Added access check for write and manage actions
This commit is contained in:
parent
4625a302f6
commit
9578989b67
@ -32,7 +32,7 @@
|
|||||||
- [x] Facebook
|
- [x] Facebook
|
||||||
- [x] Access Rights
|
- [x] Access Rights
|
||||||
- [x] View
|
- [x] View
|
||||||
- [ ] Edit / Create
|
- [x] Edit / Create
|
||||||
- [x] Background Agent (git sync, cache purge, etc.)
|
- [x] Background Agent (git sync, cache purge, etc.)
|
||||||
- [x] Caching
|
- [x] Caching
|
||||||
- [x] Create Entry
|
- [x] Create Entry
|
||||||
@ -40,7 +40,7 @@
|
|||||||
- [x] Prerequisites
|
- [x] Prerequisites
|
||||||
- [x] Install
|
- [x] Install
|
||||||
- [ ] Authentication
|
- [ ] Authentication
|
||||||
- [ ] Git
|
- [x] Git
|
||||||
- [x] Upgrade
|
- [x] Upgrade
|
||||||
- [x] Edit Entry
|
- [x] Edit Entry
|
||||||
- [x] Git Management
|
- [x] Git Management
|
||||||
|
@ -12,10 +12,21 @@ router.get('/', (req, res) => {
|
|||||||
});
|
});
|
||||||
|
|
||||||
router.get('/profile', (req, res) => {
|
router.get('/profile', (req, res) => {
|
||||||
|
|
||||||
|
if(res.locals.isGuest) {
|
||||||
|
return res.render('error-forbidden');
|
||||||
|
}
|
||||||
|
|
||||||
res.render('pages/admin/profile', { adminTab: 'profile' });
|
res.render('pages/admin/profile', { adminTab: 'profile' });
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
router.get('/stats', (req, res) => {
|
router.get('/stats', (req, res) => {
|
||||||
|
|
||||||
|
if(res.locals.isGuest) {
|
||||||
|
return res.render('error-forbidden');
|
||||||
|
}
|
||||||
|
|
||||||
Promise.all([
|
Promise.all([
|
||||||
db.Entry.count(),
|
db.Entry.count(),
|
||||||
db.UplFile.count(),
|
db.UplFile.count(),
|
||||||
@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
|
|||||||
}).catch((err) => {
|
}).catch((err) => {
|
||||||
throw err;
|
throw err;
|
||||||
});
|
});
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
router.get('/users', (req, res) => {
|
router.get('/users', (req, res) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.manage) {
|
||||||
|
return res.render('error-forbidden');
|
||||||
|
}
|
||||||
|
|
||||||
res.render('pages/admin/users', { adminTab: 'users' });
|
res.render('pages/admin/users', { adminTab: 'users' });
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
router.get('/settings', (req, res) => {
|
router.get('/settings', (req, res) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.manage) {
|
||||||
|
return res.render('error-forbidden');
|
||||||
|
}
|
||||||
|
|
||||||
res.render('pages/admin/settings', { adminTab: 'settings' });
|
res.render('pages/admin/settings', { adminTab: 'settings' });
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
module.exports = router;
|
module.exports = router;
|
@ -13,6 +13,10 @@ var _ = require('lodash');
|
|||||||
*/
|
*/
|
||||||
router.get('/edit/*', (req, res, next) => {
|
router.get('/edit/*', (req, res, next) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.write) {
|
||||||
|
return res.render('error-forbidden');
|
||||||
|
}
|
||||||
|
|
||||||
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
|
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
|
||||||
|
|
||||||
entries.fetchOriginal(safePath, {
|
entries.fetchOriginal(safePath, {
|
||||||
@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
|
|||||||
|
|
||||||
router.put('/edit/*', (req, res, next) => {
|
router.put('/edit/*', (req, res, next) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.write) {
|
||||||
|
return res.json({
|
||||||
|
ok: false,
|
||||||
|
error: 'Forbidden'
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
|
let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
|
||||||
|
|
||||||
entries.update(safePath, req.body.markdown).then(() => {
|
entries.update(safePath, req.body.markdown).then(() => {
|
||||||
@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
|
|||||||
|
|
||||||
router.get('/create/*', (req, res, next) => {
|
router.get('/create/*', (req, res, next) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.write) {
|
||||||
|
return res.render('error-forbidden');
|
||||||
|
}
|
||||||
|
|
||||||
if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
|
if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
|
||||||
return res.render('error', {
|
return res.render('error', {
|
||||||
message: 'You cannot create a document with this name as it is reserved by the system.',
|
message: 'You cannot create a document with this name as it is reserved by the system.',
|
||||||
@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
|
|||||||
|
|
||||||
router.put('/create/*', (req, res, next) => {
|
router.put('/create/*', (req, res, next) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.write) {
|
||||||
|
return res.json({
|
||||||
|
ok: false,
|
||||||
|
error: 'Forbidden'
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
