Add permission level checks
Florian Hartwich
parent
a215d41ec3
commit
9b8bcd0722
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
const jwt = require('jsonwebtoken');
|
||||
const config = require('../config/config');
|
||||
const AppUser = require('../models/app-user');
|
||||
|
||||
const apiAuthentication = (req, res, next) => {
|
||||
|
||||
|
|
@ -18,7 +19,16 @@ const apiAuthentication = (req, res, next) => {
|
|||
} else {
|
||||
// if everything is good, save to request for use in other routes
|
||||
req.decoded = decoded;
|
||||
next();
|
||||
AppUser.findById(decoded.sub, (err, item) => {
|
||||
if (err) {
|
||||
return res.status(403).send({
|
||||
success: false,
|
||||
message: 'token is not associated to any actual user'
|
||||
});
|
||||
}
|
||||
req.user = item;
|
||||
next();
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,20 @@
|
|||
"use strict";
|
||||
|
||||
|
||||
let check = (requiredPermission, actualPermission, res, next) => {
|
||||
if (actualPermission >= requiredPermission) {
|
||||
return next();
|
||||
}
|
||||
|
||||
return res.status(403).send({
|
||||
success: false,
|
||||
message: 'permission denied'
|
||||
});
|
||||
};
|
||||
|
||||
module.exports = {
|
||||
checkSql: (req, res, next) => { check(1, req.user.permission, res, next) },
|
||||
checkHl: (req, res, next) => { check(2, req.user.permission, res, next) },
|
||||
checkMT: (req, res, next) => { check(3, req.user.permission, res, next) },
|
||||
checkAdmin: (req, res, next) => { check(4, req.user.permission, res, next) }
|
||||
};
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
"use strict"
|
||||
"use strict";
|
||||
|
||||
const sortCollectionBy = (collection, key) => {
|
||||
collection.sort((a, b) => {
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ const AppUserSchema = new Schema({
|
|||
get: v => Math.round(v),
|
||||
set: v => Math.round(v),
|
||||
min: 0,
|
||||
max: 3,
|
||||
max: 4,
|
||||
default: 0
|
||||
}
|
||||
}, {
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ const logger = require('debug')('cc:decorations');
|
|||
const codes = require('./http-codes');
|
||||
|
||||
const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
|
||||
const checkHl = require('../middleware/permission-check').checkHl;
|
||||
const routerHandling = require('../middleware/router-handling');
|
||||
|
||||
// Mongoose Model using mongoDB
|
||||
|
|
@ -46,7 +47,7 @@ decoration.route('/')
|
|||
});
|
||||
})
|
||||
|
||||
.post(apiAuthenticationMiddleware, upload.single('image'), (req, res, next) => {
|
||||
.post(apiAuthenticationMiddleware, checkHl, upload.single('image'), (req, res, next) => {
|
||||
const decoration = new DecorationModel(req.body);
|
||||
// timestamp and default are set automatically by Mongoose Schema Validation
|
||||
decoration.save((err) => {
|
||||
|
|
@ -86,7 +87,7 @@ decoration.route('/:id')
|
|||
});
|
||||
})
|
||||
|
||||
.patch(apiAuthenticationMiddleware, upload.single('image'), (req, res, next) => {
|
||||
.patch(apiAuthenticationMiddleware, checkHl, upload.single('image'), (req, res, next) => {
|
||||
if (!req.body || (req.body._id && req.body._id !== req.params.id)) {
|
||||
// little bit different as in PUT. :id does not need to be in data, but if the _id and url id must match
|
||||
const err = new Error('id of PATCH resource and send JSON body are not equal ' + req.params.id + " " + req.body._id);
|
||||
|
|
@ -125,7 +126,7 @@ decoration.route('/:id')
|
|||
})
|
||||
})
|
||||
|
||||
.delete(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.delete(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
DecorationModel.findByIdAndRemove(req.params.id, (err, item) => {
|
||||
if (err) {
|
||||
err.status = codes.wrongrequest;
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ const logger = require('debug')('cc:ranks');
|
|||
