overleaf/services/web/app/coffee/Features/UserMembership/UserMembershipAuthorization.coffee

AuthenticationController = require('../Authentication/AuthenticationController')
AuthorizationMiddlewear = require('../Authorization/AuthorizationMiddlewear')
UserMembershipHandler = require('./UserMembershipHandler')
EntityConfigs = require('./UserMembershipEntityConfigs')
Errors = require('../Errors/Errors')
logger = require("logger-sharelatex")
settings = require 'settings-sharelatex'
request = require 'request'

module.exports = UserMembershipAuthorization =
	requireTeamMetricsAccess: (req, res, next) ->
		requireAccessToEntity('team', req.params.id, req, res, next, 'groupMetrics')

	requireGroupManagementAccess: (req, res, next) ->
		requireAccessToEntity('group', req.params.id, req, res, next, 'groupManagement')

	requireGroupMetricsAccess:	(req, res, next) ->
		requireAccessToEntity('group', req.params.id, req, res, next, 'groupMetrics')

	requireGroupManagersManagementAccess: (req, res, next) ->
		requireAccessToEntity('groupManagers', req.params.id, req, res, next, 'groupManagement')

	requireInstitutionMetricsAccess:	(req, res, next) ->
		requireAccessToEntity('institution', req.params.id, req, res, next, 'institutionMetrics')

	requireInstitutionManagementAccess:	(req, res, next) ->
		requireAccessToEntity('institution', req.params.id, req, res, next, 'institutionManagement')

	requirePublisherMetricsAccess:	(req, res, next) ->
		requireAccessToEntity('publisher', req.params.id, req, res, next, 'publisherMetrics')

	requirePublisherManagementAccess:	(req, res, next) ->
		requireAccessToEntity('publisher', req.params.id, req, res, next, 'publisherManagement')

	requireTemplateMetricsAccess: (req, res, next) ->
		templateId = req.params.id
		request {
			baseUrl: settings.apis.v1.url
			url: "/api/v2/templates/#{templateId}"
			method: 'GET'
			auth:
				user: settings.apis.v1.user
				pass: settings.apis.v1.pass
				sendImmediately: true
		}, (error, response, body) =>
			if response.statusCode == 404
				return next(new Errors.NotFoundError())

			if response.statusCode != 200
				logger.err { templateId }, "[TemplateMetrics] Couldn't fetch template data from v1"
				return next(new Error("Couldn't fetch template data from v1"))

			return next(error) if error?
			try
				body = JSON.parse(body)
			catch error
				return next(error)

			req.template =
				id: body.id
				title: body.title
			if body?.brand?.slug
				req.params.id = body.brand.slug
				UserMembershipAuthorization.requirePublisherMetricsAccess(req, res, next)
			else
				AuthorizationMiddlewear.ensureUserIsSiteAdmin(req, res, next)

	requireGraphAccess: (req, res, next) ->
		req.params.id = req.query.resource_id
		if req.query.resource_type == 'template'
			return UserMembershipAuthorization.requireTemplateMetricsAccess(req, res, next)
		else if req.query.resource_type == 'institution'
			return UserMembershipAuthorization.requireInstitutionMetricsAccess(req, res, next)
		else if req.query.resource_type == 'group'
			return UserMembershipAuthorization.requireGroupMetricsAccess(req, res, next)
		else if req.query.resource_type == 'team'
			return UserMembershipAuthorization.requireTeamMetricsAccess(req, res, next)
		requireAccessToEntity(req.query.resource_type, req.query.resource_id, req, res, next)

requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAccess=null) ->
	loggedInUser = AuthenticationController.getSessionUser(req)
	unless loggedInUser
		return AuthorizationMiddlewear.redirectToRestricted req, res, next

	getEntity entityName, entityId, loggedInUser, requiredStaffAccess, (error, entity, entityConfig, entityExists) ->
		return next(error) if error?

		if entity?
			req.entity = entity
			req.entityConfig = entityConfig
			return next()

		if entityExists # user doesn't have access to entity
			return AuthorizationMiddlewear.redirectToRestricted(req, res, next)

		if loggedInUser.isAdmin and entityConfig.canCreate
			# entity doesn't exists, admin can create it
			return res.redirect "/entities/#{entityName}/create/#{entityId}"

		next(new Errors.NotFoundError())

getEntity = (entityName, entityId, user, requiredStaffAccess, callback = (error, entity, entityConfig, entityExists)->) ->
	entityConfig = EntityConfigs[entityName]
	unless entityConfig
		return callback(new Errors.NotFoundError("No such entity: #{entityName}"))

	UserMembershipHandler.getEntity entityId, entityConfig, user, requiredStaffAccess, (error, entity)->
		return callback(error) if error?
		return callback(null, entity, entityConfig, true) if entity?

