Added access check for write and manage actions

7 years ago · 9578989b67
7 changed files with 93 additions and 33 deletions
--- a/README.md
+++ b/README.md
@ -32,7 +32,7 @@
 		- [x] Facebook
 	- [x] Access Rights
 		- [x] View
-		- [ ] Edit / Create
+		- [x] Edit / Create
 - [x] Background Agent (git sync, cache purge, etc.)
 - [x] Caching
 - [x] Create Entry
@ -40,7 +40,7 @@
 	- [x] Prerequisites
 	- [x] Install
 	- [ ] Authentication
-	- [ ] Git
+	- [x] Git
 	- [x] Upgrade
 - [x] Edit Entry
 - [x] Git Management
--- a/controllers/admin.js
+++ b/controllers/admin.js
@ -12,10 +12,21 @@ router.get('/', (req, res) => {
 });

 router.get('/profile', (req, res) => {
+
+	if(res.locals.isGuest) {
+		return res.render('error-forbidden');
+	}
+
 	res.render('pages/admin/profile', { adminTab: 'profile' });
+
 });

 router.get('/stats', (req, res) => {
+
+	if(res.locals.isGuest) {
+		return res.render('error-forbidden');
+	}
+
 	Promise.all([
 		db.Entry.count(),
 		db.UplFile.count(),
@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
 	}).catch((err) => {
 		throw err;
 	});
+
 });

 router.get('/users', (req, res) => {
+
+	if(!res.locals.rights.manage) {
+		return res.render('error-forbidden');
+	}
+
 	res.render('pages/admin/users', { adminTab: 'users' });
+
 });

 router.get('/settings', (req, res) => {
+
+	if(!res.locals.rights.manage) {
+		return res.render('error-forbidden');
+	}
+
 	res.render('pages/admin/settings', { adminTab: 'settings' });
+
 });

 module.exports = router;
--- a/controllers/pages.js
+++ b/controllers/pages.js
@ -13,6 +13,10 @@ var _ = require('lodash');
 */
 router.get('/edit/*', (req, res, next) => {

+	if(!res.locals.rights.write) {
+		return res.render('error-forbidden');
+	}
+
 	let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));

 	entries.fetchOriginal(safePath, {
@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {

 router.put('/edit/*', (req, res, next) => {

+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
+
 	let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));

 	entries.update(safePath, req.body.markdown).then(() => {
@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {

 router.get('/create/*', (req, res, next) => {

+	if(!res.locals.rights.write) {
+		return res.render('error-forbidden');
+	}
+
 	if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
 		return res.render('error', {
 			message: 'You cannot create a document with this name as it is reserved by the system.',
@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {

 router.put('/create/*', (req, res, next) => {

+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
+
 	let safePath = entries.parsePath(_.replace(req.path, '/create', ''));

 	entries.create(safePath, req.body.markdown).then(() => {
@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
 			ok: true
 		}) || true;
 	}).catch((err) => {
-		res.json({
+		return res.json({
 			ok: false,
 			error: err.message
 		});
@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
 */
 router.put('/*', (req, res, next) => {

+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
+
 	let safePath = entries.parsePath(req.path);

 	if(_.isEmpty(req.body.move)) {
--- a/server.js
+++ b/server.js
@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));

 var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
 global.rights = require(CORE_PATH + 'core-libs/rights');
+rights.init();

 var sessionStore = new sessionMongoStore({
  mongooseConnection: db.connection,
--- a/views/pages/admin/_layout.pug
+++ b/views/pages/admin/_layout.pug
@ -41,14 +41,15 @@ block content
 								a(href='/admin/stats')
 									i.icon-bar-graph-2
 									span Stats
-							li
-								a(href='/admin/users')
-									i.icon-users
-									span Users
-							li
-								a(href='/admin/settings')
-									i.icon-cog
-									span Site Settings
+							if rights.manage
+								li
+									a(href='/admin/users')
+										i.icon-users
+										span Users
+								li
+									a(href='/admin/settings')
+										i.icon-cog
+										span Site Settings
 							li
 								a(href='/logout')
 									i.icon-delete2
--- a/views/pages/source.pug
+++ b/views/pages/source.pug
@ -6,18 +6,20 @@ block rootNavCenter
 block rootNavRight
 	i.nav-item#notifload
 	span.nav-item
-		a.button.is-outlined.btn-move-prompt.is-hidden
-			i.icon-shuffle
-			span Move
+		if rights.write
+			a.button.is-outlined.btn-move-prompt.is-hidden
+				i.icon-shuffle
+				span Move
 		a.button.is-outlined(href='/' + pageData.meta.path)
 			i.icon-loader
 			span Normal View
-		a.button.is-orange(href='/edit/' + pageData.meta.path)
-			i.fa.fa-edit
-			span Edit
-		a.button.is-blue.btn-create-prompt
-			i.fa.fa-plus
-			span Create
+		if rights.write
+			a.button.is-orange(href='/edit/' + pageData.meta.path)
+				i.fa.fa-edit
+				span Edit
+			a.button.is-blue.btn-create-prompt
+				i.fa.fa-plus
+				span Create

 block content

--- a/views/pages/view.pug
+++ b/views/pages/view.pug
@ -11,18 +11,20 @@ mixin tocMenu(ti)
 block rootNavRight
 	i.nav-item#notifload
 	.nav-item
-		a.button.is-outlined.btn-move-prompt.is-hidden
-			i.icon-shuffle
-			span Move
+		if rights.write
+			a.button.is-outlined.btn-move-prompt.is-hidden
+				i.icon-shuffle
+				span Move
 		a.button.is-outlined(href='/source/' + pageData.meta.path)
 			i.icon-loader
 			span Source
-		a.button(href='/edit/' + pageData.meta.path)
-			i.icon-document-text
-			span Edit
-		a.button.btn-create-prompt
-			i.icon-plus
-			span Create
+		if rights.write
+			a.button(href='/edit/' + pageData.meta.path)
+				i.icon-document-text
+				span Edit
+			a.button.btn-create-prompt
+				i.icon-plus
+				span Create

 block content

@ -46,10 +48,11 @@ block content
 									a(href='/' + pageData.parent.path)
 										i.icon-reply
 										span= pageData.parent.title
-							li
-								a(href='/admin')
-									i.icon-head
-									span Account
+							if !isGuest
+								li
+									a(href='/admin')
+										i.icon-head
+										span Account
 					aside.stickyscroll(data-margin-top=40)
 						.sidebar-label
 							i.icon-th-list