overleaf/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee
Alasdair Smith 9d600afdf8 Fix failing tests for token access
If project was changed from token access to private, then we want to
404 on v2 (not redirect to v1). So the logic was changed to check if the
project exists and if it does then a 404 is returned. If it does not
then it redirects to v1.
2018-09-13 12:09:19 +01:00

99 lines
3.4 KiB
CoffeeScript

Project = require('../../models/Project').Project
CollaboratorsHandler = require('../Collaborators/CollaboratorsHandler')
PublicAccessLevels = require '../Authorization/PublicAccessLevels'
PrivilegeLevels = require '../Authorization/PrivilegeLevels'
ObjectId = require("mongojs").ObjectId
Settings = require('settings-sharelatex')
module.exports = TokenAccessHandler =
ANONYMOUS_READ_AND_WRITE_ENABLED:
Settings.allowAnonymousReadAndWriteSharing == true
findProjectWithReadOnlyToken: (token, callback=(err, project)->) ->
Project.findOne {
'tokens.readOnly': token,
'publicAccesLevel': PublicAccessLevels.TOKEN_BASED
}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback
findProjectWithReadAndWriteToken: (token, callback=(err, project)->) ->
Project.findOne {
'tokens.readAndWrite': token,
'publicAccesLevel': PublicAccessLevels.TOKEN_BASED
}, {_id: 1, publicAccesLevel: 1, owner_ref: 1}, callback
findProjectWithHigherAccess: (token, userId, callback=(err, project, projectExists)->) ->
Project.findOne {
$or: [
{'tokens.readAndWrite': token},
{'tokens.readOnly': token}
]
}, {_id: 1}, (err, project) ->
if err?
return callback(err)
if !project?
return callback(null, null, false) # Project doesn't exist, so we handle differently
projectId = project._id
CollaboratorsHandler.isUserInvitedMemberOfProject userId, projectId, (err, isMember) ->
if err?
return callback(err)
callback(
null,
if isMember == true then project else null,
true # Project does exist, but user doesn't have access
)
addReadOnlyUserToProject: (userId, projectId, callback=(err)->) ->
userId = ObjectId(userId.toString())
projectId = ObjectId(projectId.toString())
Project.update {
_id: projectId
}, {
$addToSet: {tokenAccessReadOnly_refs: userId}
}, callback
addReadAndWriteUserToProject: (userId, projectId, callback=(err)->) ->
userId = ObjectId(userId.toString())
projectId = ObjectId(projectId.toString())
Project.update {
_id: projectId
}, {
$addToSet: {tokenAccessReadAndWrite_refs: userId}
}, callback
grantSessionTokenAccess: (req, projectId, token) ->
if req.session?
if !req.session.anonTokenAccess?
req.session.anonTokenAccess = {}
req.session.anonTokenAccess[projectId.toString()] = token.toString()
getRequestToken: (req, projectId) ->
token = (
req?.session?.anonTokenAccess?[projectId.toString()] or
req?.headers['x-sl-anonymous-access-token']
)
return token
isValidToken: (projectId, token, callback=(err, isValidReadAndWrite, isValidReadOnly)->) ->
if !token
return callback null, false, false
_validate = (project) ->
project? and
project.publicAccesLevel == PublicAccessLevels.TOKEN_BASED and
project._id.toString() == projectId.toString()
TokenAccessHandler.findProjectWithReadAndWriteToken token, (err, readAndWriteProject) ->
return callback(err) if err?
isValidReadAndWrite = _validate(readAndWriteProject)
TokenAccessHandler.findProjectWithReadOnlyToken token, (err, readOnlyProject) ->
return callback(err) if err?
isValidReadOnly = _validate(readOnlyProject)
callback null, isValidReadAndWrite, isValidReadOnly
protectTokens: (project, privilegeLevel) ->
if project? && project.tokens?
if privilegeLevel == PrivilegeLevels.OWNER
return
if privilegeLevel != PrivilegeLevels.READ_AND_WRITE
project.tokens.readAndWrite = ''
if privilegeLevel != PrivilegeLevels.READ_ONLY
project.tokens.readOnly = ''