coop-cloud-chaos-patchs/outline
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added more structure and tests to our authorization code

Browse Source
This commit is contained in:
Tom Moor
2018-02-18 00:11:48 -08:00
parent b53749c95c
commit 2f81eb5e87
9 changed files with 138 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
server/api/documents.js
View File

@ -6,12 +6,9 @@ import auth from './middlewares/authentication';
import pagination from './middlewares/pagination';
import { presentDocument, presentRevision } from '../presenters';
import { Document, Collection, Star, View, Revision } from '../models';
import policy from '../policies';
const authDocumentForUser = (ctx, document) => {
const user = ctx.state.user;
if (!document || document.teamId !== user.teamId) throw httpErrors.NotFound();
};
const { authorize } = policy;
const router = new Router();
router.post('documents.list', auth(), pagination(), async ctx => {
@ -110,7 +107,7 @@ router.post('documents.info', auth(), async ctx => {
ctx.assertPresent(id, 'id is required');
const document = await Document.findById(id);
authDocumentForUser(ctx, document);
authorize(ctx.state.user, 'read', document);
ctx.body = {
data: await presentDocument(ctx, document),
@ -123,7 +120,7 @@ router.post('documents.revisions', auth(), pagination(), async ctx => {
ctx.assertPresent(id, 'id is required');
const document = await Document.findById(id);
authDocumentForUser(ctx, document);
authorize(ctx.state.user, 'read', document);
const revisions = await Revision.findAll({
where: { documentId: id },
@ -170,7 +167,7 @@ router.post('documents.star', auth(), async ctx => {
const user = await ctx.state.user;
const document = await Document.findById(id);
authDocumentForUser(ctx, document);
authorize(ctx.state.user, 'read', document);
await Star.findOrCreate({
where: { documentId: document.id, userId: user.id },
@ -183,7 +180,7 @@ router.post('documents.unstar', auth(), async ctx => {
const user = await ctx.state.user;
const document = await Document.findById(id);
authDocumentForUser(ctx, document);
authorize(ctx.state.user, 'read', document);
await Star.destroy({
where: { documentId: document.id, userId: user.id },
@ -254,20 +251,20 @@ router.post('documents.update', auth(), async ctx => {
const user = ctx.state.user;
const document = await Document.findById(id);
const collection = document.collection;
authorize(ctx.state.user, 'update', document);
if (lastRevision && lastRevision !== document.revisionCount) {
throw httpErrors.BadRequest('Document has changed since last revision');
}
authDocumentForUser(ctx, document);
// Update document
if (title) document.title = title;
if (text) document.text = text;
document.lastModifiedById = user.id;
await document.save();
const collection = document.collection;
if (collection.type === 'atlas') {
await collection.updateDocument(document);
}
@ -287,10 +284,9 @@ router.post('documents.move', auth(), async ctx => {
if (index) ctx.assertPositiveInteger(index, 'index must be an integer (>=0)');
const document = await Document.findById(id);
const collection = await Collection.findById(document.atlasId);
authDocumentForUser(ctx, document);
authorize(ctx.state.user, 'update', document);
const collection = document.collection;
if (collection.type !== 'atlas')
throw httpErrors.BadRequest("This document can't be moved");
@ -324,10 +320,9 @@ router.post('documents.delete', auth(), async ctx => {
ctx.assertPresent(id, 'id is required');
const document = await Document.findById(id);
const collection = await Collection.findById(document.atlasId);
authDocumentForUser(ctx, document);
authorize(ctx.state.user, 'delete', document);
const collection = document.collection;
if (collection.type === 'atlas') {
// Don't allow deletion of root docs
if (collection.documentStructure.length === 1) {