Added access check for write and manage actions
This commit is contained in:
NGPixel
parent
4625a302f6
commit
9578989b67
@ -32,7 +32,7 @@
|
||||
- [x] Facebook
|
||||
- [x] Access Rights
|
||||
- [x] View
|
||||
- [ ] Edit / Create
|
||||
- [x] Edit / Create
|
||||
- [x] Background Agent (git sync, cache purge, etc.)
|
||||
- [x] Caching
|
||||
- [x] Create Entry
|
||||
@ -40,7 +40,7 @@
|
||||
- [x] Prerequisites
|
||||
- [x] Install
|
||||
- [ ] Authentication
|
||||
- [ ] Git
|
||||
- [x] Git
|
||||
- [x] Upgrade
|
||||
- [x] Edit Entry
|
||||
- [x] Git Management
|
||||
|
||||
@ -12,10 +12,21 @@ router.get('/', (req, res) => {
|
||||
});
|
||||
|
||||
router.get('/profile', (req, res) => {
|
||||
|
||||
if(res.locals.isGuest) {
|
||||
return res.render('error-forbidden');
|
||||
}
|
||||
|
||||
res.render('pages/admin/profile', { adminTab: 'profile' });
|
||||
|
||||
});
|
||||
|
||||
router.get('/stats', (req, res) => {
|
||||
|
||||
if(res.locals.isGuest) {
|
||||
return res.render('error-forbidden');
|
||||
}
|
||||
|
||||
Promise.all([
|
||||
db.Entry.count(),
|
||||
db.UplFile.count(),
|
||||
@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
|
||||
}).catch((err) => {
|
||||
throw err;
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
router.get('/users', (req, res) => {
|
||||
|
||||
if(!res.locals.rights.manage) {
|
||||
return res.render('error-forbidden');
|
||||
}
|
||||
|
||||
res.render('pages/admin/users', { adminTab: 'users' });
|
||||
|
||||
});
|
||||
|
||||
router.get('/settings', (req, res) => {
|
||||
|
||||
if(!res.locals.rights.manage) {
|
||||
return res.render('error-forbidden');
|
||||
}
|
||||
|
||||
res.render('pages/admin/settings', { adminTab: 'settings' });
|
||||
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
@ -13,6 +13,10 @@ var _ = require('lodash');
|
||||
*/
|
||||
router.get('/edit/*', (req, res, next) => {
|
||||
|
||||
if(!res.locals.rights.write) {
|
||||
return res.render('error-forbidden');
|
||||
}
|
||||
|
||||
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
|
||||
|
||||
entries.fetchOriginal(safePath, {
|
||||
@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
|
||||
|
||||
router.put('/edit/*', (req, res, next) => {
|
||||
|
||||
if(!res.locals.rights.write) {
|
||||
return res.json({
|
||||
ok: false,
|
||||
error: 'Forbidden'
|
||||
});
|
||||
}
|
||||
|
||||
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
|
||||
|
||||
entries.update(safePath, req.body.markdown).then(() => {
|
||||
@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
|
||||
|
||||
router.get('/create/*', (req, res, next) => {
|
||||
|
||||
if(!res.locals.rights.write) {
|
||||
return res.render('error-forbidden');
|
||||
}
|
||||
|
||||
if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
|
||||
return res.render('error', {
|
||||
message: 'You cannot create a document with this name as it is reserved by the system.',
|
||||
@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
|
||||
|
||||
router.put('/create/*', (req, res, next) => {
|
||||
|
||||
if(!res.locals.rights.write) {
|
||||
return res.json({
|
||||
ok: false,
|
||||
error: 'Forbidden'
|
||||
});
|
||||
}
|
||||
|
||||
let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
|
||||
|
||||
entries.create(safePath, req.body.markdown).then(() => {
|
||||
@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
|
||||
ok: true
|
||||
}) || true;
|
||||
}).catch((err) => {
|
