diff --git a/README.md b/README.md index 602cf754..a232218a 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ - [x] Facebook - [x] Access Rights - [x] View - - [ ] Edit / Create + - [x] Edit / Create - [x] Background Agent (git sync, cache purge, etc.) - [x] Caching - [x] Create Entry @@ -40,7 +40,7 @@ - [x] Prerequisites - [x] Install - [ ] Authentication - - [ ] Git + - [x] Git - [x] Upgrade - [x] Edit Entry - [x] Git Management diff --git a/controllers/admin.js b/controllers/admin.js index 089fe97b..1388d0cf 100644 --- a/controllers/admin.js +++ b/controllers/admin.js @@ -12,10 +12,21 @@ router.get('/', (req, res) => { }); router.get('/profile', (req, res) => { + + if(res.locals.isGuest) { + return res.render('error-forbidden'); + } + res.render('pages/admin/profile', { adminTab: 'profile' }); + }); router.get('/stats', (req, res) => { + + if(res.locals.isGuest) { + return res.render('error-forbidden'); + } + Promise.all([ db.Entry.count(), db.UplFile.count(), @@ -28,14 +39,27 @@ router.get('/stats', (req, res) => { }).catch((err) => { throw err; }); + }); router.get('/users', (req, res) => { + + if(!res.locals.rights.manage) { + return res.render('error-forbidden'); + } + res.render('pages/admin/users', { adminTab: 'users' }); + }); router.get('/settings', (req, res) => { + + if(!res.locals.rights.manage) { + return res.render('error-forbidden'); + } + res.render('pages/admin/settings', { adminTab: 'settings' }); + }); module.exports = router; \ No newline at end of file diff --git a/controllers/pages.js b/controllers/pages.js index 88139f80..0a4bffc5 100644 --- a/controllers/pages.js +++ b/controllers/pages.js @@ -13,6 +13,10 @@ var _ = require('lodash'); */ router.get('/edit/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.render('error-forbidden'); + } + let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); entries.fetchOriginal(safePath, { @@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => { router.put('/edit/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.json({ + ok: false, + error: 'Forbidden' + }); + } + let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); entries.update(safePath, req.body.markdown).then(() => { @@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => { router.get('/create/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.render('error-forbidden'); + } + if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) { return res.render('error', { message: 'You cannot create a document with this name as it is reserved by the system.', @@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => { router.put('/create/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.json({ + ok: false, + error: 'Forbidden' + }); + } + let safePath = entries.parsePath(_.replace(req.path, '/create', '')); entries.create(safePath, req.body.markdown).then(() => { @@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => { ok: true }) || true; }).catch((err) => { - res.json({ + return res.json({ ok: false, error: err.message }); @@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => { */ router.put('/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.json({ + ok: false, + error: 'Forbidden' + }); + } + let safePath = entries.parsePath(req.path); if(_.isEmpty(req.body.move)) { diff --git a/server.js b/server.js index eaee3c8b..abb82824 100644 --- a/server.js +++ b/server.js @@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets'))); var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig); global.rights = require(CORE_PATH + 'core-libs/rights'); +rights.init(); var sessionStore = new sessionMongoStore({ mongooseConnection: db.connection, diff --git a/views/pages/admin/_layout.pug b/views/pages/admin/_layout.pug index d3ad3c70..27707e93 100644 --- a/views/pages/admin/_layout.pug +++ b/views/pages/admin/_layout.pug @@ -41,14 +41,15 @@ block content a(href='/admin/stats') i.icon-bar-graph-2 span Stats - li - a(href='/admin/users') - i.icon-users - span Users - li - a(href='/admin/settings') - i.icon-cog - span Site Settings + if rights.manage + li + a(href='/admin/users') + i.icon-users + span Users + li + a(href='/admin/settings') + i.icon-cog + span Site Settings li a(href='/logout') i.icon-delete2 diff --git a/views/pages/source.pug b/views/pages/source.pug index 16a972bc..e1048719 100644 --- a/views/pages/source.pug +++ b/views/pages/source.pug @@ -6,18 +6,20 @@ block rootNavCenter block rootNavRight i.nav-item#notifload span.nav-item - a.button.is-outlined.btn-move-prompt.is-hidden - i.icon-shuffle - span Move + if rights.write + a.button.is-outlined.btn-move-prompt.is-hidden + i.icon-shuffle + span Move a.button.is-outlined(href='/' + pageData.meta.path) i.icon-loader span Normal View - a.button.is-orange(href='/edit/' + pageData.meta.path) - i.fa.fa-edit - span Edit - a.button.is-blue.btn-create-prompt - i.fa.fa-plus - span Create + if rights.write + a.button.is-orange(href='/edit/' + pageData.meta.path) + i.fa.fa-edit + span Edit + a.button.is-blue.btn-create-prompt + i.fa.fa-plus + span Create block content diff --git a/views/pages/view.pug b/views/pages/view.pug index 02c79d3a..df5cda8a 100644 --- a/views/pages/view.pug +++ b/views/pages/view.pug @@ -11,18 +11,20 @@ mixin tocMenu(ti) block rootNavRight i.nav-item#notifload .nav-item - a.button.is-outlined.btn-move-prompt.is-hidden - i.icon-shuffle - span Move + if rights.write + a.button.is-outlined.btn-move-prompt.is-hidden + i.icon-shuffle + span Move a.button.is-outlined(href='/source/' + pageData.meta.path) i.icon-loader span Source - a.button(href='/edit/' + pageData.meta.path) - i.icon-document-text - span Edit - a.button.btn-create-prompt - i.icon-plus - span Create + if rights.write + a.button(href='/edit/' + pageData.meta.path) + i.icon-document-text + span Edit + a.button.btn-create-prompt + i.icon-plus + span Create block content @@ -46,10 +48,11 @@ block content a(href='/' + pageData.parent.path) i.icon-reply span= pageData.parent.title - li - a(href='/admin') - i.icon-head - span Account + if !isGuest + li + a(href='/admin') + i.icon-head + span Account aside.stickyscroll(data-margin-top=40) .sidebar-label i.icon-th-list