		# no access to entity. Check if entity exists
		UserMembershipHandler.getEntityWithoutAuthorizationCheck entityId, entityConfig, (error, entity)->
			return callback(error) if error?
			callback(null, null, entityConfig, entity?)
Merge pull request #1042 from sharelatex/ta-user-membership-access User Membership Access Refactor GitOrigin-RevId: 23e8d342bc4829450625146213ff92cb042550dd 2018-10-24 09:50:34 -04:00			`AuthenticationController = require('../Authentication/AuthenticationController')`
			`AuthorizationMiddlewear = require('../Authorization/AuthorizationMiddlewear')`
			`UserMembershipHandler = require('./UserMembershipHandler')`
			`EntityConfigs = require('./UserMembershipEntityConfigs')`
			`Errors = require('../Errors/Errors')`
			`logger = require("logger-sharelatex")`
Merge pull request #1193 from sharelatex/ta-template-metrics Template Metrics GitOrigin-RevId: 0a8648aec3a9446426c70cd8220bb1f776313303 2018-12-05 09:54:00 -05:00			`settings = require 'settings-sharelatex'`
			`request = require 'request'`
Merge pull request #1042 from sharelatex/ta-user-membership-access User Membership Access Refactor GitOrigin-RevId: 23e8d342bc4829450625146213ff92cb042550dd 2018-10-24 09:50:34 -04:00
Merge pull request #1193 from sharelatex/ta-template-metrics Template Metrics GitOrigin-RevId: 0a8648aec3a9446426c70cd8220bb1f776313303 2018-12-05 09:54:00 -05:00			`module.exports = UserMembershipAuthorization =`
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`requireTeamMetricsAccess: (req, res, next) ->`
			`requireAccessToEntity('team', req.params.id, req, res, next, 'groupMetrics')`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`requireGroupManagementAccess: (req, res, next) ->`
			`requireAccessToEntity('group', req.params.id, req, res, next, 'groupManagement')`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`requireGroupMetricsAccess: (req, res, next) ->`
			`requireAccessToEntity('group', req.params.id, req, res, next, 'groupMetrics')`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`requireGroupManagersManagementAccess: (req, res, next) ->`
			`requireAccessToEntity('groupManagers', req.params.id, req, res, next, 'groupManagement')`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`requireInstitutionMetricsAccess: (req, res, next) ->`
			`requireAccessToEntity('institution', req.params.id, req, res, next, 'institutionMetrics')`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`requireInstitutionManagementAccess: (req, res, next) ->`
			`requireAccessToEntity('institution', req.params.id, req, res, next, 'institutionManagement')`

			`requirePublisherMetricsAccess: (req, res, next) ->`
			`requireAccessToEntity('publisher', req.params.id, req, res, next, 'publisherMetrics')`

			`requirePublisherManagementAccess: (req, res, next) ->`
			`requireAccessToEntity('publisher', req.params.id, req, res, next, 'publisherManagement')`

			`requireTemplateMetricsAccess: (req, res, next) ->`
Merge pull request #1193 from sharelatex/ta-template-metrics Template Metrics GitOrigin-RevId: 0a8648aec3a9446426c70cd8220bb1f776313303 2018-12-05 09:54:00 -05:00			`templateId = req.params.id`
			`request {`
			`baseUrl: settings.apis.v1.url`
			`url: "/api/v2/templates/#{templateId}"`
			`method: 'GET'`
			`auth:`
			`user: settings.apis.v1.user`
			`pass: settings.apis.v1.pass`
			`sendImmediately: true`
			`}, (error, response, body) =>`
			`if response.statusCode == 404`
			`return next(new Errors.NotFoundError())`

			`if response.statusCode != 200`
			`logger.err { templateId }, "[TemplateMetrics] Couldn't fetch template data from v1"`
			`return next(new Error("Couldn't fetch template data from v1"))`

			`return next(error) if error?`
			`try`
			`body = JSON.parse(body)`
			`catch error`
			`return next(error)`

