Addresses #327 and various related issues

HashBrownCMS · Jan 13, 2020 · 34daf33 · 34daf33
1 parent b8ba0ef
commit 34daf33
Show file tree

Hide file tree

Showing 12 changed files with 226 additions and 160 deletions.
diff --git a/src/Client/Entity/View/Navigation/ResourceBrowser.js b/src/Client/Entity/View/Navigation/ResourceBrowser.js
@@ -74,7 +74,7 @@ class ResourceBrowser extends HashBrown.Entity.View.Navigation.NavigationBase {
 
         for(let panel of Object.values(HashBrown.Entity.View.Panel)) {
             if(panel === HashBrown.Entity.View.Panel.PanelBase) { continue; }
-            if(!HashBrown.Context.user.hasScope(HashBrown.Context.projecId, panel.category)) { continue; }
+            if(!HashBrown.Context.user.hasScope(HashBrown.Context.projectId, panel.category)) { continue; }
 
             this.state.panels.push(panel);
 

diff --git a/src/Common/Entity/Resource/User.js b/src/Common/Entity/Resource/User.js
@@ -68,7 +68,7 @@ class User extends HashBrown.Entity.Resource.ResourceBase {
      * @returns {Boolean} hasScope
      */
     hasScope(project, scope) {
-        if(this.isAdmin || scope === 'content' || scope === 'media') { return true; }
+        if(this.isAdmin) { return true; }
 
         if(!project) { return false; }
         if(!scope && !this.scopes[project]) { return false; }
@@ -77,9 +77,7 @@ class User extends HashBrown.Entity.Resource.ResourceBase {
             this.scopes[project] = [];
         }
 
-        if(!scope) {
-            return true;
-        }
+        if(!scope || scope === 'content' || scope === 'media') { return true; }
 
         return this.scopes[project].indexOf(scope) > -1;
     }

diff --git a/src/Server/Controller/ApiController.js b/src/Server/Controller/ApiController.js
@@ -68,15 +68,20 @@ class ApiController extends HashBrown.Controller.ControllerBase {
 
                     // Using authentication
                     if(settings.authenticate !== false) {
-                        req.user = await this.authenticate(token, req.project, settings.scope, settings.needsAdmin);
+                        req.user = await this.authenticate(token);
                     }
 
                 // Disregarding project parameter, but using authentication
                 } else if(settings.authenticate !== false) {
                     req.user = await this.authenticate(token, null, settings.scope, settings.needsAdmin);
 
                 }
-
+
+                // If a user is specified, authorise it
+                if(req.user) {
+                    this.authorize(req.user, req.project, settings.scope, settings.needsAdmin);
+                }
+
                 next();
 
             } catch(e) {

diff --git a/src/Server/Controller/ControllerBase.js b/src/Server/Controller/ControllerBase.js
@@ -17,13 +17,12 @@ class ControllerBase {
      * Authenticates a request
      *
      * @param {String} token
-     * @param {String} project
-     * @param {String} scope
-     * @param {Boolean} needsAdmin
      *
-     * @returns {Promise} User object
+     * @returns {HashBrown.Entity.Resource.User} User object
      */
-    static async authenticate(token, project, scope, needsAdmin) {
+    static async authenticate(token) {
+        checkParam(token, 'token', String);
+
         // No token was provided
         if(!token) {
             throw new Error('You need to be logged in to do that');
@@ -36,17 +35,42 @@ class ControllerBase {
             throw new Error('You need to be logged in to do that');
         }
 
+        return user;
+    }
+
+    /**
+     * Authorises a request
+     *
+     * @param {HashBrown.Entity.Resource.User} user
+     * @param {String} project
+     * @param {String} scope
+     * @param {Boolean} needsAdmin
+     */
+    static authorize(user, project = '', scope = '', needsAdmin = false) {
+        checkParam(user, 'user', HashBrown.Entity.Resource.User);
+        checkParam(project, 'project', String);
+        checkParam(scope, 'scope', String);
+        checkParam(needsAdmin, 'needsAdmin', Boolean);
+
+        // No user was found
+        if(!user) {
+            throw new Error('You need to be logged in to do that');
+        }
+
         // Admin is required, and user isn't admin
         if(needsAdmin && !user.isAdmin) {
             throw new Error('You need to be admin to do that');
         }
+
+        // A project is defined, and the user doesn't have it
+        if(project && !user.hasScope(project)) {
+            throw new Error('You do not have permission to use this project');
+        }
 
         // A scope is defined, and the user doesn't have it
-        if(project && scope && !user.hasScope(project, scope)) {
-            throw new Error('You need the "' + scope + '" scope to do that');
+        if(scope && !user.hasScope(project, scope)) {
+            throw new Error(`You do not have permission to use the "${scope}" scope in this project`);
         }
-
-        return user;
     }
 
     /**

diff --git a/src/Server/Controller/TestController.js b/src/Server/Controller/TestController.js
@@ -33,7 +33,7 @@ class TestController extends HashBrown.Controller.ApiController {
         }
 
         try {
-            let user = await TestController.authenticate(req.cookies.token, null, null, true);
+            let user = await TestController.authenticate(req.cookies.token);
 
             if(!user.isAdmin) {
                 throw new Error('The testing tool requires admin privileges');