hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: remove usage of middlewares

Browse Source 
Specifically, middleware.isAdmin|exposePrivilegeSet|exposePrivileges
v1.18.x
Julian Lam 4 years ago
parent bff53de03f
commit 266d7587b2
8 changed files with 50 additions and 19 deletions
Show Stats Download Patch File Download Diff File

5
src/controllers/write/admin.js
Unescape Escape View File

@ -1,13 +1,16 @@
'use strict'; 'use strict';
const meta = require('../../meta'); const meta = require('../../meta');
const privileges = require('../../privileges');
const helpers = require('../helpers'); const helpers = require('../helpers');
const Admin = module.exports; const Admin = module.exports;
Admin.updateSetting = async (req, res) => { Admin.updateSetting = async (req, res) => {
if (!res.locals.privileges['admin:settings']) { const ok = await privileges.admin.can('admin:settings', req.uid);
if (!ok) {
return helpers.formatApiResponse(403, res); return helpers.formatApiResponse(403, res);
} }

14
src/controllers/write/categories.js
Unescape Escape View File

@ -1,5 +1,6 @@
'use strict'; 'use strict';
const privileges = require('../../privileges');
const categories = require('../../categories'); const categories = require('../../categories');
const api = require('../../api'); const api = require('../../api');
@ -7,12 +8,23 @@ const helpers = require('../helpers');
const Categories = module.exports; const Categories = module.exports;
const hasAdminPrivilege = async (uid) => {
const ok = await privileges.admin.can(`admin:categories`, uid);
if (!ok) {
throw new Error('[[error:no-privileges]]');
}
};
Categories.create = async (req, res) => { Categories.create = async (req, res) => {
await hasAdminPrivilege(req.uid);
const response = await api.categories.create(req, req.body); const response = await api.categories.create(req, req.body);
helpers.formatApiResponse(200, res, response); helpers.formatApiResponse(200, res, response);
}; };
Categories.update = async (req, res) => { Categories.update = async (req, res) => {
await hasAdminPrivilege(req.uid);
const payload = {}; const payload = {};
payload[req.params.cid] = req.body; payload[req.params.cid] = req.body;
await api.categories.update(req, payload); await api.categories.update(req, payload);
@ -21,6 +33,8 @@ Categories.update = async (req, res) => {
}; };
Categories.delete = async (req, res) => { Categories.delete = async (req, res) => {
await hasAdminPrivilege(req.uid);
await api.categories.delete(req, { cid: req.params.cid }); await api.categories.delete(req, { cid: req.params.cid });
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}; };

22
src/controllers/write/users.js
Unescape Escape View File

@ -2,13 +2,22 @@
const api = require('../../api'); const api = require('../../api');
const meta = require('../../meta'); const meta = require('../../meta');
const privileges = require('../../privileges');
const utils = require('../../utils'); const utils = require('../../utils');
const helpers = require('../helpers'); const helpers = require('../helpers');
const Users = module.exports; const Users = module.exports;
const hasAdminPrivilege = async (uid, privilege) => {
const ok = await privileges.admin.can(`admin:${privilege}`, uid);
if (!ok) {
throw new Error('[[error:no-privileges]]');
}
};
Users.create = async (req, res) => { Users.create = async (req, res) => {
await hasAdminPrivilege(req.uid, 'users');
const userObj = await api.users.create(req, req.body); const userObj = await api.users.create(req, req.body);
helpers.formatApiResponse(200, res, userObj); helpers.formatApiResponse(200, res, userObj);
}; };
@ -24,6 +33,7 @@ Users.delete = async (req, res) => {
}; };
Users.deleteMany = async (req, res) => { Users.deleteMany = async (req, res) => {
await hasAdminPrivilege(req.uid, 'users');
await api.users.deleteMany(req, req.body); await api.users.deleteMany(req, req.body);
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}; };
@ -49,19 +59,20 @@ Users.unfollow = async (req, res) => {
}; };
Users.ban = async (req, res) => { Users.ban = async (req, res) => {
await hasAdminPrivilege(req.uid, 'users');
await api.users.ban(req, { ...req.body, uid: req.params.uid }); await api.users.ban(req, { ...req.body, uid: req.params.uid });
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}; };
Users.unban = async (req, res) => { Users.unban = async (req, res) => {
await hasAdminPrivilege(req.uid, 'users');
await api.users.unban(req, { ...req.body, uid: req.params.uid }); await api.users.unban(req, { ...req.body, uid: req.params.uid });
helpers.formatApiResponse(200, res); helpers.formatApiResponse(200, res);
}; };
Users.generateToken = async (req, res) => { Users.generateToken = async (req, res) => {
if (!res.locals.privileges['admin:settings']) { await hasAdminPrivilege(req.uid, 'settings');
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]')); if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
} else if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
return helpers.formatApiResponse(401, res); return helpers.formatApiResponse(401, res);
} }
@ -80,9 +91,8 @@ Users.generateToken = async (req, res) => {
}; };
Users.deleteToken = async (req, res) => { Users.deleteToken = async (req, res) => {
if (!res.locals.privileges['admin:settings']) { await hasAdminPrivilege(req.uid, 'settings');
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]')); if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
} else if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
return helpers.formatApiResponse(401, res); return helpers.formatApiResponse(401, res);
} }

