Added access check for write and manage actions

9578989b · NGPixel · 4625a302 · 9578989b · 9578989b · 9578989b
Commit 9578989b authored Jan 02, 2017 by NGPixel
7 changed files
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@
 		- [x] Facebook
 	- [x] Access Rights
 		- [x] View
-		- [ ] Edit / Create
+		- [x] Edit / Create
 - [x] Background Agent (git sync, cache purge, etc.)
 - [x] Caching
 - [x] Create Entry
@@ -40,7 +40,7 @@
 	- [x] Prerequisites
 	- [x] Install
 	- [ ] Authentication
-	- [ ] Git
+	- [x] Git
 	- [x] Upgrade
 - [x] Edit Entry
 - [x] Git Management

--- a/controllers/admin.js
+++ b/controllers/admin.js
@@ -12,10 +12,21 @@ router.get('/', (req, res) => {
 });
 router.get('/profile', (req, res) => {
+	if(res.locals.isGuest) {
+		return res.render('error-forbidden');
+	}
 	res.render('pages/admin/profile', { adminTab: 'profile' });
 });
 router.get('/stats', (req, res) => {
+	if(res.locals.isGuest) {
+		return res.render('error-forbidden');
+	}
 	Promise.all([
 		db.Entry.count(),
 		db.UplFile.count(),
@@ -28,14 +39,27 @@ router.get('/stats', (req, res) => {
 	}).catch((err) => {
 		throw err;
 	});
 });
 router.get('/users', (req, res) => {
+	if(!res.locals.rights.manage) {
+		return res.render('error-forbidden');
+	}
 	res.render('pages/admin/users', { adminTab: 'users' });
 });
 router.get('/settings', (req, res) => {
+	if(!res.locals.rights.manage) {
+		return res.render('error-forbidden');
+	}
 	res.render('pages/admin/settings', { adminTab: 'settings' });
 });
 module.exports = router;
\ No newline at end of file
--- a/controllers/pages.js
+++ b/controllers/pages.js
@@ -13,6 +13,10 @@ var _ = require('lodash');
 */
 router.get('/edit/*', (req, res, next) => {
+	if(!res.locals.rights.write) {
+		return res.render('error-forbidden');
+	}
 	let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
 	entries.fetchOriginal(safePath, {
@@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => {
 router.put('/edit/*', (req, res, next) => {
+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
 	let safePath = entries.parsePath(_.replace(req.path, '/edit', ''));
 	entries.update(safePath, req.body.markdown).then(() => {
@@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => {
 router.get('/create/*', (req, res, next) => {
+	if(!res.locals.rights.write) {
+		return res.render('error-forbidden');
+	}
 	if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) {
 		return res.render('error', {
 			message: 'You cannot create a document with this name as it is reserved by the system.',
@@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => {
 router.put('/create/*', (req, res, next) => {
+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
 	let safePath = entries.parsePath(_.replace(req.path, '/create', ''));
 	entries.create(safePath, req.body.markdown).then(() => {
@@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => {
 			ok: true
 		}) || true;
 	}).catch((err) => {
-		res.json({
+		return res.json({
 			ok: false,
 			error: err.message
 		});
@@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => {
 */
 router.put('/*', (req, res, next) => {
+	if(!res.locals.rights.write) {
+		return res.json({
+			ok: false,
+			error: 'Forbidden'
+		});
+	}
 	let safePath = entries.parsePath(req.path);
 	if(_.isEmpty(req.body.move)) {

--- a/server.js
+++ b/server.js
@@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets')));
 var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig);
 global.rights = require(CORE_PATH + 'core-libs/rights');
+rights.init();
 var sessionStore = new sessionMongoStore({
  mongooseConnection: db.connection,

--- a/views/pages/admin/_layout.pug
+++ b/views/pages/admin/_layout.pug
@@ -41,14 +41,15 @@ block content
 								a(href='/admin/stats')
 									i.icon-bar-graph-2
 									span Stats
-							li
+							if rights.manage
-								a(href='/admin/users')
+								li
-									i.icon-users
+									a(href='/admin/users')
-									span Users
+										i.icon-users
-							li
+										span Users
-								a(href='/admin/settings')
+								li
-									i.icon-cog
+									a(href='/admin/settings')
-									span Site Settings
+										i.icon-cog
+										span Site Settings
 							li
 								a(href='/logout')
 									i.icon-delete2

--- a/views/pages/source.pug
+++ b/views/pages/source.pug
@@ -6,18 +6,20 @@ block rootNavCenter
 block rootNavRight
 	i.nav-item#notifload
 	span.nav-item
-		a.button.is-outlined.btn-move-prompt.is-hidden
+		if rights.write
-			i.icon-shuffle
+			a.button.is-outlined.btn-move-prompt.is-hidden
-			span Move
+				i.icon-shuffle
+				span Move
 		a.button.is-outlined(href='/' + pageData.meta.path)
 			i.icon-loader
 			span Normal View
-		a.button.is-orange(href='/edit/' + pageData.meta.path)
+		if rights.write
-			i.fa.fa-edit
+			a.button.is-orange(href='/edit/' + pageData.meta.path)
-			span Edit
+				i.fa.fa-edit
-		a.button.is-blue.btn-create-prompt
+				span Edit
-			i.fa.fa-plus
+			a.button.is-blue.btn-create-prompt
-			span Create
+				i.fa.fa-plus
+				span Create
 block content

--- a/views/pages/view.pug
+++ b/views/pages/view.pug
@@ -11,18 +11,20 @@ mixin tocMenu(ti)
 block rootNavRight
 	i.nav-item#notifload
 	.nav-item
-		a.button.is-outlined.btn-move-prompt.is-hidden
+		if rights.write
-			i.icon-shuffle
+			a.button.is-outlined.btn-move-prompt.is-hidden
-			span Move
+				i.icon-shuffle
+				span Move
 		a.button.is-outlined(href='/source/' + pageData.meta.path)
 			i.icon-loader
 			span Source
-		a.button(href='/edit/' + pageData.meta.path)
+		if rights.write
-			i.icon-document-text
+			a.button(href='/edit/' + pageData.meta.path)
-			span Edit
+				i.icon-document-text
-		a.button.btn-create-prompt
+				span Edit
-			i.icon-plus
+			a.button.btn-create-prompt
-			span Create
+				i.icon-plus
+				span Create
 block content
@@ -46,10 +48,11 @@ block content
 									a(href='/' + pageData.parent.path)
 										i.icon-reply
 										span= pageData.parent.title
-							li
+							if !isGuest
-								a(href='/admin')
+								li
-									i.icon-head
+									a(href='/admin')
-									span Account
+										i.icon-head
+										span Account
 					aside.stickyscroll(data-margin-top=40)
 						.sidebar-label
 							i.icon-th-list