sharelatex/spd-wearing-middle Fix spelling of "middleware" GitOrigin-RevId: d2b2b20ad8a6871cd6366303e75b340f0f2f2dda 2019-03-04 07:02:28 -05:00			`webRouter.delete '/project/:Project_id/file/:entity_id', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.deleteFile`
			`webRouter.delete '/project/:Project_id/doc/:entity_id', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.deleteDoc`
			`webRouter.delete '/project/:Project_id/folder/:entity_id', AuthorizationMiddleware.ensureUserCanWriteProjectContent, EditorHttpController.deleteFolder`
Add and remove collaborators with HTTP requests, not websockets 2014-11-06 06:53:59 -05:00
Factor out common joinProject logic to provide and HTTP end point for the real-time API 2014-11-07 07:31:47 -05:00			`# Called by the real-time API to load up the current project state.`
			`# This is a post request because it's more than just a getting of data. We take actions`
			`# whenever a user joins a project, like updating the deleted status.`
Merge pull request #1657 from sharelatex/sk-rate-limit-join-project Add a rate-limit to joinProject GitOrigin-RevId: 27edd8b56ae80868b5fcd0b803d0e042dce26f31 2019-04-12 05:39:04 -04:00			`apiRouter.post '/project/:Project_id/join', AuthenticationController.httpAuth,`
			`RateLimiterMiddleware.rateLimit({`
			`endpointName: "join-project"`
			`params: ["Project_id"]`
			`maxRequests: 30`
			`timeInterval: 60`
			`}), EditorHttpController.joinProject`