const codes = require('./http-codes');
|
||||
|
||||
const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
|
||||
const checkHl = require('../middleware/permission-check').checkHl;
|
||||
const routerHandling = require('../middleware/router-handling');
|
||||
|
||||
// Mongoose Model using mongoDB
|
||||
|
|
@ -49,7 +50,7 @@ ranks.route('/')
|
|||
});
|
||||
})
|
||||
|
||||
.post(apiAuthenticationMiddleware, upload.single('image'), (req, res, next) => {
|
||||
.post(apiAuthenticationMiddleware, checkHl, upload.single('image'), (req, res, next) => {
|
||||
const rank = new RankModel(req.body);
|
||||
// timestamp and default are set automatically by Mongoose Schema Validation
|
||||
rank.save((err) => {
|
||||
|
|
@ -89,7 +90,7 @@ ranks.route('/:id')
|
|||
});
|
||||
})
|
||||
|
||||
.patch(apiAuthenticationMiddleware, upload.single('image'), (req, res, next) => {
|
||||
.patch(apiAuthenticationMiddleware, checkHl, upload.single('image'), (req, res, next) => {
|
||||
|
||||
if (!req.body || (req.body._id && req.body._id !== req.params.id)) {
|
||||
// little bit different as in PUT. :id does not need to be in data, but if the _id and url id must match
|
||||
|
|
@ -130,7 +131,7 @@ ranks.route('/:id')
|
|||
})
|
||||
})
|
||||
|
||||
.delete(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.delete(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
RankModel.findByIdAndRemove(req.params.id, (err, item) => {
|
||||
if (err) {
|
||||
err.status = codes.wrongrequest;
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@ const logger = require('debug')('cc:squads');
|
|||
const codes = require('./http-codes');
|
||||
|
||||
const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
|
||||
const checkHl = require('../middleware/permission-check').checkHl;
|
||||
const routerHandling = require('../middleware/router-handling');
|
||||
|
||||
// Mongoose Model using mongoDB
|
||||
|
|
@ -44,7 +45,7 @@ squads.route('/')
|
|||
});
|
||||
})
|
||||
|
||||
.post(apiAuthenticationMiddleware, upload.single('image'), (req, res, next) => {
|
||||
.post(apiAuthenticationMiddleware, checkHl, upload.single('image'), (req, res, next) => {
|
||||
const squad = new SquadModel(req.body);
|
||||
// timestamp and default are set automatically by Mongoose Schema Validation
|
||||
if (req.file) {
|
||||
|
|
@ -89,7 +90,7 @@ squads.route('/:id')
|
|||
});
|
||||
})
|
||||
|
||||
.patch(apiAuthenticationMiddleware, upload.single('image'), (req, res, next) => {
|
||||
.patch(apiAuthenticationMiddleware, checkHl, upload.single('image'), (req, res, next) => {
|
||||
|
||||
if (!req.body || (req.body._id && req.body._id !== req.params.id)) {
|
||||
// little bit different as in PUT. :id does not need to be in data, but if the _id and url id must match
|
||||
|
|
@ -129,7 +130,7 @@ squads.route('/:id')
|
|||
})
|
||||
})
|
||||
|
||||
.delete(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.delete(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
SquadModel.findByIdAndRemove(req.params.id, (err, item) => {
|
||||
if (err) {
|
||||
err.status = codes.wrongrequest;
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ const logger = require('debug')('me2u5:users');
|
|||
const codes = require('./http-codes');
|
||||
|
||||
const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
|
||||
const checkHl = require('../middleware/permission-check').checkHl;
|
||||
const sortCollectionBy = require('../middleware/util').sortCollection;
|
||||
const routerHandling = require('../middleware/router-handling');
|
||||
|
||||
|
|
@ -84,7 +85,7 @@ users.route('/')
|
|||
}
|
||||
})
|
||||
|
||||
.post(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.post(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
const user = new UserModel(req.body);
|
||||
// timestamp and default are set automatically by Mongoose Schema Validation