|
let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
|
||||||
|
|
||||||
entries.create(safePath, req.body.markdown).then(() => {
|
entries.create(safePath, req.body.markdown).then(() => {
|
||||||
@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
|
|||||||
ok: true
|
ok: true
|
||||||
}) || true;
|
}) || true;
|
||||||
}).catch((err) => {
|
}).catch((err) => {
|
||||||
res.json({
|
return res.json({
|
||||||
ok: false,
|
ok: false,
|
||||||
error: err.message
|
error: err.message
|
||||||
});
|
});
|
||||||
@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
|
|||||||
*/
|
*/
|
||||||
router.put('/*', (req, res, next) => {
|
router.put('/*', (req, res, next) => {
|
||||||
|
|
||||||
|
if(!res.locals.rights.write) {
|
||||||
|
return res.json({
|
||||||
|
ok: false,
|
||||||
|
error: 'Forbidden'
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
let safePath = entries.parsePath(req.path);
|
let safePath = entries.parsePath(req.path);
|
||||||
|
|
||||||
if(_.isEmpty(req.body.move)) {
|
if(_.isEmpty(req.body.move)) {
|
||||||
|
@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));
|
|||||||
|
|
||||||
var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
|
var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
|
||||||
global.rights = require(CORE_PATH + 'core-libs/rights');
|
global.rights = require(CORE_PATH + 'core-libs/rights');
|
||||||
|
rights.init();
|
||||||
|
|
||||||
var sessionStore = new sessionMongoStore({
|
var sessionStore = new sessionMongoStore({
|
||||||
mongooseConnection: db.connection,
|
mongooseConnection: db.connection,
|
||||||
|
@ -41,14 +41,15 @@ block content
|
|||||||
a(href='/admin/stats')
|
a(href='/admin/stats')
|
||||||
i.icon-bar-graph-2
|
i.icon-bar-graph-2
|
||||||
span Stats
|
span Stats
|
||||||
li
|
if rights.manage
|
||||||
a(href='/admin/users')
|
li
|
||||||
i.icon-users
|
a(href='/admin/users')
|
||||||
span Users
|
i.icon-users
|
||||||
li
|
span Users
|
||||||
a(href='/admin/settings')
|
li
|
||||||
i.icon-cog
|
a(href='/admin/settings')
|
||||||
span Site Settings
|
i.icon-cog
|
||||||
|
span Site Settings
|
||||||
li
|
li
|
||||||
a(href='/logout')
|
a(href='/logout')
|
||||||
i.icon-delete2
|
i.icon-delete2
|
||||||
|
@ -6,18 +6,20 @@ block rootNavCenter
|
|||||||
block rootNavRight
|
block rootNavRight
|
||||||
i.nav-item#notifload
|
i.nav-item#notifload
|
||||||
span.nav-item
|
span.nav-item
|
||||||
a.button.is-outlined.btn-move-prompt.is-hidden
|
if rights.write
|
||||||
i.icon-shuffle
|
a.button.is-outlined.btn-move-prompt.is-hidden
|
||||||
span Move
|
i.icon-shuffle
|
||||||
|
span Move
|
||||||
a.button.is-outlined(href='/' + pageData.meta.path)
|
a.button.is-outlined(href='/' + pageData.meta.path)
|
||||||
i.icon-loader
|
i.icon-loader
|
||||||
span Normal View
|
span Normal View
|
||||||
a.button.is-orange(href='/edit/' + pageData.meta.path)
|
if rights.write
|
||||||
i.fa.fa-edit
|
a.button.is-orange(href='/edit/' + pageData.meta.path)
|
||||||
span Edit
|
i.fa.fa-edit
|
||||||
a.button.is-blue.btn-create-prompt
|
span Edit
|
||||||
i.fa.fa-plus
|
a.button.is-blue.btn-create-prompt
|
||||||
span Create
|
i.fa.fa-plus
|
||||||
|
span Create
|
||||||
|
|
||||||
block content
|
block content
|
||||||
|
|
||||||
|
@ -11,18 +11,20 @@ mixin tocMenu(ti)
|
|||||||
block rootNavRight
|
block rootNavRight
|
||||||
i.nav-item#notifload
|
i.nav-item#notifload
|
||||||
.nav-item
|
.nav-item
|
||||||
a.button.is-outlined.btn-move-prompt.is-hidden
|
if rights.write
|
||||||
i.icon-shuffle
|
a.button.is-outlined.btn-move-prompt.is-hidden
|
||||||
span Move
|
i.icon-shuffle
|
||||||
|
span Move
|
||||||
a.button.is-outlined(href='/source/' + pageData.meta.path)
|
a.button.is-outlined(href='/source/' + pageData.meta.path)
|
||||||
i.icon-loader
|
i.icon-loader
|
||||||
span Source
|
span Source
|
||||||
a.button(href='/edit/' + pageData.meta.path)
|
if rights.write
|
||||||
i.icon-document-text
|
a.button(href='/edit/' + pageData.meta.path)
|
||||||
span Edit
|
i.icon-document-text
|
||||||
a.button.btn-create-prompt
|
span Edit
|
||||||
i.icon-plus
|
a.button.btn-create-prompt
|
||||||
span Create
|
i.icon-plus
|
||||||
|
span Create
|
||||||
|
|
||||||
block content
|
block content
|
||||||
|
|
||||||
@ -46,10 +48,11 @@ block content
|
|||||||
a(href='/' + pageData.parent.path)
|
a(href='/' + pageData.parent.path)
|
||||||
i.icon-reply
|
i.icon-reply
|
||||||
span= pageData.parent.title
|
span= pageData.parent.title
|
||||||
li
|
if !isGuest
|
||||||
a(href='/admin')
|
li
|
||||||
i.icon-head
|
a(href='/admin')
|
||||||
span Account
|
i.icon-head
|
||||||
|
span Account
|
||||||
aside.stickyscroll(data-margin-top=40)
|
aside.stickyscroll(data-margin-top=40)
|
||||||
.sidebar-label
|
.sidebar-label
|
||||||
i.icon-th-list
|
i.icon-th-list
|
||||||
|
Loading…
Reference in New Issue
Block a user