Skip to content

Commit a6da20a

Browse files
ubergesundheitubergesundheit
committed
(api) refactor checkBoxIdOwner to checkPrivilege for management routes
1 parent 116fe44 commit a6da20a

File tree

5 files changed

+28
-16
lines changed

5 files changed

+28
-16
lines changed

config/config.example.json

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,9 @@
2727
// If not specified, Slack integration is disabled
2828
// No default
2929
"slack_url": "https://hooks.slack.com/services/A1...7/Z.....K/r....g",
30+
// Users with this role are allowed to management access to the API
31+
// Default: "admin"
32+
"management_role": "manager",
3033
// Routes configuration. Use this to customize your urls. These keys should
3134
// always start with a slash (/)
3235
"routes": {

config/default.js

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ const defaults = {
1313
'api_url': '', // if not set, generated from api_protocol and api_base_domain
1414
'honeybadger_apikey': '',
1515
'slack_url': '',
16+
'management_role': 'admin',
1617
'routes': {
1718
'boxes': '/boxes',
1819
'users': '/users',

packages/api/lib/controllers/boxesController.js

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ const
4545
retrieveParameters,
4646
parseAndValidateTimeParamsForFindAllBoxes,
4747
validateFromToTimeParams,
48-
checkBoxIdOwner
48+
checkPrivilege
4949
} = require('../helpers/userParamHelpers'),
5050
handleError = require('../helpers/errorHandler'),
5151
jsonstringify = require('stringify-stream');
@@ -430,14 +430,14 @@ module.exports = {
430430
{ predef: 'boxId', required: true },
431431
{ predef: 'password' }
432432
]),
433-
checkBoxIdOwner,
433+
checkPrivilege,
434434
deleteBox
435435
],
436436
getSketch: [
437437
retrieveParameters([
438438
{ predef: 'boxId', required: true },
439439
]),
440-
checkBoxIdOwner,
440+
checkPrivilege,
441441
getSketch
442442
],
443443
updateBox: [
@@ -456,7 +456,7 @@ module.exports = {
456456
{ name: 'addons', dataType: 'object' },
457457
{ predef: 'location' }
458458
]),
459-
checkBoxIdOwner,
459+
checkPrivilege,
460460
updateBox
461461
],
462462
// no auth required

packages/api/lib/controllers/sensorsController.js

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
const { Box } = require('@sensebox/opensensemap-api-models'),
44
{ checkContentType } = require('../helpers/apiUtils'),
5-
{ retrieveParameters, validateFromToTimeParams, checkBoxIdOwner } = require('../helpers/userParamHelpers'),
5+
{ retrieveParameters, validateFromToTimeParams, checkPrivilege } = require('../helpers/userParamHelpers'),
66
handleError = require('../helpers/errorHandler');
77

88
/**
@@ -62,7 +62,7 @@ module.exports = {
6262
{ predef: 'fromDateNoDefault' }
6363
]),
6464
validateFromToTimeParams,
65-
checkBoxIdOwner,
65+
checkPrivilege,
6666
deleteSensorData
6767
]
6868
};

packages/api/lib/helpers/userParamHelpers.js

Lines changed: 18 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
'use strict';
22

3-
const { BadRequestError, UnprocessableEntityError, InvalidArgumentError } = require('restify-errors'),
3+
const { BadRequestError, UnprocessableEntityError, InvalidArgumentError, ForbiddenError } = require('restify-errors'),
44
{ utils: { parseAndValidateTimestamp }, db: { mongoose }, decoding: { validators: { transformAndValidateCoords } } } = require('@sensebox/opensensemap-api-models'),
55
moment = require('moment'),
66
isemail = require('isemail'),
77
handleModelError = require('./errorHandler'),
8-
area = require('@turf/area');
9-
8+
area = require('@turf/area'),
9+
config = require('config');
1010

1111
const decodeBase64Image = function (dataString) {
1212
const matches = dataString.match(/^data:(?:image\/(jpeg|png|gif));base64,(.+)$/m);
@@ -489,20 +489,28 @@ const parseAndValidateTimeParamsForFindAllBoxes = function parseAndValidateTimeP
489489
next();
490490
};
491491

492-
const checkBoxIdOwner = function checkBoxIdOwner (req, res, next) {
493-
try {
494-
req.user.checkBoxOwner(req._userParams.boxId);
495-
492+
const checkPrivilege = function checkPrivilege (req, res, next) {
493+
if (req.user && req.user.role === config.get('management_role')) {
496494
return next();
497-
} catch (err) {
498-
handleModelError(err, next);
499495
}
496+
497+
if (req._userParams.boxId) {
498+
try {
499+
req.user.checkBoxOwner(req._userParams.boxId);
500+
501+
return next();
502+
} catch (err) {
503+
return handleModelError(err, next);
504+
}
505+
}
506+
507+
return next(new ForbiddenError('Not signed in or not authorized to access.'));
500508
};
501509

502510
module.exports = {
503511
validateFromToTimeParams,
504512
retrieveParameters,
505513
initUserParams,
506514
parseAndValidateTimeParamsForFindAllBoxes,
507-
checkBoxIdOwner
515+
checkPrivilege
508516
};

0 commit comments

Comments
 (0)