			`req.template =`
			`id: body.id`
			`title: body.title`
Merge pull request #1234 from sharelatex/ta-teamplate-without-brand-metrics Handle Access for Template Without Brands GitOrigin-RevId: f1127298fcede8075b31f6b1bc7161f474817a7e 2018-12-06 08:52:41 -05:00			`if body?.brand?.slug`
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`req.params.id = body.brand.slug`
			`UserMembershipAuthorization.requirePublisherMetricsAccess(req, res, next)`
Merge pull request #1234 from sharelatex/ta-teamplate-without-brand-metrics Handle Access for Template Without Brands GitOrigin-RevId: f1127298fcede8075b31f6b1bc7161f474817a7e 2018-12-06 08:52:41 -05:00			`else`
			`AuthorizationMiddlewear.ensureUserIsSiteAdmin(req, res, next)`
Merge pull request #1193 from sharelatex/ta-template-metrics Template Metrics GitOrigin-RevId: 0a8648aec3a9446426c70cd8220bb1f776313303 2018-12-05 09:54:00 -05:00
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00			`requireGraphAccess: (req, res, next) ->`
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`req.params.id = req.query.resource_id`
Merge pull request #1193 from sharelatex/ta-template-metrics Template Metrics GitOrigin-RevId: 0a8648aec3a9446426c70cd8220bb1f776313303 2018-12-05 09:54:00 -05:00			`if req.query.resource_type == 'template'`
Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`return UserMembershipAuthorization.requireTemplateMetricsAccess(req, res, next)`
			`else if req.query.resource_type == 'institution'`
			`return UserMembershipAuthorization.requireInstitutionMetricsAccess(req, res, next)`
			`else if req.query.resource_type == 'group'`
			`return UserMembershipAuthorization.requireGroupMetricsAccess(req, res, next)`
			`else if req.query.resource_type == 'team'`
			`return UserMembershipAuthorization.requireTeamMetricsAccess(req, res, next)`
			`requireAccessToEntity(req.query.resource_type, req.query.resource_id, req, res, next)`

			`requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAccess=null) ->`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00			`loggedInUser = AuthenticationController.getSessionUser(req)`
			`unless loggedInUser`
			`return AuthorizationMiddlewear.redirectToRestricted req, res, next`

Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`getEntity entityName, entityId, loggedInUser, requiredStaffAccess, (error, entity, entityConfig, entityExists) ->`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00			`return next(error) if error?`
Merge pull request #1192 from sharelatex/ta-publisher-create Add Interface to Create Publishers GitOrigin-RevId: 50af2d1c05821d20b1ec33e8f68a05d824e55c46 2018-12-06 05:52:54 -05:00
			`if entity?`
			`req.entity = entity`
			`req.entityConfig = entityConfig`
			`return next()`

			`if entityExists # user doesn't have access to entity`
Merge branch 'master' into dcl-i1207 GitOrigin-RevId: c947041ca99860d4afb62ecfd28ba6fe1c717bfc 2018-11-30 08:03:35 -05:00			`return AuthorizationMiddlewear.redirectToRestricted(req, res, next)`

Merge pull request #1192 from sharelatex/ta-publisher-create Add Interface to Create Publishers GitOrigin-RevId: 50af2d1c05821d20b1ec33e8f68a05d824e55c46 2018-12-06 05:52:54 -05:00			`if loggedInUser.isAdmin and entityConfig.canCreate`
			`# entity doesn't exists, admin can create it`
			`return res.redirect "/entities/#{entityName}/create/#{entityId}"`
Merge pull request #1042 from sharelatex/ta-user-membership-access User Membership Access Refactor GitOrigin-RevId: 23e8d342bc4829450625146213ff92cb042550dd 2018-10-24 09:50:34 -04:00
Merge pull request #1192 from sharelatex/ta-publisher-create Add Interface to Create Publishers GitOrigin-RevId: 50af2d1c05821d20b1ec33e8f68a05d824e55c46 2018-12-06 05:52:54 -05:00			`next(new Errors.NotFoundError())`

Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`getEntity = (entityName, entityId, user, requiredStaffAccess, callback = (error, entity, entityConfig, entityExists)->) ->`
Merge pull request #1042 from sharelatex/ta-user-membership-access User Membership Access Refactor GitOrigin-RevId: 23e8d342bc4829450625146213ff92cb042550dd 2018-10-24 09:50:34 -04:00			`entityConfig = EntityConfigs[entityName]`
			`unless entityConfig`
			`return callback(new Errors.NotFoundError("No such entity: #{entityName}"))`

Merge pull request #1275 from sharelatex/hb-authorization-flags Authorization flags for metrics GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5 2019-01-11 09:17:27 -05:00			`UserMembershipHandler.getEntity entityId, entityConfig, user, requiredStaffAccess, (error, entity)->`
Merge pull request #1042 from sharelatex/ta-user-membership-access User Membership Access Refactor GitOrigin-RevId: 23e8d342bc4829450625146213ff92cb042550dd 2018-10-24 09:50:34 -04:00			`return callback(error) if error?`
Merge pull request #1192 from sharelatex/ta-publisher-create Add Interface to Create Publishers GitOrigin-RevId: 50af2d1c05821d20b1ec33e8f68a05d824e55c46 2018-12-06 05:52:54 -05:00			`return callback(null, entity, entityConfig, true) if entity?`

			`# no access to entity. Check if entity exists`
			`UserMembershipHandler.getEntityWithoutAuthorizationCheck entityId, entityConfig, (error, entity)->`
			`return callback(error) if error?`
			`callback(null, null, entityConfig, entity?)`