Update API to handle permissions checks on most endpoints

D. Berge
2025-07-24 19:24:40 +02:00
parent e47020a21e
commit 386fd59900


@@ -94,8 +94,8 @@ app.map({
// WARNING Every route from here onwards requires authentication!
//
app.use(mw.auth.authentify);
// Read access required for anything below here
app.use(mw.auth.access.read);
// Users must be authenticated to access anything below here
app.use(mw.auth.access.user);
// Don't process the request if the data hasn't changed
app.use(mw.etag.ifNoneMatch);
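Review bot: Several GET routes lose their read-permission gate here: the global `app.use(mw.auth.access.read)` is replaced by `app.use(mw.auth.access.user)`, so every route below that did not receive a per-route `mw.auth.access.read` in this commit is now guarded only by `access.user`. In the `@@ -108` hunk the `get` handlers of `/project/:project` and `/project/:project/configuration` stay as `get: [ mw.project.summary.get ]` and `get: [ mw.project.configuration.get ]` while the sibling `/summary` route does gain `mw.auth.access.read`; the same applies to the `/sequence/:sequence` results `get` in the `@@ -247` hunk and, per the TODO the commit itself adds, to `/navdata/` in the `@@ -296` hunk (cut off at the end of the page). Unless `access.user` is intended to imply read permission, those lines should become `get: [ mw.auth.access.read, mw.project.summary.get ],`, `get: [ mw.auth.access.read, mw.project.configuration.get ],` and `get: [ mw.auth.access.read, mw.etag.noSave, mw.qc.results.get ],`. The `app.map({` call these routes belong to starts before this hunk, so any routes mapped above the authenticated section are not visible here.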
@@ -108,15 +108,15 @@ app.map({
},
'/project/:project': {
get: [ mw.project.summary.get ], // Get project data
delete: [ mw.auth.access.admin, mw.project.delete ], // Delete a project (only if empty)
delete: [ mw.auth.access.edit, mw.project.delete ], // Delete a project (only if empty)
},
'/project/:project/summary': {
get: [ mw.project.summary.get ],
get: [ mw.auth.access.read, mw.project.summary.get ],
},
'/project/:project/configuration': {
get: [ mw.project.configuration.get ], // Get project configuration
patch: [ mw.auth.access.admin, mw.project.configuration.patch ], // Modify project configuration
put: [ mw.auth.access.admin, mw.project.configuration.put ], // Overwrite configuration
patch: [ mw.auth.access.edit, mw.project.configuration.patch ], // Modify project configuration
put: [ mw.auth.access.edit, mw.project.configuration.put ], // Overwrite configuration
},
/*
@@ -124,25 +124,25 @@ app.map({
*/
'/project/:project/gis': {
get: [ mw.etag.noSave, mw.gis.project.bbox ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.bbox ]
},
'/project/:project/gis/preplot': {
get: [ mw.etag.noSave, mw.gis.project.preplot ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.preplot ]
},
'/project/:project/gis/preplot/:featuretype(line|point)': {
get: [ mw.etag.noSave, mw.gis.project.preplot ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.preplot ]
},
'/project/:project/gis/raw/:featuretype(line|point)': {
get: [ mw.etag.noSave, mw.gis.project.raw ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.raw ]
},
'/project/:project/gis/final/:featuretype(line|point)': {
get: [ mw.etag.noSave, mw.gis.project.final ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.final ]
},
'/project/:project/gis/layer': {
get: [ mw.etag.noSave, mw.gis.project.layer.get ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.layer.get ]
},
'/project/:project/gis/layer/:name': {
get: [ mw.etag.noSave, mw.gis.project.layer.get ]
get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.layer.get ]
},
/*
@@ -150,10 +150,10 @@ app.map({
*/
'/project/:project/line/': {
get: [ mw.line.list ],
get: [ mw.auth.access.read, mw.line.list ],
},
'/project/:project/line/:line': {
// get: [ mw.line.get ],
// get: [ mw.auth.access.read, mw.line.get ],
patch: [ mw.auth.access.write, mw.line.patch ],
},
@@ -162,13 +162,13 @@ app.map({
*/
'/project/:project/sequence/': {
get: [ mw.sequence.list ],
get: [ mw.auth.access.read, mw.sequence.list ],
},
'/project/:project/sequence/:sequence': {
get: [ mw.sequence.get ],
get: [ mw.auth.access.read, mw.sequence.get ],
patch: [ mw.auth.access.write, mw.sequence.patch ],
'/:point': {
get: [ mw.sequence.point.get ]
get: [ mw.auth.access.read, mw.sequence.point.get ]
}
},
@@ -177,25 +177,28 @@ app.map({
*/
'/project/:project/plan/': {
get: [ mw.plan.list ],
get: [ mw.auth.access.read, mw.plan.list ],
put: [ mw.auth.access.write, mw.plan.put ],
post: [ mw.auth.access.write, mw.plan.post ]
},
'/project/:project/plan/:sequence': {
// get: [ mw.plan.get ],
// get: [ mw.auth.access.read, mw.plan.get ],
patch: [ mw.auth.access.write, mw.plan.patch ],
delete: [ mw.auth.access.write, mw.plan.delete ]
},
/*
* Line name endpoints
*
*/
// Read access is sufficient for the next two endpoints
'/project/:project/linename': {
post: [ mw.linename.post ], // Get a linename
post: [ mw.auth.access.read, mw.linename.post ], // Get a linename
},
'/project/:project/linename/properties': {
get: [ mw.linename.properties.get ], // Get linename properties
get: [ mw.auth.access.read, mw.linename.properties.get ], // Get linename properties
},
/*
@@ -203,19 +206,19 @@ app.map({
*/
'/project/:project/event/': {
get: [ mw.event.list ],
get: [ mw.auth.access.read, mw.event.list ],
post: [ mw.auth.access.write, mw.event.post ],
put: [ mw.auth.access.write, mw.event.put ],
delete: [ mw.auth.access.write, mw.event.delete ],
'changes/:since': {
get: [ mw.event.changes ]
get: [ mw.auth.access.read, mw.event.changes ]
},
// TODO Rename -/:sequence → sequence/:sequence
'-/:sequence/': { // NOTE: We need to avoid conflict with the next endpoint ☹
get: [ mw.event.sequence.get ],
get: [ mw.auth.access.read, mw.event.sequence.get ],
},
':id/': {
get: [ mw.event.get ],
get: [ mw.auth.access.read, mw.event.get ],
put: [ mw.auth.access.write, mw.event.put ],
patch: [ mw.auth.access.write, mw.event.patch ],
delete: [mw.auth.access.write, mw.event.delete ]
@@ -229,17 +232,17 @@ app.map({
'/project/:project/qc': {
'/results': {
// Get all QC results for :project
get: [ mw.etag.noSave, mw.qc.results.get ],
get: [ mw.auth.access.read, mw.etag.noSave, mw.qc.results.get ],
// Delete all QC results for :project
delete: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.delete ],
delete: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.delete ],
'/accept': {
post: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.accept ]
post: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.accept ]
},
'/unaccept': {
post: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.unaccept ]
post: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.unaccept ]
},
'/sequence/:sequence': {
@@ -247,7 +250,7 @@ app.map({
get: [ mw.etag.noSave, mw.qc.results.get ],
// Delete QC results for :project, :sequence
delete: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.delete ]
delete: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.delete ]
}
}
},
@@ -257,18 +260,18 @@ app.map({
*/
'/project/:project/label/': {
get: [ mw.label.list ],
get: [ mw.auth.access.read, mw.label.list ],
// post: [ mw.label.post ],
},
'/project/:project/configuration/:path(*)?': {
get: [ mw.configuration.get ],
get: [ mw.auth.access.read, mw.configuration.get ],
// post: [ mw.auth.access.admin, mw.label.post ],
},
'/project/:project/info/:path(*)': {
get: [ mw.info.get ],
post: [ mw.auth.access.write, mw.info.post ],
put: [ mw.auth.access.write, mw.info.put ],
delete: [ mw.auth.access.write, mw.info.delete ]
get: [ mw.auth.operations, mw.auth.access.read, mw.info.get ],
post: [ mw.auth.operations, mw.auth.access.write, mw.info.post ],
put: [ mw.auth.operations, mw.auth.access.write, mw.info.put ],
delete: [ mw.auth.operations, mw.auth.access.write, mw.info.delete ]
},
'/project/:project/meta/': {
put: [ mw.auth.access.write, mw.meta.put ],
@@ -278,7 +281,7 @@ app.map({
// GET:
// `/raw/sequences/qc/missing_shots`,
// `/final/points/qc/sync_warn/results
get: [ mw.meta.get ],
get: [ mw.auth.access.read, mw.meta.get ],
// // PUT:
// // `/raw/qc/missing_shots` ← { sequence: …, value: … }
// put: [ mw.meta.put ]
@@ -296,7 +299,7 @@ app.map({
'/files/?:path(*)': {
get: [ mw.auth.access.write, mw.etag.noSave, mw.files.get ]
},
'/navdata/': {
'/navdata/': { // TODO These endpoints should probably need read access auth
get: [ mw.etag.noSave, mw.navdata.get ],
'gis/:featuretype(line|point)': {
get: [ mw.etag.noSave, mw.gis.navdata.get ]