Added access check for write and manage actions

controllers/pages.js

@@ -13,6 +13,10 @@ var _ = require('lodash');
  */
 router.get('/edit/*', (req, res, next) => {
 
+	if(!res.locals.rights.write) {
+		return res.render('error-forbidden');
+	}
+
 	let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
 
 	entries.fetchOriginal(safePath, {
@@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
 
 router.put('/edit/*', (req, res, next) => {
 
+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
+
 	let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
 
 	entries.update(safePath, req.body.markdown).then(() => {
@@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
 
 router.get('/create/*', (req, res, next) => {
 
+	if(!res.locals.rights.write) {
+		return res.render('error-forbidden');
+	}
+
 	if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
 		return res.render('error', {
 			message: 'You cannot create a document with this name as it is reserved by the system.',
@@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
 
 router.put('/create/*', (req, res, next) => {
 
+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
+
 	let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
 
 	entries.create(safePath, req.body.markdown).then(() => {
@@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
 			ok: true
 		}) || true;
 	}).catch((err) => {
-		res.json({
+		return res.json({
 			ok: false,
 			error: err.message
 		});
@@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
  */
 router.put('/*', (req, res, next) => {
 
+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
+
 	let safePath = entries.parsePath(req.path);
 
 	if(_.isEmpty(req.body.move)) {