|
||||
user.save((err) => {
|
||||
|
|
@ -129,7 +130,7 @@ users.route('/:id')
|
|||
});
|
||||
})
|
||||
|
||||
.patch(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.patch(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
if (!req.body || (req.body._id && req.body._id !== req.params.id)) {
|
||||
// little bit different as in PUT. :id does not need to be in data, but if the _id and url id must match
|
||||
const err = new Error('id of PATCH resource and send JSON body are not equal ' + req.params.id + " " + req.body._id);
|
||||
|
|
@ -176,7 +177,7 @@ users.route('/:id')
|
|||
})
|
||||
})
|
||||
|
||||
.put(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.put(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
// first check that the given element id is the same as the URL id
|
||||
if (!req.body || req.body._id !== req.params.id) {
|
||||
// the URL does not fit the given element
|
||||
|
|
@ -231,7 +232,7 @@ users.route('/:id')
|
|||
})
|
||||
})
|
||||
|
||||
.delete(apiAuthenticationMiddleware, (req, res, next) => {
|
||||
.delete(apiAuthenticationMiddleware, checkHl, (req, res, next) => {
|
||||
UserModel.findByIdAndRemove(req.params.id, (err, item) => {
|
||||
if (err) {
|
||||
err.status = codes.wrongrequest;
|
||||
|
|
|
|||
|
|
@ -15,6 +15,8 @@ const urls = require('./config/api-url');
|
|||
const restAPIchecks = require('./middleware/request-checks.js');
|
||||
const errorResponseWare = require('./middleware/error-response');
|
||||
const apiAuthenticationMiddleware = require('./middleware/auth-middleware');
|
||||
const checkHl = require('./middleware/permission-check').checkHl;
|
||||
const checkAdmin = require('./middleware/permission-check').checkAdmin;
|
||||
const signatureCronJob = require('./cron-job/update-signatures');
|
||||
|
||||
// router modules
|
||||
|
|
@ -54,7 +56,7 @@ app.use(restAPIchecks);
|
|||
// Routes ******************************************************
|
||||
app.use(urls.signatures, signatureRouter);
|
||||
|
||||
// initialize logging here to exclude /signature requests
|
||||
// initialize logging at this point to exclude /signature requests
|
||||
if (process.env.NODE_ENV === config.dev.env) {
|
||||
// development logging
|
||||
app.use(requestLogger('dev'));
|
||||
|
|
@ -69,8 +71,8 @@ app.use(urls.users, userRouter);
|
|||
app.use(urls.squads, squadRouter);
|
||||
app.use(urls.ranks, rankRouter);
|
||||
app.use(urls.decorations, decorationRouter);
|
||||
app.use(urls.awards, apiAuthenticationMiddleware, awardingRouter);
|
||||
app.use(urls.command, apiAuthenticationMiddleware, commandRouter);
|
||||
app.use(urls.awards, apiAuthenticationMiddleware, checkHl, awardingRouter);
|
||||
app.use(urls.command, apiAuthenticationMiddleware, checkAdmin, commandRouter);
|
||||
|
||||
// send index.html on all different paths
|
||||
app.use(function (req, res) {
|
||||
|
|
@ -105,13 +107,6 @@ if (process.env.NODE_ENV !== config.test.env) {
|
|||
});
|
||||
} else {
|
||||
mongoose.connect(config.database.uri + config.test.db);
|
||||
for (let collection in mongoose.connection.collections) {
|
||||
mongoose.connection.collections[collection].drop(function (err) {
|
||||
if (err) {
|
||||
console.log('Error while test-Db clean up: ' + err);
|
||||
}
|
||||
});
|
||||
}
|
||||
app.listen(config.test.port);
|
||||
console.log('Listening on port ' + config.test.port);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -51,7 +51,8 @@ describe('Users', () => {
|
|||
before(function (done) {
|
||||
let appUser = {
|
||||
username: 'testUsr',
|
||||
password: '$2a$10$i9cBC06uGJnnrqQCh8COkuZLMChLQqw5j4K0yfDQn1udTDAompHka'
|
||||
password: '$2a$10$i9cBC06uGJnnrqQCh8COkuZLMChLQqw5j4K0yfDQn1udTDAompHka',
|
||||
permission: 2
|
||||
};
|
||||
let appUserEncoded = {
|
||||
username: appUser.username,
|
||||
|
|
|
|||
Loading…
Reference in New Issue