refactor: middleware.assert.*
julianlam committed Oct 8, 2020
1 parent 41f55b7 commit 8ecef7b
Showing 7 changed files with 93 additions and 93 deletions.
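--- a/src/middleware/assert.js
+++ b/src/middleware/assert.js
@@ -19,60 +19,60 @@ const posts = require('../posts');
 const helpers = require('./helpers');
 const controllerHelpers = require('../controllers/helpers');
 
-module.exports = function (middleware) {
-middleware.assertUser = helpers.try(async (req, res, next) => {
-if (!await user.exists(req.params.uid)) {
-return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
-}
-
-next();
-});
-
-middleware.assertGroup = helpers.try(async (req, res, next) => {
-const name = await groups.getGroupNameByGroupSlug(req.params.slug);
-if (!name || !await groups.exists(name)) {
-return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
-}
-
-next();
-});
-
-middleware.assertTopic = helpers.try(async (req, res, next) => {
-if (!await topics.exists(req.params.tid)) {
-return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
-}
-
-next();
-});
-
-middleware.assertPost = helpers.try(async (req, res, next) => {
-if (!await posts.exists(req.params.pid)) {
-return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
-}
-
-next();
-});
-
-middleware.assertPath = helpers.try(async (req, res, next) => {
-// file: URL support
-if (req.body.path.startsWith('file:///')) {
-req.body.path = new URL(req.body.path).pathname;
-}
-
-// Checks file exists and is within bounds of upload_path
-const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
-res.locals.cleanedPath = pathToFile;
-
-if (!pathToFile.startsWith(nconf.get('upload_path'))) {
-return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
-}
-
-try {
-await fsPromises.access(pathToFile, fs.constants.F_OK);
-} catch (e) {
-return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
-}
-
-next();
-});
-};
+const Assert = module.exports;
+
+Assert.user = helpers.try(async (req, res, next) => {
+if (!await user.exists(req.params.uid)) {
+return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-user]]'));
+}
+
+next();
+});
+
+Assert.group = helpers.try(async (req, res, next) => {
+const name = await groups.getGroupNameByGroupSlug(req.params.slug);
+if (!name || !await groups.exists(name)) {
+return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-group]]'));
+}
+
+next();
+});
+
+Assert.topic = helpers.try(async (req, res, next) => {
+if (!await topics.exists(req.params.tid)) {
+return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
+}
+
+next();
+});
+
+Assert.post = helpers.try(async (req, res, next) => {
+if (!await posts.exists(req.params.pid)) {
+return controllerHelpers.formatApiResponse(404, res, new Error('[[error:no-topic]]'));
+}
+
+next();
+});
+
+Assert.path = helpers.try(async (req, res, next) => {
+// file: URL support
+if (req.body.path.startsWith('file:///')) {
+req.body.path = new URL(req.body.path).pathname;
+}
+
+// Checks file exists and is within bounds of upload_path
+const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
+res.locals.cleanedPath = pathToFile;
+
+if (!pathToFile.startsWith(nconf.get('upload_path'))) {
+return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
+}
+
+try {
+await fsPromises.access(pathToFile, fs.constants.F_OK);
+} catch (e) {
+return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
+}
+
+next();
+});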
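Review bot: The bounds check in `Assert.path` is a raw string-prefix test, `pathToFile.startsWith(nconf.get('upload_path'))`, which also accepts a joined path inside a sibling directory whose name merely starts with the upload directory's name, and accepts the upload directory itself; the refactor carries this check over unchanged in front of the file-delete route. Comparing resolved paths against the base plus a separator closes that gap: `const base = path.resolve(nconf.get('upload_path')) + path.sep;` followed by `if (!path.resolve(pathToFile).startsWith(base)) {` (assuming `path` is Node's path module, as the `path.join` call suggests). `req.body.path.startsWith(...)` also presumes the body value is a string, so a `typeof req.body.path !== 'string'` guard that returns the invalid-path response would be worth adding before it. Separately, `Assert.post` still answers a missing post with `[[error:no-topic]]`, which looks like a copy-paste from `Assert.topic`.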
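--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -60,7 +60,7 @@ require('./maintenance')(middleware);
 require('./user')(middleware);
 require('./headers')(middleware);
 require('./expose')(middleware);
-require('./assert')(middleware);
+middleware.assert = require('./assert');
 
 middleware.stripLeadingSlashes = function stripLeadingSlashes(req, res, next) {
 var target = req.originalUrl.replace(nconf.get('relative_path'), '');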
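--- a/src/routes/write/files.js
+++ b/src/routes/write/files.js
@@ -10,8 +10,8 @@ const setupApiRoute = routeHelpers.setupApiRoute;
 module.exports = function () {
 const middlewares = [middleware.authenticate];
 
-// setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assertFolder], 'put', controllers.write.files.upload);
-setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assertPath], 'delete', controllers.write.files.delete);
+// setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assert.folder], 'put', controllers.write.files.upload);
+setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['path']), middleware.assert.path], 'delete', controllers.write.files.delete);
 
 return router;
 };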
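--- a/src/routes/write/groups.js
+++ b/src/routes/write/groups.js
@@ -11,9 +11,9 @@ module.exports = function () {
 const middlewares = [middleware.authenticate];
 
 setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['name']), middleware.exposePrivilegeSet], 'post', controllers.write.groups.create);
-setupApiRoute(router, '/:slug', middleware, [...middlewares, middleware.assertGroup, middleware.exposePrivileges], 'delete', controllers.write.groups.delete);
-setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assertGroup, middleware.exposePrivileges], 'put', controllers.write.groups.join);
-setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assertGroup, middleware.exposePrivileges], 'delete', controllers.write.groups.leave);
+setupApiRoute(router, '/:slug', middleware, [...middlewares, middleware.assert.group, middleware.exposePrivileges], 'delete', controllers.write.groups.delete);
+setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assert.group, middleware.exposePrivileges], 'put', controllers.write.groups.join);
+setupApiRoute(router, '/:slug/membership/:uid', middleware, [...middlewares, middleware.assert.group, middleware.exposePrivileges], 'delete', controllers.write.groups.leave);
 
 return router;
 };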
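--- a/src/routes/write/posts.js
+++ b/src/routes/write/posts.js
@@ -11,16 +11,16 @@ module.exports = function () {
 const middlewares = [middleware.authenticate];
 
 setupApiRoute(router, '/:pid', middleware, [...middlewares, middleware.checkRequired.bind(null, ['content'])], 'put', controllers.write.posts.edit);
-setupApiRoute(router, '/:pid', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.purge);
+setupApiRoute(router, '/:pid', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.purge);
 
-setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assertPost], 'put', controllers.write.posts.restore);
-setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.delete);
+setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assert.post], 'put', controllers.write.posts.restore);
+setupApiRoute(router, '/:pid/state', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.delete);
 
-setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.checkRequired.bind(null, ['delta']), middleware.assertPost], 'put', controllers.write.posts.vote);
-setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.unvote);
+setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.checkRequired.bind(null, ['delta']), middleware.assert.post], 'put', controllers.write.posts.vote);
+setupApiRoute(router, '/:pid/vote', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.unvote);
 
-setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assertPost], 'put', controllers.write.posts.bookmark);
-setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assertPost], 'delete', controllers.write.posts.unbookmark);
+setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assert.post], 'put', controllers.write.posts.bookmark);
+setupApiRoute(router, '/:pid/bookmark', middleware, [...middlewares, middleware.assert.post], 'delete', controllers.write.posts.unbookmark);
 
 return router;
 };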
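--- a/src/routes/write/topics.js
+++ b/src/routes/write/topics.js
@@ -11,25 +11,25 @@ module.exports = function () {
 const middlewares = [middleware.authenticate];
 
 setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['cid', 'title', 'content'])], 'post', controllers.write.topics.create);
-setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.checkRequired.bind(null, ['content']), middleware.assertTopic], 'post', controllers.write.topics.reply);
-setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.purge);
+setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.checkRequired.bind(null, ['content']), middleware.assert.topic], 'post', controllers.write.topics.reply);
+setupApiRoute(router, '/:tid', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.purge);
 
-setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.restore);
-setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.delete);
+setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.restore);
+setupApiRoute(router, '/:tid/state', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.delete);
 
-setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.pin);
-setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unpin);
+setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.pin);
+setupApiRoute(router, '/:tid/pin', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unpin);
 
-setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.lock);
-setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unlock);
+setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.lock);
+setupApiRoute(router, '/:tid/lock', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unlock);
 
-setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.follow);
-setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unfollow);
-setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assertTopic], 'put', controllers.write.topics.ignore);
-setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.unfollow); // intentional, unignore == unfollow
+setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.follow);
+setupApiRoute(router, '/:tid/follow', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unfollow);
+setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assert.topic], 'put', controllers.write.topics.ignore);
+setupApiRoute(router, '/:tid/ignore', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.unfollow); // intentional, unignore == unfollow
 
-setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assertTopic], 'put', controllers.write.topics.addTags);
-setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.assertTopic], 'delete', controllers.write.topics.deleteTags);
+setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.checkRequired.bind(null, ['tags']), middleware.assert.topic], 'put', controllers.write.topics.addTags);
+setupApiRoute(router, '/:tid/tags', middleware, [...middlewares, middleware.assert.topic], 'delete', controllers.write.topics.deleteTags);
 
 return router;
 };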
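--- a/src/routes/write/users.js
+++ b/src/routes/write/users.js
@@ -18,19 +18,19 @@ function authenticatedRoutes() {
 setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], 'post', controllers.write.users.create);
 setupApiRoute(router, '/', middleware, [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], 'delete', controllers.write.users.deleteMany);
 
-setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.update);
-setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
+setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assert.user], 'put', controllers.write.users.update);
+setupApiRoute(router, '/:uid', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivileges], 'delete', controllers.write.users.delete);
 
-setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assertUser], 'put', controllers.write.users.changePassword);
+setupApiRoute(router, '/:uid/password', middleware, [...middlewares, middleware.checkRequired.bind(null, ['newPassword']), middleware.assert.user], 'put', controllers.write.users.changePassword);
 
-setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'put', controllers.write.users.follow);
-setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assertUser], 'delete', controllers.write.users.unfollow);
+setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assert.user], 'put', controllers.write.users.follow);
+setupApiRoute(router, '/:uid/follow', middleware, [...middlewares, middleware.assert.user], 'delete', controllers.write.users.unfollow);
 
-setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'put', controllers.write.users.ban);
-setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
+setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivileges], 'put', controllers.write.users.ban);
+setupApiRoute(router, '/:uid/ban', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivileges], 'delete', controllers.write.users.unban);
 
-setupApiRoute(router, '/:uid/tokens', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivilegeSet], 'post', controllers.write.users.generateToken);
-setupApiRoute(router, '/:uid/tokens/:token', middleware, [...middlewares, middleware.assertUser, middleware.exposePrivilegeSet], 'delete', controllers.write.users.deleteToken);
+setupApiRoute(router, '/:uid/tokens', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], 'post', controllers.write.users.generateToken);
+setupApiRoute(router, '/:uid/tokens/:token', middleware, [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], 'delete', controllers.write.users.deleteToken);
 
 /**
 * Implement this later...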
