access controls: promisification

`getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to
`true` or `false` as appropriate, and throwing an exception if there's an
error.

The two call sites (padreadonly.js and importexport.js) updated to match.
This commit is contained in:
Ray Bellis 2019-01-23 16:29:36 +00:00
parent 34fdaa4e8c
commit d5d28717c4
3 changed files with 39 additions and 70 deletions

View file

@ -5,12 +5,11 @@ var importHandler = require('../../handler/ImportHandler');
var padManager = require("../../db/PadManager");
exports.expressCreateServer = function (hook_name, args, cb) {
args.app.get('/p/:pad/:rev?/export/:type', function(req, res, next) {
args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
//send a 404 if we don't support this filetype
if (types.indexOf(req.params.type) == -1) {
next();
return;
return next();
}
// if abiword is disabled, and this is a format we only support with abiword, output a message
@ -22,28 +21,26 @@ exports.expressCreateServer = function (hook_name, args, cb) {
res.header("Access-Control-Allow-Origin", "*");
hasPadAccess(req, res, function() {
if (await hasPadAccess(req, res)) {
console.log('req.params.pad', req.params.pad);
padManager.doesPadExists(req.params.pad, function(err, exists) {
if (!exists) {
return next();
}
let exists = await padManager.doesPadExists(req.params.pad);
if (!exists) {
return next();
}
exportHandler.doExport(req, res, req.params.pad, req.params.type);
});
});
exportHandler.doExport(req, res, req.params.pad, req.params.type);
}
});
// handle import requests
args.app.post('/p/:pad/import', function(req, res, next) {
hasPadAccess(req, res, function() {
padManager.doesPadExists(req.params.pad, function(err, exists) {
if (!exists) {
return next();
}
args.app.post('/p/:pad/import', async function(req, res, next) {
if (await hasPadAccess(req, res)) {
let exists = await padManager.doesPadExists(req.params.pad);
if (!exists) {
return next();
}
importHandler.doImport(req, res, req.params.pad);
});
});
importHandler.doImport(req, res, req.params.pad);
}
});
}

View file

@ -1,57 +1,26 @@
var async = require('async');
var ERR = require("async-stacktrace");
var readOnlyManager = require("../../db/ReadOnlyManager");
var hasPadAccess = require("../../padaccess");
var exporthtml = require("../../utils/ExportHtml");
exports.expressCreateServer = function (hook_name, args, cb) {
// serve read only pad
args.app.get('/ro/:id', function(req, res) {
var html;
var padId;
args.app.get('/ro/:id', async function(req, res) {
async.series([
// translate the read only pad to a padId
function(callback) {
readOnlyManager.getPadId(req.params.id, function(err, _padId) {
if(ERR(err, callback)) return;
// translate the read only pad to a padId
let padId = await readOnlyManager.getPadId(req.params.id);
if (padId == null) {
res.status(404).send('404 - Not Found');
return;
}
padId = _padId;
// we need that to tell hasPadAcess about the pad
req.params.pad = padId;
// we need that to tell hasPadAcess about the pad
req.params.pad = padId;
callback();
});
},
if (await hasPadAccess(req, res)) {
// render the html document
function(callback) {
// return if the there is no padId
if(padId == null) {
callback("notfound");
return;
}
hasPadAccess(req, res, function() {
// render the html document
exporthtml.getPadHTMLDocument(padId, null, function(err, _html) {
if(ERR(err, callback)) return;
html = _html;
callback();
});
});
}
],
function(err) {
// throw any unexpected error
if(err && err != "notfound")
ERR(err);
if(err == "notfound")
res.status(404).send('404 - Not Found');
else
res.send(html);
});
html = await exporthtml.getPadHTMLDocument(padId, null);
res.send(html);
}
});
}

View file

@ -1,17 +1,20 @@
var ERR = require("async-stacktrace");
var securityManager = require('./db/SecurityManager');
// checks for padAccess
module.exports = function (req, res, callback) {
securityManager.checkAccess(req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, function(err, accessObj) {
if (ERR(err, callback)) return;
module.exports = async function (req, res) {
try {
let accessObj = await securityManager.checkAccess(req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password);
if (accessObj.accessStatus === "grant") {
// there is access, continue
callback();
return true;
} else {
// no access
res.status(403).send("403 - Can't touch this");
return false;
}
});
} catch (err) {
// @TODO - send internal server error here?
throw err;
}
}