(api) refactor checkBoxIdOwner to checkPrivilege for management routes
ubergesundheit committed Apr 11, 2018
1 parent 116fe44 commit a6da20a
Showing 5 changed files with 28 additions and 16 deletions.
3 changes: 3 additions & 0 deletions config/config.example.json
Expand Up @@ -27,6 +27,9 @@
// If not specified, Slack integration is disabled
// No default
"slack_url": "https://hooks.slack.com/services/A1...7/Z.....K/r....g",
// Users with this role are allowed to management access to the API
// Default: "admin"
"management_role": "manager",
// Routes configuration. Use this to customize your urls. These keys should
// always start with a slash (/)
"routes": {
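Review bot: The comment on the new `management_role` key, "Users with this role are allowed to management access to the API", is ungrammatical and does not say what the role actually grants; from the accompanying `checkPrivilege` change in userParamHelpers.js, a user whose `role` equals this string skips the box-ownership check on the update/delete box, sensor-data deletion and sketch routes, which an operator setting this value should be told. Suggest replacing the first comment line with `// Users whose role equals this value bypass box-ownership checks on management routes` and keeping the `// Default: "admin"` line. Because any user record whose role string matches gets this access, the comment could also remind operators that assigning that role must be restricted, though how roles are assigned is not visible in this commit.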
1 change: 1 addition & 0 deletions config/default.js
Expand Up @@ -13,6 +13,7 @@ const defaults = {
'api_url': '', // if not set, generated from api_protocol and api_base_domain
'honeybadger_apikey': '',
'slack_url': '',
'management_role': 'admin',
'routes': {
'boxes': '/boxes',
'users': '/users',
8 changes: 4 additions & 4 deletions packages/api/lib/controllers/boxesController.js
Expand Up @@ -45,7 +45,7 @@ const
retrieveParameters,
parseAndValidateTimeParamsForFindAllBoxes,
validateFromToTimeParams,
checkBoxIdOwner
checkPrivilege
} = require('../helpers/userParamHelpers'),
handleError = require('../helpers/errorHandler'),
jsonstringify = require('stringify-stream');
Expand Down Expand Up @@ -430,14 +430,14 @@ module.exports = {
{ predef: 'boxId', required: true },
{ predef: 'password' }
]),
checkBoxIdOwner,
checkPrivilege,
deleteBox
],
getSketch: [
retrieveParameters([
{ predef: 'boxId', required: true },
]),
checkBoxIdOwner,
checkPrivilege,
getSketch
],
updateBox: [
Expand All @@ -456,7 +456,7 @@ module.exports = {
{ name: 'addons', dataType: 'object' },
{ predef: 'location' }
]),
checkBoxIdOwner,
checkPrivilege,
updateBox
],
// no auth required
4 changes: 2 additions & 2 deletions packages/api/lib/controllers/sensorsController.js
Expand Up @@ -2,7 +2,7 @@

const { Box } = require('@sensebox/opensensemap-api-models'),
{ checkContentType } = require('../helpers/apiUtils'),
{ retrieveParameters, validateFromToTimeParams, checkBoxIdOwner } = require('../helpers/userParamHelpers'),
{ retrieveParameters, validateFromToTimeParams, checkPrivilege } = require('../helpers/userParamHelpers'),
handleError = require('../helpers/errorHandler');

/**
Expand Down Expand Up @@ -62,7 +62,7 @@ module.exports = {
{ predef: 'fromDateNoDefault' }
]),
validateFromToTimeParams,
checkBoxIdOwner,
checkPrivilege,
deleteSensorData
]
};
28 changes: 18 additions & 10 deletions packages/api/lib/helpers/userParamHelpers.js
@@ -1,12 +1,12 @@
'use strict';

const { BadRequestError, UnprocessableEntityError, InvalidArgumentError } = require('restify-errors'),
const { BadRequestError, UnprocessableEntityError, InvalidArgumentError, ForbiddenError } = require('restify-errors'),
{ utils: { parseAndValidateTimestamp }, db: { mongoose }, decoding: { validators: { transformAndValidateCoords } } } = require('@sensebox/opensensemap-api-models'),
moment = require('moment'),
isemail = require('isemail'),
handleModelError = require('./errorHandler'),
area = require('@turf/area');

area = require('@turf/area'),
config = require('config');

const decodeBase64Image = function (dataString) {
const matches = dataString.match(/^data:(?:image\/(jpeg|png|gif));base64,(.+)$/m);
Expand Down Expand Up @@ -489,20 +489,28 @@ const parseAndValidateTimeParamsForFindAllBoxes = function parseAndValidateTimeP
next();
};

const checkBoxIdOwner = function checkBoxIdOwner (req, res, next) {
try {
req.user.checkBoxOwner(req._userParams.boxId);

const checkPrivilege = function checkPrivilege (req, res, next) {
if (req.user && req.user.role === config.get('management_role')) {
return next();
} catch (err) {
handleModelError(err, next);
}

if (req._userParams.boxId) {
try {
req.user.checkBoxOwner(req._userParams.boxId);

return next();
} catch (err) {
return handleModelError(err, next);
}
}

return next(new ForbiddenError('Not signed in or not authorized to access.'));
};

module.exports = {
validateFromToTimeParams,
retrieveParameters,
initUserParams,
parseAndValidateTimeParamsForFindAllBoxes,
checkBoxIdOwner
checkPrivilege
};
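Review bot: An unauthenticated request that carries a boxId still reaches `req.user.checkBoxOwner(req._userParams.boxId)` in the second branch of the new `checkPrivilege`, because the `req.user &&` guard only protects the management-role test; with `req.user` undefined that line throws a TypeError into `handleModelError`, which presumably surfaces as a generic error rather than the 403 the final `ForbiddenError('Not signed in or not authorized to access.')` is meant to produce. Add an explicit guard before the role test, `if (!req.user) { return next(new ForbiddenError('Not signed in or not authorized to access.')); }`, so both branches only run for a signed-in user; if an upstream auth middleware already guarantees `req.user` on these routes (not visible here), the guard is still cheap insurance. The role test `req.user.role === config.get('management_role')` means every user whose stored role equals the configured string bypasses box ownership on deleteBox, updateBox, getSketch and deleteSensorData, so a short comment above the function such as `// Management role short-circuits ownership; any other user must own req._userParams.boxId` would make that contract explicit. Whether `req._userParams` is always initialized before this middleware runs cannot be confirmed from the hunk.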
