liz/wikijs-fork
liz/wikijs-fork
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added access check for write and manage actions

Browse Source
This commit is contained in:
NGPixel 2017-01-02 23:32:16 -05:00
parent 4625a302f6
commit 9578989b67
7 changed files with 93 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -32,7 +32,7 @@
- [x] Facebook - [x] Facebook
- [x] Access Rights - [x] Access Rights
- [x] View - [x] View
- [ ] Edit / Create - [x] Edit / Create
- [x] Background Agent (git sync, cache purge, etc.) - [x] Background Agent (git sync, cache purge, etc.)
- [x] Caching - [x] Caching
- [x] Create Entry - [x] Create Entry
@ -40,7 +40,7 @@
- [x] Prerequisites - [x] Prerequisites
- [x] Install - [x] Install
- [ ] Authentication - [ ] Authentication
- [ ] Git - [x] Git
- [x] Upgrade - [x] Upgrade
- [x] Edit Entry - [x] Edit Entry
- [x] Git Management - [x] Git Management

24
controllers/admin.js
View File

@ -12,10 +12,21 @@ router.get('/', (req, res) => {
}); });
router.get('/profile', (req, res) => { router.get('/profile', (req, res) => {
if(res.locals.isGuest) {
return res.render('error-forbidden');
}
res.render('pages/admin/profile', { adminTab: 'profile' }); res.render('pages/admin/profile', { adminTab: 'profile' });
}); });
router.get('/stats', (req, res) => { router.get('/stats', (req, res) => {
if(res.locals.isGuest) {
return res.render('error-forbidden');
}
Promise.all([ Promise.all([
db.Entry.count(), db.Entry.count(),
db.UplFile.count(), db.UplFile.count(),
@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
}).catch((err) => { }).catch((err) => {
throw err; throw err;
}); });
}); });
router.get('/users', (req, res) => { router.get('/users', (req, res) => {
if(!res.locals.rights.manage) {
return res.render('error-forbidden');
}
res.render('pages/admin/users', { adminTab: 'users' }); res.render('pages/admin/users', { adminTab: 'users' });
}); });
router.get('/settings', (req, res) => { router.get('/settings', (req, res) => {
if(!res.locals.rights.manage) {
return res.render('error-forbidden');
}
res.render('pages/admin/settings', { adminTab: 'settings' }); res.render('pages/admin/settings', { adminTab: 'settings' });
}); });
module.exports = router; module.exports = router;

31
controllers/pages.js
View File

@ -13,6 +13,10 @@ var _ = require('lodash');
*/ */
router.get('/edit/*', (req, res, next) => { router.get('/edit/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.render('error-forbidden');
}
let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
entries.fetchOriginal(safePath, { entries.fetchOriginal(safePath, {
@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
router.put('/edit/*', (req, res, next) => { router.put('/edit/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
entries.update(safePath, req.body.markdown).then(() => { entries.update(safePath, req.body.markdown).then(() => {
@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
router.get('/create/*', (req, res, next) => { router.get('/create/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.render('error-forbidden');
}
if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) { if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
return res.render('error', { return res.render('error', {
message: 'You cannot create a document with this name as it is reserved by the system.', message: 'You cannot create a document with this name as it is reserved by the system.',
@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
router.put('/create/*', (req, res, next) => { router.put('/create/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(_.replace(req.path, '/create', '')); let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
entries.create(safePath, req.body.markdown).then(() => { entries.create(safePath, req.body.markdown).then(() => {
@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
ok: true ok: true
}) || true; }) || true;
}).catch((err) => { }).catch((err) => {
res.json({ return res.json({
ok: false, ok: false,
error: err.message error: err.message
}); });
@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
*/ */
router.put('/*', (req, res, next) => { router.put('/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(req.path); let safePath = entries.parsePath(req.path);
if(_.isEmpty(req.body.move)) { if(_.isEmpty(req.body.move)) {

1
server.js
View File

@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));
var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig); var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
global.rights = require(CORE_PATH + 'core-libs/rights'); global.rights = require(CORE_PATH + 'core-libs/rights');
rights.init();
var sessionStore = new sessionMongoStore({ var sessionStore = new sessionMongoStore({
mongooseConnection: db.connection, mongooseConnection: db.connection,

1
views/pages/admin/_layout.pug
View File

@ -41,6 +41,7 @@ block content
a(href='/admin/stats') a(href='/admin/stats')
i.icon-bar-graph-2 i.icon-bar-graph-2
span Stats span Stats
if rights.manage
li li
a(href='/admin/users') a(href='/admin/users')
i.icon-users i.icon-users

2
views/pages/source.pug
View File

@ -6,12 +6,14 @@ block rootNavCenter
block rootNavRight block rootNavRight
i.nav-item#notifload i.nav-item#notifload
span.nav-item span.nav-item
if rights.write
a.button.is-outlined.btn-move-prompt.is-hidden a.button.is-outlined.btn-move-prompt.is-hidden
i.icon-shuffle i.icon-shuffle
span Move span Move
a.button.is-outlined(href='/' + pageData.meta.path) a.button.is-outlined(href='/' + pageData.meta.path)
i.icon-loader i.icon-loader
span Normal View span Normal View
if rights.write
a.button.is-orange(href='/edit/' + pageData.meta.path) a.button.is-orange(href='/edit/' + pageData.meta.path)
i.fa.fa-edit i.fa.fa-edit
span Edit span Edit

3
views/pages/view.pug
View File

@ -11,12 +11,14 @@ mixin tocMenu(ti)
block rootNavRight block rootNavRight
i.nav-item#notifload i.nav-item#notifload
.nav-item .nav-item
if rights.write
a.button.is-outlined.btn-move-prompt.is-hidden a.button.is-outlined.btn-move-prompt.is-hidden
i.icon-shuffle i.icon-shuffle
span Move span Move
a.button.is-outlined(href='/source/' + pageData.meta.path) a.button.is-outlined(href='/source/' + pageData.meta.path)
i.icon-loader i.icon-loader
span Source span Source
if rights.write
a.button(href='/edit/' + pageData.meta.path) a.button(href='/edit/' + pageData.meta.path)
i.icon-document-text i.icon-document-text
span Edit span Edit
@ -46,6 +48,7 @@ block content
a(href='/' + pageData.parent.path) a(href='/' + pageData.parent.path)
i.icon-reply i.icon-reply
span= pageData.parent.title span= pageData.parent.title
if !isGuest
li li
a(href='/admin') a(href='/admin')
i.icon-head i.icon-head