Added access check for write and manage actions

This commit is contained in:
NGPixel 2017-01-02 23:32:16 -05:00
parent 4625a302f6
commit 9578989b67
7 changed files with 93 additions and 33 deletions

View File

@ -32,7 +32,7 @@
- [x] Facebook - [x] Facebook
- [x] Access Rights - [x] Access Rights
- [x] View - [x] View
- [ ] Edit / Create - [x] Edit / Create
- [x] Background Agent (git sync, cache purge, etc.) - [x] Background Agent (git sync, cache purge, etc.)
- [x] Caching - [x] Caching
- [x] Create Entry - [x] Create Entry
@ -40,7 +40,7 @@
- [x] Prerequisites - [x] Prerequisites
- [x] Install - [x] Install
- [ ] Authentication - [ ] Authentication
- [ ] Git - [x] Git
- [x] Upgrade - [x] Upgrade
- [x] Edit Entry - [x] Edit Entry
- [x] Git Management - [x] Git Management

View File

@ -12,10 +12,21 @@ router.get('/', (req, res) => {
}); });
router.get('/profile', (req, res) => { router.get('/profile', (req, res) => {
if(res.locals.isGuest) {
return res.render('error-forbidden');
}
res.render('pages/admin/profile', { adminTab: 'profile' }); res.render('pages/admin/profile', { adminTab: 'profile' });
}); });
router.get('/stats', (req, res) => { router.get('/stats', (req, res) => {
if(res.locals.isGuest) {
return res.render('error-forbidden');
}
Promise.all([ Promise.all([
db.Entry.count(), db.Entry.count(),
db.UplFile.count(), db.UplFile.count(),
@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
}).catch((err) => { }).catch((err) => {
throw err; throw err;
}); });
}); });
router.get('/users', (req, res) => { router.get('/users', (req, res) => {
if(!res.locals.rights.manage) {
return res.render('error-forbidden');
}
res.render('pages/admin/users', { adminTab: 'users' }); res.render('pages/admin/users', { adminTab: 'users' });
}); });
router.get('/settings', (req, res) => { router.get('/settings', (req, res) => {
if(!res.locals.rights.manage) {
return res.render('error-forbidden');
}
res.render('pages/admin/settings', { adminTab: 'settings' }); res.render('pages/admin/settings', { adminTab: 'settings' });
}); });
module.exports = router; module.exports = router;

View File

@ -13,6 +13,10 @@ var _ = require('lodash');
*/ */
router.get('/edit/*', (req, res, next) => { router.get('/edit/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.render('error-forbidden');
}
let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
entries.fetchOriginal(safePath, { entries.fetchOriginal(safePath, {
@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
router.put('/edit/*', (req, res, next) => { router.put('/edit/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
entries.update(safePath, req.body.markdown).then(() => { entries.update(safePath, req.body.markdown).then(() => {
@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
router.get('/create/*', (req, res, next) => { router.get('/create/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.render('error-forbidden');
}
if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) { if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
return res.render('error', { return res.render('error', {
message: 'You cannot create a document with this name as it is reserved by the system.', message: 'You cannot create a document with this name as it is reserved by the system.',
@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
router.put('/create/*', (req, res, next) => { router.put('/create/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(_.replace(req.path, '/create', '')); let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
entries.create(safePath, req.body.markdown).then(() => { entries.create(safePath, req.body.markdown).then(() => {
@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
ok: true ok: true
}) || true; }) || true;
}).catch((err) => { }).catch((err) => {
res.json({ return res.json({
ok: false, ok: false,
error: err.message error: err.message
}); });
@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
*/ */
router.put('/*', (req, res, next) => { router.put('/*', (req, res, next) => {
if(!res.locals.rights.write) {
return res.json({
ok: false,
error: 'Forbidden'
});
}
let safePath = entries.parsePath(req.path); let safePath = entries.parsePath(req.path);
if(_.isEmpty(req.body.move)) { if(_.isEmpty(req.body.move)) {

View File

@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));
var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig); var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
global.rights = require(CORE_PATH + 'core-libs/rights'); global.rights = require(CORE_PATH + 'core-libs/rights');
rights.init();
var sessionStore = new sessionMongoStore({ var sessionStore = new sessionMongoStore({
mongooseConnection: db.connection, mongooseConnection: db.connection,

View File

@ -41,14 +41,15 @@ block content
a(href='/admin/stats') a(href='/admin/stats')
i.icon-bar-graph-2 i.icon-bar-graph-2
span Stats span Stats
li if rights.manage
a(href='/admin/users') li
i.icon-users a(href='/admin/users')
span Users i.icon-users
li span Users
a(href='/admin/settings') li
i.icon-cog a(href='/admin/settings')
span Site Settings i.icon-cog
span Site Settings
li li
a(href='/logout') a(href='/logout')
i.icon-delete2 i.icon-delete2

View File

@ -6,18 +6,20 @@ block rootNavCenter
block rootNavRight block rootNavRight
i.nav-item#notifload i.nav-item#notifload
span.nav-item span.nav-item
a.button.is-outlined.btn-move-prompt.is-hidden if rights.write
i.icon-shuffle a.button.is-outlined.btn-move-prompt.is-hidden
span Move i.icon-shuffle
span Move
a.button.is-outlined(href='/' + pageData.meta.path) a.button.is-outlined(href='/' + pageData.meta.path)
i.icon-loader i.icon-loader
span Normal View span Normal View
a.button.is-orange(href='/edit/' + pageData.meta.path) if rights.write
i.fa.fa-edit a.button.is-orange(href='/edit/' + pageData.meta.path)
span Edit i.fa.fa-edit
a.button.is-blue.btn-create-prompt span Edit
i.fa.fa-plus a.button.is-blue.btn-create-prompt
span Create i.fa.fa-plus
span Create
block content block content

View File

@ -11,18 +11,20 @@ mixin tocMenu(ti)
block rootNavRight block rootNavRight
i.nav-item#notifload i.nav-item#notifload
.nav-item .nav-item
a.button.is-outlined.btn-move-prompt.is-hidden if rights.write
i.icon-shuffle a.button.is-outlined.btn-move-prompt.is-hidden
span Move i.icon-shuffle
span Move
a.button.is-outlined(href='/source/' + pageData.meta.path) a.button.is-outlined(href='/source/' + pageData.meta.path)
i.icon-loader i.icon-loader
span Source span Source
a.button(href='/edit/' + pageData.meta.path) if rights.write
i.icon-document-text a.button(href='/edit/' + pageData.meta.path)
span Edit i.icon-document-text
a.button.btn-create-prompt span Edit
i.icon-plus a.button.btn-create-prompt
span Create i.icon-plus
span Create
block content block content
@ -46,10 +48,11 @@ block content
a(href='/' + pageData.parent.path) a(href='/' + pageData.parent.path)
i.icon-reply i.icon-reply
span= pageData.parent.title span= pageData.parent.title
li if !isGuest
a(href='/admin') li
i.icon-head a(href='/admin')
span Account i.icon-head
span Account
aside.stickyscroll(data-margin-top=40) aside.stickyscroll(data-margin-top=40)
.sidebar-label .sidebar-label
i.icon-th-list i.icon-th-list