feat: All Pages - Limit to user access rights

7 years ago · 864a070163
3 changed files with 23 additions and 15 deletions
--- a/server/controllers/ws.js
+++ b/server/controllers/ws.js
@ -25,7 +25,7 @@ module.exports = (socket) => {
  if (socket.request.user.logged_in) {
    socket.on('treeFetch', (data, cb) => {
      cb = cb || _.noop
-      entries.getFromTree(data.basePath).then((f) => {
+      entries.getFromTree(data.basePath, socket.request.user).then((f) => {
        return cb(f) || true
      })
    })
--- a/server/libs/entries.js
+++ b/server/libs/entries.js
@ -300,10 +300,10 @@ module.exports = {
  /**
   * Create a new document
   *
-   * @param      {String}            entryPath  The entry path
-   * @param      {String}            contents   The markdown-formatted contents
+   * @param {String} entryPath The entry path
+   * @param {String}  contents The markdown-formatted contents
   * @param {Object} author The author user object
-   * @return     {Promise<Boolean>}  True on success, false on failure
+   * @return {Promise<Boolean>} True on success, false on failure
   */
  create (entryPath, contents, author) {
    let self = this
@ -327,10 +327,10 @@ module.exports = {
  /**
   * Makes a document persistent to disk and git repository
   *
-   * @param      {String}            entryPath  The entry path
-   * @param      {String}            contents   The markdown-formatted contents
+   * @param {String} entryPath The entry path
+   * @param {String} contents The markdown-formatted contents
   * @param {Object} author The author user object
-   * @return     {Promise<Boolean>}  True on success, false on failure
+   * @return {Promise<Boolean>} True on success, false on failure
   */
  makePersistent (entryPath, contents, author) {
    let fpath = entryHelper.getFullPath(entryPath)
@ -343,10 +343,10 @@ module.exports = {
  /**
   * Move a document
   *
-   * @param      {String}   entryPath     The current entry path
-   * @param      {String}   newEntryPath  The new entry path
+   * @param {String} entryPath The current entry path
+   * @param {String} newEntryPath  The new entry path
   * @param {Object} author The author user object
-   * @return     {Promise}  Promise of the operation
+   * @return {Promise} Promise of the operation
   */
  move (entryPath, newEntryPath, author) {
    let self = this
@ -393,9 +393,15 @@ module.exports = {
   * Get all entries from base path
   *
   * @param {String} basePath Path to list from
+   * @param {Object} usr Current user
   * @return {Promise<Array>} List of entries
   */
-  getFromTree (basePath) {
-    return db.Entry.find({ parentPath: basePath }, 'title parentPath isDirectory isEntry').sort({ title: 'asc' })
+  getFromTree (basePath, usr) {
+    return db.Entry.find({ parentPath: basePath }, 'title parentPath isDirectory isEntry').sort({ title: 'asc' }).then(results => {
+      return _.filter(results, r => {
+        console.log(r._id, rights.checkRole(r._id, usr.rights, 'read'))
+        return rights.checkRole('/' + r._id, usr.rights, 'read')
+      })
+    })
  }
 }
--- a/server/libs/rights.js
+++ b/server/libs/rights.js
@ -58,15 +58,15 @@ module.exports = {
    let rt = []
    let p = _.chain(req.originalUrl).toLower().trim().value()

-    // Load User Rights
+    // Load user rights

    if (_.isArray(req.user.rights)) {
      rt = req.user.rights
    }

-    // Is admin?
+    // Check rights

-    if (_.find(rt, { role: 'admin' })) {
+    if (self.checkRole(p, rt, 'admin')) {
      perm.read = true
      perm.write = true
      perm.manage = true
@ -89,6 +89,8 @@ module.exports = {
   * @return     {boolean}        True if authorized
   */
  checkRole (p, rt, role) {
+    if (_.find(rt, { role: 'admin' })) { return true }
+
    // Check specific role on path

    let filteredRights = _.filter(rt, (r) => {