||||
res.json({
|
||||
return res.json({
|
||||
ok: false,
|
||||
error: err.message
|
||||
});
|
||||
@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
|
||||
*/
|
||||
router.put('/*', (req, res, next) => {
|
||||
|
||||
if(!res.locals.rights.write) {
|
||||
return res.json({
|
||||
ok: false,
|
||||
error: 'Forbidden'
|
||||
});
|
||||
}
|
||||
|
||||
let safePath = entries.parsePath(req.path);
|
||||
|
||||
if(_.isEmpty(req.body.move)) {
|
||||
|
||||
@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));
|
||||
|
||||
var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
|
||||
global.rights = require(CORE_PATH + 'core-libs/rights');
|
||||
rights.init();
|
||||
|
||||
var sessionStore = new sessionMongoStore({
|
||||
mongooseConnection: db.connection,
|
||||
|
||||
@ -41,14 +41,15 @@ block content
|
||||
a(href='/admin/stats')
|
||||
i.icon-bar-graph-2
|
||||
span Stats
|
||||
li
|
||||
a(href='/admin/users')
|
||||
i.icon-users
|
||||
span Users
|
||||
li
|
||||
a(href='/admin/settings')
|
||||
i.icon-cog
|
||||
span Site Settings
|
||||
if rights.manage
|
||||
li
|
||||
a(href='/admin/users')
|
||||
i.icon-users
|
||||
span Users
|
||||
li
|
||||
a(href='/admin/settings')
|
||||
i.icon-cog
|
||||
span Site Settings
|
||||
li
|
||||
a(href='/logout')
|
||||
i.icon-delete2
|
||||
|
||||
@ -6,18 +6,20 @@ block rootNavCenter
|
||||
block rootNavRight
|
||||
i.nav-item#notifload
|
||||
span.nav-item
|
||||
a.button.is-outlined.btn-move-prompt.is-hidden
|
||||
i.icon-shuffle
|
||||
span Move
|
||||
if rights.write
|
||||
a.button.is-outlined.btn-move-prompt.is-hidden
|
||||
i.icon-shuffle
|
||||
span Move
|
||||
a.button.is-outlined(href='/' + pageData.meta.path)
|
||||
i.icon-loader
|
||||
span Normal View
|
||||
a.button.is-orange(href='/edit/' + pageData.meta.path)
|
||||
i.fa.fa-edit
|
||||
span Edit
|
||||
a.button.is-blue.btn-create-prompt
|
||||
i.fa.fa-plus
|
||||
span Create
|
||||
if rights.write
|
||||
a.button.is-orange(href='/edit/' + pageData.meta.path)
|
||||
i.fa.fa-edit
|
||||
span Edit
|
||||
a.button.is-blue.btn-create-prompt
|
||||
i.fa.fa-plus
|
||||
span Create
|
||||
|
||||
block content
|
||||
|
||||
|
||||
@ -11,18 +11,20 @@ mixin tocMenu(ti)
|
||||
block rootNavRight
|
||||
i.nav-item#notifload
|
||||
.nav-item
|
||||
a.button.is-outlined.btn-move-prompt.is-hidden
|
||||
i.icon-shuffle
|
||||
span Move
|
||||
if rights.write
|
||||
a.button.is-outlined.btn-move-prompt.is-hidden
|
||||
i.icon-shuffle
|
||||
span Move
|
||||
a.button.is-outlined(href='/source/' + pageData.meta.path)
|
||||
i.icon-loader
|
||||
span Source
|
||||
a.button(href='/edit/' + pageData.meta.path)
|
||||
i.icon-document-text
|
||||
span Edit
|
||||
a.button.btn-create-prompt
|
||||
i.icon-plus
|
||||
span Create
|
||||
if rights.write
|
||||
a.button(href='/edit/' + pageData.meta.path)
|
||||
i.icon-document-text
|
||||
span Edit
|
||||
a.button.btn-create-prompt
|
||||
i.icon-plus
|
||||
span Create
|
||||
|
||||
block content
|
||||
|
||||
@ -46,10 +48,11 @@ block content
|
||||
a(href='/' + pageData.parent.path)
|
||||
i.icon-reply
|
||||
span= pageData.parent.title
|
||||
li
|
||||
a(href='/admin')
|
||||
i.icon-head
|
||||
span Account
|
||||
if !isGuest
|
||||
li
|
||||
a(href='/admin')
|
||||
i.icon-head
|
||||
span Account
|
||||
aside.stickyscroll(data-margin-top=40)
|
||||
.sidebar-label
|
||||
i.icon-th-list
|
||||
|
||||
Loading…
Reference in New Issue
Block a user