From e22f3fcaf7c2e913ceb2e9654aad1a6dbbcfb608 Mon Sep 17 00:00:00 2001
From: Lyght
Date: Tue, 4 Dec 2018 21:42:32 +0100
Subject: [PATCH 1/4] Fix states permissions
---
 src/api/controllers/state/add.state.js | 28 ++++++++++++-------
 .../controllers/state/set.spotlight.state.js | 22 +++++++++------
 2 files changed, 32 insertions(+), 18 deletions(-)
diff --git a/src/api/controllers/state/add.state.js b/src/api/controllers/state/add.state.js
index a51af4d..a1082c5 100644
--- a/src/api/controllers/state/add.state.js
+++ b/src/api/controllers/state/add.state.js
@@ -1,8 +1,9 @@
-const isAdmin = require('../../middlewares/isAdmin')
+const isRespo = require('../../middlewares/isRespo')
 const errorHandler = require('../../utils/errorHandler')
 const isAuth = require('../../middlewares/isAuth')
 const { check } = require('express-validator/check')
 const validateBody = require('../../middlewares/validateBody')
+const log = require('../../utils/log')(module)
 
 /**
 * GET /users
@@ -13,8 +14,9 @@ const validateBody = require('../../middlewares/validateBody')
 * ]
 */
 module.exports = app => {
- app.post('/states', [isAuth(), isAdmin()])
- app.post('/states', [
+ app.post('/states/:id', [isAuth(), isRespo()])
+
+ app.post('/states/:id', [
 check('title')
 .exists()
 .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i),
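Review bot: The route doc comment in this hunk still reads `* GET /users` while the handler registered just below is `app.post('/states/:id', ...)`; the sibling file gets this comment corrected later in the same patch, but this one does not — change it to ` * POST /states/:id` and list the body fields the validators below expect. The added `const log = require('../../utils/log')(module)` is not referenced in any hunk of this series; if nothing in the rest of the file uses it, drop it rather than leave an unused binding with a module-load side effect.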
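Review bot: `app.post('/states/:id', [isAuth(), isRespo()])` now takes the target spotlight from the URL, but it is not visible here whether `isRespo()` scopes its check to `req.params.id` or only asserts that the caller is a respo of something; the `hasPermission` middleware added later in this series does compare `req.params.id` against the caller's `respo` list, so either register that here (`app.post('/states/:id', [isAuth(), hasPermission()])`) or confirm that isRespo performs the per-id check. If the middleware is not per-id, a respo of one spotlight can add states to any other spotlight, which is the authorization gap this route change would open. The `module.exports = app => {` body continues past the end of this hunk.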
@@ -24,25 +26,31 @@ module.exports = app => {
 check('popover')
 .exists()
 .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i),
- check('spotlightId')
- .exists()
- .matches(/\d/),
 validateBody()
 ])
- app.post('/states', async (req, res) => {
+
+ app.post('/states/:id', async (req, res) => {
 const { State, Spotlight } = req.app.locals.models
 try {
- const { title, desc, popover, spotlightId } = req.body
+ const spotlightId = req.params.id
+ const { title, desc, popover } = req.body
+
 let spotlight = await Spotlight.findById(spotlightId)
- if(!spotlight) return res.status(404).json({ error: 'NOT_FOUND' }).end()
+ if(!spotlight) {
+ return res
+ .status(404)
+ .json({ error: 'NOT_FOUND' })
+ .end()
+ }
+
 let state = await State.create({
 title,
 desc,
 popover
 })
+
 await spotlight.addState(state)
- await state.save()
 await spotlight.save()
 return res
diff --git a/src/api/controllers/state/set.spotlight.state.js b/src/api/controllers/state/set.spotlight.state.js
index 676242f..a672b1c 100644
--- a/src/api/controllers/state/set.spotlight.state.js
+++ b/src/api/controllers/state/set.spotlight.state.js
@@ -5,7 +5,7 @@ const { check } = require('express-validator/check')
 const validateBody = require('../../middlewares/validateBody')
 
 /**
- * GET /users
+ * PUT /states/:id
 *
 * Response:
 * [
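Review bot: `const spotlightId = req.params.id` is handed straight to `Spotlight.findById` with no validation, while the old `check('spotlightId').exists().matches(/\d/)` is removed in the same hunk and nothing in the validator array replaces it; add `check('id').isInt()` alongside the body checks before `validateBody()` so the route parameter is validated like the body fields (`check` from express-validator/check covers params as well as the body). The removed `.matches(/\d/)` only required one digit somewhere in the string, so `isInt()` is also stricter than what it replaces. The surrounding `app.post` handler and its `catch` block continue past the end of this hunk.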
@@ -13,27 +13,33 @@ const validateBody = require('../../middlewares/validateBody')
 * ]
 */
 module.exports = app => {
- app.put('/spotlights/:id/state', [isAuth(), isRespo()])
- app.put('/spotlights/:id/state', [
+ app.put('/states/:id', [isAuth(), isRespo()])
+ app.put('/states/:id', [
 check('value')
 .exists()
 .matches(/\d/),
 validateBody()
 ])
- app.put('/spotlights/:id/state', async (req, res) => {
+ app.put('/states/:id', async (req, res) => {
 const { Spotlight } = req.app.locals.models
 try {
 const { value } = req.body
- const { id } = req.params
- let spotlight = await Spotlight.findById(id)
- if(!spotlight) return res.status(404).json({ error: 'NOT_FOUND' })
+ const spotlightId = req.params.id
+
+ let spotlight = await Spotlight.findById(spotlightId)
+ if(!spotlight) {
+ return res
+ .status(404)
+ .json({ error: 'NOT_FOUND' })
+ .end()
+ }
+
 spotlight.state = value
 await spotlight.save()
 return res
 .status(200)
- .json(spotlight)
 .end()
 } catch (err) {
 errorHandler(err, res)
From 14db6ba04aac1d989dffab8050cceee1c3fb8c78 Mon Sep 17 00:00:00 2001
From: Lyght
Date: Tue, 4 Dec 2018 21:42:47 +0100
Subject: [PATCH 2/4] Add hasPermission middleware
---
 src/api/middlewares/hasPermission.js | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 src/api/middlewares/hasPermission.js
diff --git a/src/api/middlewares/hasPermission.js b/src/api/middlewares/hasPermission.js
new file mode 100644
index 0000000..83f97fc
--- /dev/null
+++ b/src/api/middlewares/hasPermission.js
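Review bot: `check('value').exists().matches(/\d/)` accepts any string that contains at least one digit (for example `'abc1'`), and the new handler assigns that raw string to `spotlight.state = value`; since `const spotlightId = req.params.id` is now also read without validation, tighten both in the validator array with `check('value').isInt()` and `check('id').isInt()`. Separately, dropping `.json(spotlight)` leaves `res.status(200).end()` with an empty body — if callers no longer need the representation, `204` is the fitting status, otherwise keep returning the updated spotlight. The `} catch (err) {` block closes outside this hunk.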
@@ -0,0 +1,28 @@
+const jwt = require('jsonwebtoken')
+const { promisify } = require('util')
+const log = require('../utils/log')(module)
+
+jwt.verify = promisify(jwt.verify)
+
+module.exports = route => async (req, res, next) => {
+ let authorized = false
+
+ if(req.user && req.user.permission) {
+ if(req.user.permission.admin) {
+ authorized = true
+ }
+ else if(req.user.permission.respo && req.user.permission.respo.includes(req.params.id)) {
+ authorized = true
+ }
+ }
+
+ if(authorized) {
+ next()
+ }
+ else {
+ return res
+ .status(401)
+ .json({ error: 'UNAUTHORIZED' })
+ .end()
+ }
+}
From 2ada863472cc695784b6f8592db9fcd03eb31fb4 Mon Sep 17 00:00:00 2001
From: Lyght
Date: Tue, 4 Dec 2018 21:56:58 +0100
Subject: [PATCH 3/4] Return all user permissions
---
 src/api/controllers/user/user.infos.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/api/controllers/user/user.infos.js b/src/api/controllers/user/user.infos.js
index a0c0ec7..08572f9 100644
--- a/src/api/controllers/user/user.infos.js
+++ b/src/api/controllers/user/user.infos.js
@@ -65,7 +65,8 @@ module.exports = app => {
 if(permission) {
 permissionData = {
 admin: permission.admin,
- respo: permission.respo
+ respo: permission.respo,
+ permission: permission.permission
 }
 }
 else {
From 9c0dc0bb8ffe526251fdf975b2f9105800cce18f Mon Sep 17 00:00:00 2001
From: Lyght
Date: Wed, 5 Dec 2018 13:34:26 +0100
Subject: [PATCH 4/4] Fix optional state popup
---
 src/api/controllers/state/add.state.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/api/controllers/state/add.state.js b/src/api/controllers/state/add.state.js
index a1082c5..3734880 100644
--- a/src/api/controllers/state/add.state.js
+++ b/src/api/controllers/state/add.state.js
@@ -24,7 +24,6 @@ module.exports = app => {
 .exists()
 .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i),
 check('popover')
- .exists()
 .matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i),
 validateBody()
 ])
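Review bot: `jwt.verify = promisify(jwt.verify)` rewrites the shared `jsonwebtoken` module export at require time even though `jwt` is never used in this middleware (nor are `log` and the `route` parameter); remove the unused bindings, otherwise any other module that also promisifies `jwt.verify` ends up wrapping an already-promisified function and token verification breaks process-wide. The check `req.user.permission.respo.includes(req.params.id)` uses strict equality and `req.params.id` is always a string, so if `respo` holds numeric ids the respo branch can never authorize — compare as `req.user.permission.respo.some(id => String(id) === req.params.id)`, and confirm the element type of `respo`. A caller who is authenticated but lacks the permission is a `403` case rather than `401`, which signals missing credentials, so consider `.status(403)` unless clients depend on the current code. If `log` is kept, recording denied checks with the user id and `req.params.id` would make authorization failures auditable; otherwise drop it with the other unused requires.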
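Review bot: Removing `.exists()` from `check('popover')` does not make the field optional under express-validator's `check` API: a missing field is still run through `.matches(/^...{3,}$/i)`, which fails on the empty value, so a request without `popover` is still rejected before it reaches the `popover || ''` fallback added in the next hunk. The chain needs an explicit skip for absent values: `check('popover').optional().matches(/^[A-zÀ-ÿ0-9 '#@!&\-$%]{3,}$/i),`. As a side note on the retained pattern, `A-z` covers the ASCII characters between `Z` and `a` (`[`, `\`, `]`, `^`, `_`, backtick), which is presumably not intended for a title/popover allow-list — `A-Za-z` is likely what was meant; the same pattern is used for the other body fields above this hunk.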
@@ -47,7 +46,7 @@ module.exports = app => {
 let state = await State.create({
 title,
 desc,
- popover
+ popover: popover || ''
 })
 
 await spotlight.addState(state)