access controls: promisification
`getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) were updated to match.
parent
34fdaa4e8c
commit
d5d28717c4
3 changed files with 39 additions and 70 deletions
|
@ -5,12 +5,11 @@ var importHandler = require('../../handler/ImportHandler');
|
|||
var padManager = require("../../db/PadManager");
|
||||
|
||||
exports.expressCreateServer = function (hook_name, args, cb) {
|
||||
args.app.get('/p/:pad/:rev?/export/:type', function(req, res, next) {
|
||||
args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
|
||||
var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
|
||||
//send a 404 if we don't support this filetype
|
||||
if (types.indexOf(req.params.type) == -1) {
|
||||
next();
|
||||
return;
|
||||
return next();
|
||||
}
|
||||
|
||||
// if abiword is disabled, and this is a format we only support with abiword, output a message
|
||||
|
@ -22,28 +21,26 @@ exports.expressCreateServer = function (hook_name, args, cb) {
|
|||
|
||||
res.header("Access-Control-Allow-Origin", "*");
|
||||
|
||||
hasPadAccess(req, res, function() {
|
||||
if (await hasPadAccess(req, res)) {
|
||||
console.log('req.params.pad', req.params.pad);
|
||||
padManager.doesPadExists(req.params.pad, function(err, exists) {
|
||||
if (!exists) {
|
||||
return next();
|
||||
}
|
||||
let exists = await padManager.doesPadExists(req.params.pad);
|
||||
if (!exists) {
|
||||
return next();
|
||||
}
|
||||
|
||||
exportHandler.doExport(req, res, req.params.pad, req.params.type);
|
||||
});
|
||||
});
|
||||
exportHandler.doExport(req, res, req.params.pad, req.params.type);
|
||||
}
|
||||
});
|
||||
|
||||
// handle import requests
|
||||
args.app.post('/p/:pad/import', function(req, res, next) {
|
||||
hasPadAccess(req, res, function() {
|
||||
padManager.doesPadExists(req.params.pad, function(err, exists) {
|
||||
if (!exists) {
|
||||
return next();
|
||||
}
|
||||
args.app.post('/p/:pad/import', async function(req, res, next) {
|
||||
if (await hasPadAccess(req, res)) {
|
||||
let exists = await padManager.doesPadExists(req.params.pad);
|
||||
if (!exists) {
|
||||
return next();
|
||||
}
|
||||
|
||||
importHandler.doImport(req, res, req.params.pad);
|
||||
});
|
||||
});
|
||||
importHandler.doImport(req, res, req.params.pad);
|
||||
}
|
||||
});
|
||||
}
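Review bot: Neither new `async` route handler in this file (the export route `args.app.get('/p/:pad/:rev?/export/:type', …)` and the import route `args.app.post('/p/:pad/import', …)`) catches a rejection, yet `hasPadAccess` now rethrows when `securityManager.checkAccess` fails and `await padManager.doesPadExists(…)` can reject as well. Express before version 5 does not observe the promise an async handler returns, so unless the app wraps its routes elsewhere, a failure in the access check leaves the request without any response and surfaces only as an unhandled rejection. Wrap each handler body so the error reaches the error middleware: `try { … } catch (err) { return next(err); }`. The `/ro/:id` handler in padreadonly.js has the same gap and is declared as `function(req, res)`, so it would also need the `next` parameter. Separately, `console.log('req.params.pad', req.params.pad);` writes a request-controlled value to the log on every export and looks like leftover debugging.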
|
||||
|
|
|
@ -1,57 +1,26 @@
|
|||
var async = require('async');
|
||||
var ERR = require("async-stacktrace");
|
||||
var readOnlyManager = require("../../db/ReadOnlyManager");
|
||||
var hasPadAccess = require("../../padaccess");
|
||||
var exporthtml = require("../../utils/ExportHtml");
|
||||
|
||||
exports.expressCreateServer = function (hook_name, args, cb) {
|
||||
// serve read only pad
|
||||
args.app.get('/ro/:id', function(req, res) {
|
||||
var html;
|
||||
var padId;
|
||||
args.app.get('/ro/:id', async function(req, res) {
|
||||
|
||||
async.series([
|
||||
// translate the read only pad to a padId
|
||||
function(callback) {
|
||||
readOnlyManager.getPadId(req.params.id, function(err, _padId) {
|
||||
if(ERR(err, callback)) return;
|
||||
// translate the read only pad to a padId
|
||||
let padId = await readOnlyManager.getPadId(req.params.id);
|
||||
if (padId == null) {
|
||||
res.status(404).send('404 - Not Found');
|
||||
return;
|
||||
}
|
||||
|
||||
padId = _padId;
|
||||
// we need that to tell hasPadAcess about the pad
|
||||
req.params.pad = padId;
|
||||
|
||||
// we need that to tell hasPadAcess about the pad
|
||||
req.params.pad = padId;
|
||||
|
||||
callback();
|
||||
});
|
||||
},
|
||||
if (await hasPadAccess(req, res)) {
|
||||
// render the html document
|
||||
function(callback) {
|
||||
// return if the there is no padId
|
||||
if(padId == null) {
|
||||
callback("notfound");
|
||||
return;
|
||||
}
|
||||
|
||||
hasPadAccess(req, res, function() {
|
||||
// render the html document
|
||||
exporthtml.getPadHTMLDocument(padId, null, function(err, _html) {
|
||||
if(ERR(err, callback)) return;
|
||||
html = _html;
|
||||
callback();
|
||||
});
|
||||
});
|
||||
}
|
||||
],
|
||||
function(err) {
|
||||
// throw any unexpected error
|
||||
if(err && err != "notfound")
|
||||
ERR(err);
|
||||
|
||||
if(err == "notfound")
|
||||
res.status(404).send('404 - Not Found');
|
||||
else
|
||||
res.send(html);
|
||||
});
|
||||
html = await exporthtml.getPadHTMLDocument(padId, null);
|
||||
res.send(html);
|
||||
}
|
||||
});
|
||||
|
||||
}
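Review bot: `html = await exporthtml.getPadHTMLDocument(padId, null);` assigns to a name that no longer seems to be declared, because the `var html;` at the top of the old handler appears to be on the removed side. In sloppy mode the assignment creates a process-wide global that every `/ro/:id` request writes to, and under strict mode it throws a ReferenceError after the access check has already passed. Declare it where it is used: `const html = await exporthtml.getPadHTMLDocument(padId, null);`. If the `async` and `async-stacktrace` requires at the top of the file are kept, they look unused after this change.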
|
||||
|
|
|
@ -1,17 +1,20 @@
|
|||
var ERR = require("async-stacktrace");
|
||||
var securityManager = require('./db/SecurityManager');
|
||||
|
||||
// checks for padAccess
|
||||
module.exports = function (req, res, callback) {
|
||||
securityManager.checkAccess(req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, function(err, accessObj) {
|
||||
if (ERR(err, callback)) return;
|
||||
module.exports = async function (req, res) {
|
||||
try {
|
||||
let accessObj = await securityManager.checkAccess(req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password);
|
||||
|
||||
if (accessObj.accessStatus === "grant") {
|
||||
// there is access, continue
|
||||
callback();
|
||||
return true;
|
||||
} else {
|
||||
// no access
|
||||
res.status(403).send("403 - Can't touch this");
|
||||
return false;
|
||||
}
|
||||
});
|
||||
} catch (err) {
|
||||
// @TODO - send internal server error here?
|
||||
throw err;
|
||||
}
|
||||
}
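Review bot: The `catch (err) { throw err; }` block behaves exactly like a bare `await`, so when `checkAccess` fails no response is written and the outcome depends on every caller handling the rejection. Either drop the `try`/`catch` or settle the `@TODO` one way, answering here or leaving it to callers, but not both. The one-line `// checks for padAccess` comment should become a doc comment stating the contract the call sites now rely on: resolves `true` only when `accessObj.accessStatus === "grant"`, otherwise sends the 403 itself and resolves `false` (so the caller must not write to `res`), and rejects without responding when the check throws. `var ERR = require("async-stacktrace");` appears to be unused in the new version.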
|
||||
|
|