Merge pull request #1580 from sharelatex/ta-entity-create-form-fix-2
Fix Publisher Creation Form Take2 GitOrigin-RevId: a51512cc48067f50ba05fa371ed1d759d3fca985
This commit is contained in:
parent
a1e16c9676
commit
e4c684786d
3 changed files with 23 additions and 4 deletions
@ -77,6 +77,12 @@ module.exports = UserMembershipAuthorization =
|
|||
return UserMembershipAuthorization.requireTeamMetricsAccess(req, res, next)
|
||||
requireAccessToEntity(req.query.resource_type, req.query.resource_id, req, res, next)
|
||||
|
||||
requireEntityCreationAccess: (req, res, next) ->
|
||||
loggedInUser = AuthenticationController.getSessionUser(req)
|
||||
unless loggedInUser and hasEntityCreationAccess(loggedInUser)
|
||||
return AuthorizationMiddlewear.redirectToRestricted req, res, next
|
||||
next()
|
||||
|
||||
requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAccess=null) ->
|
||||
loggedInUser = AuthenticationController.getSessionUser(req)
|
||||
unless loggedInUser
|
||||
|
@ -93,7 +99,7 @@ requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAcce
|
|||
if entityExists # user doesn't have access to entity
|
||||
return AuthorizationMiddleware.redirectToRestricted(req, res, next)
|
||||
|
||||
if loggedInUser.isAdmin and entityConfig.canCreate
|
||||
if hasEntityCreationAccess(loggedInUser) and entityConfig.canCreate
|
||||
# entity doesn't exists, admin can create it
|
||||
return res.redirect "/entities/#{entityName}/create/#{entityId}"
|
||||
|
||||
|
@ -112,3 +118,8 @@ getEntity = (entityName, entityId, user, requiredStaffAccess, callback = (error,
|
|||
UserMembershipHandler.getEntityWithoutAuthorizationCheck entityId, entityConfig, (error, entity)->
|
||||
return callback(error) if error?
|
||||
callback(null, null, entityConfig, entity?)
|
||||
|
||||
hasEntityCreationAccess = (user) ->
|
||||
user.isAdmin or
|
||||
user.staffAccess?['institutionManagement'] or
|
||||
user.staffAccess?['publisherManagement']
|
||||
|
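Review bot: `AuthorizationMiddlewear` in the redirect inside the new `requireEntityCreationAccess` is misspelled — the context line in the second hunk calls `AuthorizationMiddleware.redirectToRestricted`, so the unauthorized branch would throw a ReferenceError (surfacing as a 500) instead of redirecting; change it to `return AuthorizationMiddleware.redirectToRestricted req, res, next`. The route-level check only tests the user's staff flags and, unlike the later branch in `requireAccessToEntity`, never consults `entityConfig.canCreate`; if `UserMembershipController.new`/`create` do not verify that `:name` is a creatable entity type, a staff user could reach the create form for any entity name — worth confirming, since that controller is outside this diff. A one-line comment on the new predicate, e.g. `# admins and institution/publisher management staff may create entities`, would document who the route is now open to.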
@ -2,7 +2,6 @@ UserMembershipAuthorization = require './UserMembershipAuthorization'
|
|||
UserMembershipController = require './UserMembershipController'
|
||||
SubscriptionGroupController = require '../Subscription/SubscriptionGroupController'
|
||||
TeamInvitesController = require '../Subscription/TeamInvitesController'
|
||||
AuthorizationMiddleware = require('../Authorization/AuthorizationMiddleware')
|
||||
RateLimiterMiddleware = require('../Security/RateLimiterMiddleware')
|
||||
|
||||
module.exports =
|
||||
|
@ -69,8 +68,8 @@ module.exports =
|
|||
|
||||
# create new entitites
|
||||
webRouter.get "/entities/:name/create/:id",
|
||||
UserMembershipAuthorization.requirePublisherManagementAccess,
|
||||
UserMembershipAuthorization.requireEntityCreationAccess,
|
||||
UserMembershipController.new
|
||||
webRouter.post "/entities/:name/create/:id",
|
||||
UserMembershipAuthorization.requirePublisherManagementAccess,
|
||||
UserMembershipAuthorization.requireEntityCreationAccess,
|
||||
UserMembershipController.create
|
||||
|
@ -67,6 +67,15 @@ describe "UserMembershipAuthorization", ->
|
|||
expect(path).to.match /create/
|
||||
done()
|
||||
|
||||
it 'handle entity not found a non-admin can create', (done) ->
|
||||
@user.staffAccess = { institutionManagement: true }
|
||||
@UserMembershipHandler.getEntity.yields(null, null)
|
||||
@UserMembershipHandler.getEntityWithoutAuthorizationCheck.yields(null, null)
|
||||
@UserMembershipAuthorization.requirePublisherMetricsAccess @req, redirect: (path) =>
|
||||
expect(path).to.extist
|
||||
expect(path).to.match /create/
|
||||
done()
|
||||
|
||||
it 'handle entity not found an admin cannot create', (done) ->
|
||||
@user.isAdmin = true
|
||||
@UserMembershipHandler.getEntity.yields(null, null)
|
||||
|
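Review bot: `expect(path).to.extist` in the new 'handle entity not found a non-admin can create' test is misspelled; depending on the chai version, reading an unknown property on the assertion object either throws or quietly evaluates to undefined, so the line is not the existence check it looks like — change it to `expect(path).to.exist`. The new case exercises `requirePublisherMetricsAccess` with `institutionManagement` staff, which presumably mirrors the neighbouring existing tests, but the new `requireEntityCreationAccess` middleware wired into the router is not covered here; a case with a user lacking both `isAdmin` and `staffAccess` asserting the restricted redirect would pin the deny path. The describe block continues outside the hunk.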
|