(function() {
var db = require('./db');
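/**
 * Authorization helper for file actions: lets the request through only when
 * the logged-in user is the user named in the route (`req.params.userid`) AND
 * holds one of `roles` on the file named in the route (`req.params.fileid`),
 * as recorded in the FileUser collection.
 *
 * On failure this function responds itself (401 / 403 / 500) and never calls
 * `next()`; on success it calls `next()`. Every branch terminates the request
 * exactly once — the original fell through after the findOne error and
 * attempted a second `res.send`.
 *
 * @param {object} req - Express request; `req.user` is the authenticated user (read: `_id`).
 * @param {object} res - Express response.
 * @param {string[]} roles - Role names accepted for this action (e.g. 'OWNER').
 * @param {Function} next - Continuation invoked only when the check passes.
 */
function checkFileRole(req, res, roles, next) {
  if (!req.user) {
    res.send("Unauthorized", 401);
    return;
  }
  // Compare as strings on purpose: `_id` may be an ObjectId-like object while
  // the route parameter is always a string (the original relied on loose `!=`
  // coercion for the same effect).
  if (String(req.user._id) !== String(req.params.userid)) {
    res.send("User does not match logged user", 403);
    return;
  }
  var fileId = req.params.fileid;
  db.model.FileUser.findOne({fileId: fileId, userId: req.user._id}, function (err, fileUser) {
    if (err) {
      console.error(err);
      res.send("Internal Server Error", 500);
      return; // must not continue: the original also sent a 403 afterwards
    }
    if (!fileUser) {
      res.send("User has no role in file", 403);
      return;
    }
    if (roles.indexOf(fileUser.role) === -1) {
      res.send("User lacks required role", 403);
      return;
    }
    next();
  });
}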
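/**
 * Checks that the route's `userid` parameter names the logged-in user.
 * Responds 401 when nobody is logged in, 403 when the ids differ, and calls
 * `next()` otherwise. Ids are compared as strings because `req.user._id` may
 * be an ObjectId-like object while route parameters are strings.
 *
 * The original inline version did not return after the 401 and then
 * dereferenced `req.user._id`, throwing after a response had been sent.
 */
function checkOwnUser(req, res, next) {
  if (!req.user) {
    res.send("Unauthorized", 401);
    return;
  }
  // TODO: Administrators may act on behalf of other users
  if (String(req.user._id) === String(req.params.userid)) {
    next();
  } else {
    res.send("Forbidden", 403);
  }
}

/**
 * Authorization middleware factory: `can('save-file')` returns an Express
 * middleware that lets the request through only when the logged-in user is
 * permitted to perform `action` on the resources named in `req.params`.
 *
 * Self-only actions ('get-user-info', 'create-new-file', 'list-files')
 * require `req.params.userid` to be the logged-in user. File actions
 * additionally require a FileUser role from the listed set (see
 * checkFileRole). An unknown action name is a routing misconfiguration and is
 * denied with 403 rather than left unanswered, as the original did.
 *
 * @param {string} action - Action name; one of the cases below.
 * @returns {Function} Express middleware `(req, res, next)`.
 */
module.exports.can = function (action) {
  return function (req, res, next) {
    switch (action) {
      case 'get-user-info':
        // User may view his/her own information
        checkOwnUser(req, res, next);
        break;
      case 'create-new-file':
        // User may create a new file for himself/herself
        checkOwnUser(req, res, next);
        break;
      case 'list-files':
        // User may list his/her own files
        checkOwnUser(req, res, next);
        break;
      case 'join-file':
        // User may join a session only as OWNER or WRITER of the file
        checkFileRole(req, res, ['OWNER', 'WRITER'], next);
        break;
      case 'get-file':
        // Any role on the file (OWNER, WRITER, READER) may view it
        checkFileRole(req, res, ['OWNER', 'WRITER', 'READER'], next);
        break;
      case 'get-file-users':
        // Any role on the file may list its users
        checkFileRole(req, res, ['OWNER', 'WRITER', 'READER'], next);
        break;
      case 'get-file-revisions':
        // Any role on the file may list its revisions
        checkFileRole(req, res, ['OWNER', 'WRITER', 'READER'], next);
        break;
      case 'update-file-users':
        // Changing the user list is a write: OWNER or WRITER only
        // (the original comment wrongly described this as a read-only listing)
        checkFileRole(req, res, ['OWNER', 'WRITER'], next);
        break;
      case 'save-file':
        // User may save a file only as OWNER or WRITER
        checkFileRole(req, res, ['OWNER', 'WRITER'], next);
        break;
      default:
        // Fail closed: an action nobody registered here must never pass,
        // and the request must not hang without a response.
        console.error('roles.can: unknown action "' + action + '"');
        res.send("Forbidden", 403);
    }
  };
};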
}).call(this);