overleaf/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee

Project = require('../../models/Project').Project
PublicAccessLevels = require '../Authorization/PublicAccessLevels'
PrivilegeLevels = require '../Authorization/PrivilegeLevels'
ObjectId = require("mongojs").ObjectId
Settings = require('settings-sharelatex')

module.exports = TokenAccessHandler =

	ANONYMOUS_READ_AND_WRITE_ENABLED:
		Settings.allowAnonymousReadAndWriteSharing == true

	findProjectWithReadOnlyToken: (token, callback=(err, project)->) ->
		Project.findOne {
			'tokens.readOnly': token,
			'publicAccesLevel': PublicAccessLevels.TOKEN_BASED
		}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback

	findProjectWithReadAndWriteToken: (token, callback=(err, project)->) ->
		Project.findOne {
			'tokens.readAndWrite': token,
			'publicAccesLevel': PublicAccessLevels.TOKEN_BASED
		}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback

	findPrivateOverleafProjectWithReadAndWriteToken: (token, callback=(err, project)->) ->
		Project.findOne {
			'tokens.readAndWrite': token,
			'publicAccesLevel': PublicAccessLevels.PRIVATE,
			'overleaf.id': {'$exists': true}
		}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback

	addReadOnlyUserToProject: (userId, projectId, callback=(err)->) ->
		userId = ObjectId(userId.toString())
		projectId = ObjectId(projectId.toString())
		Project.update {
			_id: projectId
		}, {
			$addToSet: {tokenAccessReadOnly_refs: userId}
		}, callback

	addReadAndWriteUserToProject: (userId, projectId, callback=(err)->) ->
		userId = ObjectId(userId.toString())
		projectId = ObjectId(projectId.toString())
		Project.update {
			_id: projectId
		}, {
			$addToSet: {tokenAccessReadAndWrite_refs: userId}
		}, callback

	grantSessionTokenAccess: (req, projectId, token) ->
		if req.session?
			if !req.session.anonTokenAccess?
				req.session.anonTokenAccess = {}
			req.session.anonTokenAccess[projectId.toString()] = token.toString()

	getRequestToken: (req, projectId) ->
		token = (
			req?.session?.anonTokenAccess?[projectId.toString()] or
			req?.headers['x-sl-anon-token']
		)
		return token

	isValidToken: (projectId, token, callback=(err, isValidReadAndWrite, isValidReadOnly)->) ->
		if !token
			return callback null, false, false
		_validate = (project) ->
			project? and
			project.publicAccesLevel == PublicAccessLevels.TOKEN_BASED and
			project._id.toString() == projectId.toString()
		TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, readAndWriteProject) ->
			return callback(err) if err?
			isValidReadAndWrite = _validate(readAndWriteProject)
			TokenAccessHandler.findProjectWithReadOnlyToken token, (err, readOnlyProject) ->
				return callback(err) if err?
				isValidReadOnly = _validate(readOnlyProject)
				callback null, isValidReadAndWrite, isValidReadOnly

	protectTokens: (project, privilegeLevel) ->
		if project? && project.tokens?
			if privilegeLevel == PrivilegeLevels.OWNER
				return
			if privilegeLevel != PrivilegeLevels.READ_AND_WRITE
				project.tokens.readAndWrite = ''
			if privilegeLevel != PrivilegeLevels.READ_ONLY
				project.tokens.readOnly = ''
Add token-access routes 2017-09-22 09:54:35 -04:00			`Project = require('../../models/Project').Project`
			`PublicAccessLevels = require '../Authorization/PublicAccessLevels'`
Abstract away the token-protection logic 2017-10-19 11:26:01 -04:00			`PrivilegeLevels = require '../Authorization/PrivilegeLevels'`
Add token-access routes 2017-09-22 09:54:35 -04:00			`ObjectId = require("mongojs").ObjectId`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`Settings = require('settings-sharelatex')`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`module.exports = TokenAccessHandler =`

Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`ANONYMOUS_READ_AND_WRITE_ENABLED:`
			`Settings.allowAnonymousReadAndWriteSharing == true`

