overleaf/services/web/app/coffee/Features/UserMembership/UserMembershipAuthorization.coffee
Simon Detheridge da6711dc99 Merge pull request #1275 from sharelatex/hb-authorization-flags
Authorization flags for metrics

GitOrigin-RevId: 651587c11317bfc8bb7b1e8143e8c2c820683cb5
2019-01-11 14:44:17 +00:00

114 lines
4.6 KiB
CoffeeScript

AuthenticationController = require('../Authentication/AuthenticationController')
AuthorizationMiddlewear = require('../Authorization/AuthorizationMiddlewear')
UserMembershipHandler = require('./UserMembershipHandler')
EntityConfigs = require('./UserMembershipEntityConfigs')
Errors = require('../Errors/Errors')
logger = require("logger-sharelatex")
settings = require 'settings-sharelatex'
request = require 'request'
module.exports = UserMembershipAuthorization =
requireTeamMetricsAccess: (req, res, next) ->
requireAccessToEntity('team', req.params.id, req, res, next, 'groupMetrics')
requireGroupManagementAccess: (req, res, next) ->
requireAccessToEntity('group', req.params.id, req, res, next, 'groupManagement')
requireGroupMetricsAccess: (req, res, next) ->
requireAccessToEntity('group', req.params.id, req, res, next, 'groupMetrics')
requireGroupManagersManagementAccess: (req, res, next) ->
requireAccessToEntity('groupManagers', req.params.id, req, res, next, 'groupManagement')
requireInstitutionMetricsAccess: (req, res, next) ->
requireAccessToEntity('institution', req.params.id, req, res, next, 'institutionMetrics')
requireInstitutionManagementAccess: (req, res, next) ->
requireAccessToEntity('institution', req.params.id, req, res, next, 'institutionManagement')
requirePublisherMetricsAccess: (req, res, next) ->
requireAccessToEntity('publisher', req.params.id, req, res, next, 'publisherMetrics')
requirePublisherManagementAccess: (req, res, next) ->
requireAccessToEntity('publisher', req.params.id, req, res, next, 'publisherManagement')
requireTemplateMetricsAccess: (req, res, next) ->
templateId = req.params.id
request {
baseUrl: settings.apis.v1.url
url: "/api/v2/templates/#{templateId}"
method: 'GET'
auth:
user: settings.apis.v1.user
pass: settings.apis.v1.pass
sendImmediately: true
}, (error, response, body) =>
if response.statusCode == 404
return next(new Errors.NotFoundError())
if response.statusCode != 200
logger.err { templateId }, "[TemplateMetrics] Couldn't fetch template data from v1"
return next(new Error("Couldn't fetch template data from v1"))
return next(error) if error?
try
body = JSON.parse(body)
catch error
return next(error)
req.template =
id: body.id
title: body.title
if body?.brand?.slug
req.params.id = body.brand.slug
UserMembershipAuthorization.requirePublisherMetricsAccess(req, res, next)
else
AuthorizationMiddlewear.ensureUserIsSiteAdmin(req, res, next)
requireGraphAccess: (req, res, next) ->
req.params.id = req.query.resource_id
if req.query.resource_type == 'template'
return UserMembershipAuthorization.requireTemplateMetricsAccess(req, res, next)
else if req.query.resource_type == 'institution'
return UserMembershipAuthorization.requireInstitutionMetricsAccess(req, res, next)
else if req.query.resource_type == 'group'
return UserMembershipAuthorization.requireGroupMetricsAccess(req, res, next)
else if req.query.resource_type == 'team'
return UserMembershipAuthorization.requireTeamMetricsAccess(req, res, next)
requireAccessToEntity(req.query.resource_type, req.query.resource_id, req, res, next)
requireAccessToEntity = (entityName, entityId, req, res, next, requiredStaffAccess=null) ->
loggedInUser = AuthenticationController.getSessionUser(req)
unless loggedInUser
return AuthorizationMiddlewear.redirectToRestricted req, res, next
getEntity entityName, entityId, loggedInUser, requiredStaffAccess, (error, entity, entityConfig, entityExists) ->
return next(error) if error?
if entity?
req.entity = entity
req.entityConfig = entityConfig
return next()
if entityExists # user doesn't have access to entity
return AuthorizationMiddlewear.redirectToRestricted(req, res, next)
if loggedInUser.isAdmin and entityConfig.canCreate
# entity doesn't exists, admin can create it
return res.redirect "/entities/#{entityName}/create/#{entityId}"
next(new Errors.NotFoundError())
getEntity = (entityName, entityId, user, requiredStaffAccess, callback = (error, entity, entityConfig, entityExists)->) ->
entityConfig = EntityConfigs[entityName]
unless entityConfig
return callback(new Errors.NotFoundError("No such entity: #{entityName}"))
UserMembershipHandler.getEntity entityId, entityConfig, user, requiredStaffAccess, (error, entity)->
return callback(error) if error?
return callback(null, entity, entityConfig, true) if entity?
# no access to entity. Check if entity exists
UserMembershipHandler.getEntityWithoutAuthorizationCheck entityId, entityConfig, (error, entity)->
return callback(error) if error?
callback(null, null, entityConfig, entity?)