Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make DELETE require write permissions on container #1014

Merged
merged 3 commits into from
Dec 10, 2018
Merged

Make DELETE require write permissions on container #1014

merged 3 commits into from
Dec 10, 2018

Conversation

rubensworks
Copy link
Contributor

DELETE will now basically always check the permissions of the parent directory.

As requested in #729.

@rubensworks rubensworks added this to In progress in NSS-5.0.0 via automation Dec 6, 2018
@ghost ghost assigned rubensworks Dec 6, 2018
@ghost ghost added the in progress label Dec 6, 2018
@rubensworks rubensworks mentioned this pull request Dec 6, 2018
Closed
@rubensworks rubensworks moved this from In progress to Needs review in NSS-5.0.0 Dec 6, 2018
kjetilk
kjetilk reviewed Dec 6, 2018
View reviewed changes
lib/ldp-middleware.js Outdated
@@ -26,7 +26,7 @@ function LdpMiddleware (corsSettings) {
router.post('/*', allow('Append'), post)
router.patch('/*', allow('Append'), patch)
router.put('/*', allow('Write'), put)
router.delete('/*', allow('Write'), del)
router.delete('/*', allow('Write', '..'), del)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure, but wouldn't ./ be the path to the container?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason why that was needed is because I used path.join, which considers everything to be a path segment, including the filename itself, so ./ would do nothing.

In any case, I rewrote this PR a bit, as it was indeed a bit confusing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK; perhaps you can have a look too, @RubenVerborgh ?

NSS-5.0.0 automation moved this from Needs review to Reviewer approved Dec 9, 2018
RubenVerborgh
RubenVerborgh approved these changes Dec 9, 2018
View reviewed changes
Copy link
Contributor

@RubenVerborgh RubenVerborgh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Functionality okay, only naming suggestions. Easily testable, or too hard?

lib/handlers/allow.js Outdated
const ACL = require('../acl-checker')
const debug = require('../debug.js').ACL
const fs = require('fs')
const { promisify } = require('util')
const HTTPError = require('../http-error')

function allow (mode) {
function allow (mode, testDirectory) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unclear parameter name IMHO

lib/handlers/allow.js Outdated
@@ -23,6 +24,11 @@ function allow (mode) {
? res.locals.path
: req.path

// If a relativePath has been provided, check permissions based on that
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment out of sync?

lib/handlers/allow.js Outdated
@@ -23,6 +24,11 @@ function allow (mode) {
? res.locals.path
: req.path

// If a relativePath has been provided, check permissions based on that
if (testDirectory) {
reqPath = path.dirname(reqPath)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe deceptive to use reqPath for it then. Perhaps should be something like resourcePath.

@rubensworks
Copy link
Contributor Author

Easily testable, or too hard?

Too hard in the current architecture. I couldn't find a place where both the allow and delete handlers were already setup in tests, so writing a test for this would require quite a bit of effort (but should be possible to do if we want to invest time in that).

All other comments have been resolved.

@kjetilk kjetilk merged commit 2fbe582 into nodeSolidServer:release/v5.0.0 Dec 10, 2018
NSS-5.0.0 automation moved this from Reviewer approved to Done Dec 10, 2018
@ghost ghost removed the in progress label Dec 10, 2018
@kjetilk kjetilk mentioned this pull request Dec 11, 2018
Open
@RubenVerborgh RubenVerborgh mentioned this pull request May 16, 2019
Closed
@bourgeoa bourgeoa removed this from Done in NSS-5.0.0 Apr 26, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kjetilk kjetilk kjetilk left review comments

@RubenVerborgh RubenVerborgh RubenVerborgh approved these changes

Assignees

@rubensworks rubensworks

Labels
ready for review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rubensworks @kjetilk @RubenVerborgh