Skip to content

W
wiki-js
Switch branch/tag
Find file
BlameHistoryPermalink
rights.js 2.46 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 
'use strict'

/* global wiki */

const _ = require('lodash')

/**
 * Rights
 */
module.exports = {

  guest: {
    provider: 'local',
    email: 'guest',
    name: 'Guest',
    password: '',
    rights: [
      {
        role: 'read',
        path: '/',
        deny: false,
        exact: false
      }
    ]
  },

  /**
   * Initialize Rights module
   *
   * @return     {void}  Void
   */
  init () {
    let self = this

    wiki.db.onReady.then(() => {
      wiki.db.User.findOne({ provider: 'local', email: 'guest' }).then((u) => {
        if (u) {
          self.guest = u
        }
      })
    })
  },

  /**
   * Check user permissions for this request
   *
   * @param      {object}  req     The request object
   * @return     {object}  List of permissions for this request
   */
  check (req) {
    let self = this

    let perm = {
      read: false,
      write: false,
      manage: false
    }
    let rt = []
    let p = _.chain(req.originalUrl).toLower().trim().value()

    // Load user rights

    if (_.isArray(req.user.rights)) {
      rt = req.user.rights
    }

    // Check rights

    if (self.checkRole(p, rt, 'admin')) {
      perm.read = true
      perm.write = true
      perm.manage = true
    } else if (self.checkRole(p, rt, 'write')) {
      perm.read = true
      perm.write = true
    } else if (self.checkRole(p, rt, 'read')) {
      perm.read = true
    }

    return perm
  },

  /**
   * Check for a specific role based on list of user rights
   *
   * @param      {String}         p       Base path
   * @param      {array<object>}  rt      The user rights
   * @param      {string}         role    The minimum role required
   * @return     {boolean}        True if authorized
   */
  checkRole (p, rt, role) {
    if (_.find(rt, { role: 'admin' })) { return true }

    // Check specific role on path

    let filteredRights = _.filter(rt, (r) => {
      if (r.role === role || (r.role === 'write' && role === 'read')) {
        if ((!r.exact && _.startsWith(p, r.path)) || (r.exact && p === r.path)) {
          return true
        }
      }
      return false
    })

    // Check for deny scenario

    let isValid = false

    if (filteredRights.length > 1) {
      isValid = !_.chain(filteredRights).sortBy((r) => {
        return r.path.length + ((r.deny) ? 0.5 : 0)
      }).last().get('deny').value()
    } else if (filteredRights.length === 1 && filteredRights[0].deny === false) {
      isValid = true
    }

    // Deny by default

    return isValid
  }

}