(api) refactor checkBoxIdOwner to checkPrivilege for management routes

ubergesundheit · ubergesundheit · commit a6da20a727d4 · 2018-04-11T11:15:16.000+02:00
diff --git a/config/config.example.json b/config/config.example.json
@@ -27,6 +27,9 @@
   // If not specified, Slack integration is disabled
   // No default
   "slack_url": "https://hooks.slack.com/services/A1...7/Z.....K/r....g",
+  // Users with this role are allowed to management access to the API
+  // Default: "admin"
+  "management_role": "manager",
   // Routes configuration. Use this to customize your urls. These keys should
   // always start with a slash (/)
   "routes": {
diff --git a/config/default.js b/config/default.js
@@ -13,6 +13,7 @@ const defaults = {
   'api_url': '', // if not set, generated from api_protocol and api_base_domain
   'honeybadger_apikey': '',
   'slack_url': '',
+  'management_role': 'admin',
   'routes': {
     'boxes': '/boxes',
     'users': '/users',
diff --git a/packages/api/lib/controllers/boxesController.js b/packages/api/lib/controllers/boxesController.js
@@ -45,7 +45,7 @@ const
     retrieveParameters,
     parseAndValidateTimeParamsForFindAllBoxes,
     validateFromToTimeParams,
-    checkBoxIdOwner
+    checkPrivilege
   } = require('../helpers/userParamHelpers'),
   handleError = require('../helpers/errorHandler'),
   jsonstringify = require('stringify-stream');
@@ -430,14 +430,14 @@ module.exports = {
       { predef: 'boxId', required: true },
       { predef: 'password' }
     ]),
-    checkBoxIdOwner,
+    checkPrivilege,
     deleteBox
   ],
   getSketch: [
     retrieveParameters([
       { predef: 'boxId', required: true },
     ]),
-    checkBoxIdOwner,
+    checkPrivilege,
     getSketch
   ],
   updateBox: [
@@ -456,7 +456,7 @@ module.exports = {
       { name: 'addons', dataType: 'object' },
       { predef: 'location' }
     ]),
-    checkBoxIdOwner,
+    checkPrivilege,
     updateBox
   ],
   // no auth required
diff --git a/packages/api/lib/controllers/sensorsController.js b/packages/api/lib/controllers/sensorsController.js
@@ -2,7 +2,7 @@
 
 const { Box } = require('@sensebox/opensensemap-api-models'),
   { checkContentType } = require('../helpers/apiUtils'),
-  { retrieveParameters, validateFromToTimeParams, checkBoxIdOwner } = require('../helpers/userParamHelpers'),
+  { retrieveParameters, validateFromToTimeParams, checkPrivilege } = require('../helpers/userParamHelpers'),
   handleError = require('../helpers/errorHandler');
 
 /**
@@ -62,7 +62,7 @@ module.exports = {
       { predef: 'fromDateNoDefault' }
     ]),
     validateFromToTimeParams,
-    checkBoxIdOwner,
+    checkPrivilege,
     deleteSensorData
   ]
 };
diff --git a/packages/api/lib/helpers/userParamHelpers.js b/packages/api/lib/helpers/userParamHelpers.js
@@ -1,12 +1,12 @@
 'use strict';
 
-const { BadRequestError, UnprocessableEntityError, InvalidArgumentError } = require('restify-errors'),
+const { BadRequestError, UnprocessableEntityError, InvalidArgumentError, ForbiddenError } = require('restify-errors'),
   { utils: { parseAndValidateTimestamp }, db: { mongoose }, decoding: { validators: { transformAndValidateCoords } } } = require('@sensebox/opensensemap-api-models'),
   moment = require('moment'),
   isemail = require('isemail'),
   handleModelError = require('./errorHandler'),
-  area = require('@turf/area');
-
+  area = require('@turf/area'),
+  config = require('config');
 
 const decodeBase64Image = function (dataString) {
   const matches = dataString.match(/^data:(?:image\/(jpeg|png|gif));base64,(.+)$/m);
@@ -489,20 +489,28 @@ const parseAndValidateTimeParamsForFindAllBoxes = function parseAndValidateTimeP
   next();
 };
 
-const checkBoxIdOwner = function checkBoxIdOwner (req, res, next) {
-  try {
-    req.user.checkBoxOwner(req._userParams.boxId);
-
+const checkPrivilege = function checkPrivilege (req, res, next) {
+  if (req.user && req.user.role === config.get('management_role')) {
     return next();
-  } catch (err) {
-    handleModelError(err, next);
   }
+
+  if (req._userParams.boxId) {
+    try {
+      req.user.checkBoxOwner(req._userParams.boxId);
+
+      return next();
+    } catch (err) {
+      return handleModelError(err, next);
+    }
+  }
+
+  return next(new ForbiddenError('Not signed in or not authorized to access.'));
 };
 
 module.exports = {
   validateFromToTimeParams,
   retrieveParameters,
   initUserParams,
   parseAndValidateTimeParamsForFindAllBoxes,
-  checkBoxIdOwner
+  checkPrivilege
 };
