Merge pull request #222 from jhollinger/master

API-only access, per issue #150
2025-04-23 00:46:16 -04:00 · 2011-11-26 12:22:04 -08:00 · 2011-11-26 12:22:04 -08:00 · 3aacc0a1eb
commit 3aacc0a1eb
parent 33c51e1b01 a491600487
4 changed files with 70 additions and 12 deletions
--- a/node/db/SecurityManager.js
+++ b/node/db/SecurityManager.js
@ -23,6 +23,7 @@ var async = require("async");
 var authorManager = require("./AuthorManager");
 var padManager = require("./PadManager");
 var sessionManager = require("./SessionManager");
+var settings = require("../utils/Settings")

 /**
 * This function controlls the access to a pad, it checks if the user can access a pad.
@ -34,18 +35,52 @@ var sessionManager = require("./SessionManager");
 */ 
 exports.checkAccess = function (padID, sessionID, token, password, callback)
 { 
-  // it's not a group pad, means we can grant access
-  if(padID.indexOf("$") == -1)
+  var statusObject;
+
+  // a valid session is required (api-only mode)
+  if(settings.requireSession)
  {
-    //get author for this token
-    authorManager.getAuthor4Token(token, function(err, author)
+    // no sessionID, access is denied
+    if(!sessionID)
    {
-      // grant access, with author of token
-      callback(err, {accessStatus: "grant", authorID: author});
-    })
-    
-    //don't continue
-    return;
+      callback(null, {accessStatus: "deny"});
+      return;
+    }
+  }
+  // a session is not required, so we'll check if it's a public pad
+  else
+  {
+    // it's not a group pad, means we can grant access
+    if(padID.indexOf("$") == -1)
+    {
+      //get author for this token
+      authorManager.getAuthor4Token(token, function(err, author)
+      {
+        // assume user has access
+        statusObject = {accessStatus: "grant", authorID: author};
+        // user can't create pads
+        if(settings.editOnly)
+        {
+          // check if pad exists
+          padManager.doesPadExists(padID, function(err, exists)
+          {
+            // pad doesn't exist - user can't have access
+            if(!exists) statusObject.accessStatus = "deny";
+            // grant or deny access, with author of token
+            callback(err, statusObject);
+          });
+        }
+        // user may create new pads - no need to check anything
+        else
+        {
+          // grant access, with author of token
+          callback(err, statusObject);
+        }
+      })
+      
+      //don't continue
+      return;
+    }
  }
   
  var groupID = padID.split("$")[0];
@ -57,8 +92,6 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
  var isPasswordProtected;
  var passwordStatus = password == null ? "notGiven" : "wrong"; // notGiven, correct, wrong

-  var statusObject;
-
  async.series([
    //get basic informations from the database 
    function(callback)
@ -180,6 +213,8 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
      {
        //--> grant access
        statusObject = {accessStatus: "grant", authorID: sessionAuthor};
+        //--> deny access if user isn't allowed to create the pad
+        if(settings.editOnly) statusObject.accessStatus = "deny";
      }
      // there is no valid session avaiable AND pad exists
      else if(!validSession && padExists)