1
src/middleware/user.js
Unescape Escape View File

@ -201,6 +201,7 @@ module.exports = function (middleware) {
middleware.isAdmin = helpers.try(async function isAdmin(req, res, next) { middleware.isAdmin = helpers.try(async function isAdmin(req, res, next) {
const isAdmin = await user.isAdministrator(req.uid); const isAdmin = await user.isAdministrator(req.uid);
if (!isAdmin) { if (!isAdmin) {
return controllers.helpers.notAllowed(req, res); return controllers.helpers.notAllowed(req, res);
} }

7
src/privileges/admin.js
Unescape Escape View File

@ -158,8 +158,11 @@ module.exports = function (privileges) {
}; };
privileges.admin.can = async function (privilege, uid) { privileges.admin.can = async function (privilege, uid) {
const isUserAllowedTo = await helpers.isUserAllowedTo(privilege, uid, [0]); const [isUserAllowedTo, isAdministrator] = await Promise.all([
return isUserAllowedTo[0]; helpers.isUserAllowedTo(privilege, uid, [0]),
user.isAdministrator(uid),
]);
return isAdministrator || isUserAllowedTo[0];
}; };
// privileges.admin.canGroup = async function (privilege, groupName) { // privileges.admin.canGroup = async function (privilege, groupName) {

2
src/routes/write/admin.js
Unescape Escape View File

@ -10,7 +10,7 @@ const setupApiRoute = routeHelpers.setupApiRoute;
module.exports = function () { module.exports = function () {
const middlewares = [middleware.authenticate]; const middlewares = [middleware.authenticate];
setupApiRoute(router, 'put', '/settings/:setting', [...middlewares, middleware.checkRequired.bind(null, ['value']), middleware.exposePrivilegeSet], controllers.write.admin.updateSetting); setupApiRoute(router, 'put', '/settings/:setting', [...middlewares, middleware.checkRequired.bind(null, ['value'])], controllers.write.admin.updateSetting);
return router; return router;
}; };

6
src/routes/write/categories.js
Unescape Escape View File

@ -10,9 +10,9 @@ const setupApiRoute = routeHelpers.setupApiRoute;
module.exports = function () { module.exports = function () {
const middlewares = [middleware.authenticate]; const middlewares = [middleware.authenticate];
setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['name']), middleware.isAdmin], controllers.write.categories.create); setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['name'])], controllers.write.categories.create);
setupApiRoute(router, 'put', '/:cid', [...middlewares, middleware.isAdmin], controllers.write.categories.update); setupApiRoute(router, 'put', '/:cid', [...middlewares], controllers.write.categories.update);
setupApiRoute(router, 'delete', '/:cid', [...middlewares, middleware.isAdmin], controllers.write.categories.delete); setupApiRoute(router, 'delete', '/:cid', [...middlewares], controllers.write.categories.delete);
return router; return router;
}; };

12
src/routes/write/users.js
Unescape Escape View File

@ -15,8 +15,8 @@ function guestRoutes() {
function authenticatedRoutes() { function authenticatedRoutes() {
const middlewares = [middleware.authenticate]; const middlewares = [middleware.authenticate];
setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], controllers.write.users.create); setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['username'])], controllers.write.users.create);
setupApiRoute(router, 'delete', '/', [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], controllers.write.users.deleteMany); setupApiRoute(router, 'delete', '/', [...middlewares, middleware.checkRequired.bind(null, ['uids'])], controllers.write.users.deleteMany);
setupApiRoute(router, 'put', '/:uid', [...middlewares, middleware.assert.user], controllers.write.users.update); setupApiRoute(router, 'put', '/:uid', [...middlewares, middleware.assert.user], controllers.write.users.update);
setupApiRoute(router, 'delete', '/:uid', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.delete); setupApiRoute(router, 'delete', '/:uid', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.delete);
@ -28,11 +28,11 @@ function authenticatedRoutes() {
setupApiRoute(router, 'put', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.follow); setupApiRoute(router, 'put', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.follow);
setupApiRoute(router, 'delete', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.unfollow); setupApiRoute(router, 'delete', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.unfollow);
setupApiRoute(router, 'put', '/:uid/ban', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.ban); setupApiRoute(router, 'put', '/:uid/ban', [...middlewares, middleware.assert.user], controllers.write.users.ban);
setupApiRoute(router, 'delete', '/:uid/ban', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.unban); setupApiRoute(router, 'delete', '/:uid/ban', [...middlewares, middleware.assert.user], controllers.write.users.unban);
setupApiRoute(router, 'post', '/:uid/tokens', [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], controllers.write.users.generateToken); setupApiRoute(router, 'post', '/:uid/tokens', [...middlewares, middleware.assert.user], controllers.write.users.generateToken);
setupApiRoute(router, 'delete', '/:uid/tokens/:token', [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], controllers.write.users.deleteToken); setupApiRoute(router, 'delete', '/:uid/tokens/:token', [...middlewares, middleware.assert.user], controllers.write.users.deleteToken);
} }
module.exports = function () { module.exports = function () {

Write Preview
Loading…
Cancel
Save