Add token-access routes 2017-09-22 09:54:35 -04:00			`findProjectWithReadOnlyToken: (token, callback=(err, project)->) ->`
			`Project.findOne {`
			`'tokens.readOnly': token,`
			`'publicAccesLevel': PublicAccessLevels.TOKEN_BASED`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`findProjectWithReadAndWriteToken: (token, callback=(err, project)->) ->`
			`Project.findOne {`
			`'tokens.readAndWrite': token,`
			`'publicAccesLevel': PublicAccessLevels.TOKEN_BASED`
If user is project owner, don't add them as a token user 2017-10-16 11:44:20 -04:00			`}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback`
Add token-access routes 2017-09-22 09:54:35 -04:00
If a token-based project not found, check private overleaf project 2017-10-16 08:20:15 -04:00			`findPrivateOverleafProjectWithReadAndWriteToken: (token, callback=(err, project)->) ->`
			`Project.findOne {`
			`'tokens.readAndWrite': token,`
			`'publicAccesLevel': PublicAccessLevels.PRIVATE,`
			`'overleaf.id': {'$exists': true}`
			`}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback`

Add token-access routes 2017-09-22 09:54:35 -04:00			`addReadOnlyUserToProject: (userId, projectId, callback=(err)->) ->`
			`userId = ObjectId(userId.toString())`
			`projectId = ObjectId(projectId.toString())`
			`Project.update {`
			`_id: projectId`
			`}, {`
			`$addToSet: {tokenAccessReadOnly_refs: userId}`
Tidy up callbacks 2017-10-03 09:14:22 -04:00			`}, callback`
Add token-access routes 2017-09-22 09:54:35 -04:00
			`addReadAndWriteUserToProject: (userId, projectId, callback=(err)->) ->`
			`userId = ObjectId(userId.toString())`
			`projectId = ObjectId(projectId.toString())`
			`Project.update {`
			`_id: projectId`
			`}, {`
			`$addToSet: {tokenAccessReadAndWrite_refs: userId}`
Tidy up callbacks 2017-10-03 09:14:22 -04:00			`}, callback`
Add token-access routes 2017-09-22 09:54:35 -04:00
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`grantSessionTokenAccess: (req, projectId, token) ->`
Add token-access routes 2017-09-22 09:54:35 -04:00			`if req.session?`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`if !req.session.anonTokenAccess?`
			`req.session.anonTokenAccess = {}`
			`req.session.anonTokenAccess[projectId.toString()] = token.toString()`
Add token-access routes 2017-09-22 09:54:35 -04:00
Refactor to not pass `req` down into Auth modules 2017-10-13 06:20:57 -04:00			`getRequestToken: (req, projectId) ->`
Working token-based access 2017-09-27 09:01:52 -04:00			`token = (`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`req?.session?.anonTokenAccess?[projectId.toString()] or`
Refactor to not pass `req` down into Auth modules 2017-10-13 06:20:57 -04:00			`req?.headers['x-sl-anon-token']`
Working token-based access 2017-09-27 09:01:52 -04:00			`)`
Refactor to not pass `req` down into Auth modules 2017-10-13 06:20:57 -04:00			`return token`

Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`isValidToken: (projectId, token, callback=(err, isValidReadAndWrite, isValidReadOnly)->) ->`
Working token-based access 2017-09-27 09:01:52 -04:00			`if !token`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`return callback null, false, false`
			`_validate = (project) ->`
			`project? and`
			`project.publicAccesLevel == PublicAccessLevels.TOKEN_BASED and`
			`project._id.toString() == projectId.toString()`
			`TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, readAndWriteProject) ->`
Working token-based access 2017-09-27 09:01:52 -04:00			`return callback(err) if err?`
Add a setting to enable anonymous read-and-write link sharing 2017-10-18 08:04:37 -04:00			`isValidReadAndWrite = _validate(readAndWriteProject)`
			`TokenAccessHandler.findProjectWithReadOnlyToken token, (err, readOnlyProject) ->`
			`return callback(err) if err?`
			`isValidReadOnly = _validate(readOnlyProject)`
			`callback null, isValidReadAndWrite, isValidReadOnly`
Abstract away the token-protection logic 2017-10-19 11:26:01 -04:00
			`protectTokens: (project, privilegeLevel) ->`
			`if project? && project.tokens?`
			`if privilegeLevel == PrivilegeLevels.OWNER`
			`return`
			`if privilegeLevel != PrivilegeLevels.READ_AND_WRITE`
			`project.tokens.readAndWrite = ''`
			`if privilegeLevel != PrivilegeLevels.READ_ONLY`
			`project.tokens.readOnly = ''`