diff --git a/lib/www/server/api/index.js b/lib/www/server/api/index.js
index 4ad61ac..64963bf 100644
--- a/lib/www/server/api/index.js
+++ b/lib/www/server/api/index.js
@@ -94,8 +94,8 @@ app.map({
 // WARNING Every route from here onwards requires authentication!
 //
 app.use(mw.auth.authentify);
-// Read access required for anything below here
-app.use(mw.auth.access.read);
+// Users must be authenticated to access anything below here
+app.use(mw.auth.access.user);
 // Don't process the request if the data hasn't changed
 app.use(mw.etag.ifNoneMatch);
@@ -108,15 +108,15 @@ app.map({
 },
 '/project/:project': {
 get: [ mw.project.summary.get ], // Get project data
-delete: [ mw.auth.access.admin, mw.project.delete ], // Delete a project (only if empty)
+delete: [ mw.auth.access.edit, mw.project.delete ], // Delete a project (only if empty)
 },
 '/project/:project/summary': {
-get: [ mw.project.summary.get ],
+get: [ mw.auth.access.read, mw.project.summary.get ],
 },
 '/project/:project/configuration': {
 get: [ mw.project.configuration.get ], // Get project configuration
-patch: [ mw.auth.access.admin, mw.project.configuration.patch ], // Modify project configuration
-put: [ mw.auth.access.admin, mw.project.configuration.put ], // Overwrite configuration
+patch: [ mw.auth.access.edit, mw.project.configuration.patch ], // Modify project configuration
+put: [ mw.auth.access.edit, mw.project.configuration.put ], // Overwrite configuration
 },
 /*
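Review bot: Replacing the global `app.use(mw.auth.access.read)` with `app.use(mw.auth.access.user)` turns read authorization from default-deny into per-route opt-in, and several GET routes in this diff never receive the new `mw.auth.access.read` guard: `'/project/:project'` get and `'/project/:project/configuration'` get in the following hunk, the qc `'/sequence/:sequence'` get that is context in the @@ -247 hunk, and both `/navdata/` GETs in the last hunk (whose added TODO acknowledges it). Assuming `access.user` only checks that the caller is authenticated, as the new comment states, any authenticated user without read permission can now reach those handlers. Either keep the default-deny here (retain `app.use(mw.auth.access.read);` and exempt the few user-only routes explicitly) or add the guard to each listed route and back the table with a test that asserts every handler array in `app.map` begins with an `mw.auth.access.*` entry. The `app.map({` object literal this hunk sits in starts before and ends long after the hunk.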
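Review bot: The three `mw.auth.access.admin` → `mw.auth.access.edit` replacements on `delete:` of `'/project/:project'` and on `patch:`/`put:` of `'/project/:project/configuration'` lower the privilege needed to delete a project and overwrite its configuration; if that is intentional it deserves a trailing comment on each line, e.g. `// edit (not admin) suffices: <reason — fill in>`, so the next reader does not treat it as a regression and revert it. The two GETs in the same hunk are also now inconsistent: `'/project/:project/summary'` gets `mw.auth.access.read` while `'/project/:project'` runs the same `mw.project.summary.get` handler with no access entry at all. The enclosing `app.map({` literal continues outside the hunk.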
@@ -124,25 +124,25 @@ app.map({
 */
 '/project/:project/gis': {
-get: [ mw.etag.noSave, mw.gis.project.bbox ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.bbox ]
 },
 '/project/:project/gis/preplot': {
-get: [ mw.etag.noSave, mw.gis.project.preplot ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.preplot ]
 },
 '/project/:project/gis/preplot/:featuretype(line|point)': {
-get: [ mw.etag.noSave, mw.gis.project.preplot ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.preplot ]
 },
 '/project/:project/gis/raw/:featuretype(line|point)': {
-get: [ mw.etag.noSave, mw.gis.project.raw ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.raw ]
 },
 '/project/:project/gis/final/:featuretype(line|point)': {
-get: [ mw.etag.noSave, mw.gis.project.final ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.final ]
 },
 '/project/:project/gis/layer': {
-get: [ mw.etag.noSave, mw.gis.project.layer.get ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.layer.get ]
 },
 '/project/:project/gis/layer/:name': {
-get: [ mw.etag.noSave, mw.gis.project.layer.get ]
+get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.layer.get ]
 },
 /*
@@ -150,10 +150,10 @@ app.map({
 */
 '/project/:project/line/': {
-get: [ mw.line.list ],
+get: [ mw.auth.access.read, mw.line.list ],
 },
 '/project/:project/line/:line': {
-// get: [ mw.line.get ],
+// get: [ mw.auth.access.read, mw.line.get ],
 patch: [ mw.auth.access.write, mw.line.patch ],
 },
@@ -162,13 +162,13 @@ app.map({
 */
 '/project/:project/sequence/': {
-get: [ mw.sequence.list ],
+get: [ mw.auth.access.read, mw.sequence.list ],
 },
 '/project/:project/sequence/:sequence': {
-get: [ mw.sequence.get ],
+get: [ mw.auth.access.read, mw.sequence.get ],
 patch: [ mw.auth.access.write, mw.sequence.patch ],
 '/:point': {
-get: [ mw.sequence.point.get ]
+get: [ mw.auth.access.read, mw.sequence.point.get ]
 }
 },
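Review bot: The seven gis routes now each repeat the prefix `mw.auth.access.read, mw.etag.noSave` in front of their handler, which is the kind of list that drifts when the next route is added and one of the two entries is forgotten. If the file already uses ES2015 syntax, a single `const readNoCache = [ mw.auth.access.read, mw.etag.noSave ];` declared before `app.map` and used as `get: [ ...readNoCache, mw.gis.project.bbox ]` in each route keeps the pair, and its order, in one place. The order chosen here is the right one: the authorization check runs before any etag handling, so an unauthorized caller is rejected before caching logic sees the request. The `app.map({` literal enclosing these hunks starts and ends outside them.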
@@ -177,25 +177,28 @@ app.map({
 */
 '/project/:project/plan/': {
-get: [ mw.plan.list ],
+get: [ mw.auth.access.read, mw.plan.list ],
 put: [ mw.auth.access.write, mw.plan.put ],
 post: [ mw.auth.access.write, mw.plan.post ]
 },
 '/project/:project/plan/:sequence': {
-// get: [ mw.plan.get ],
+// get: [ mw.auth.access.read, mw.plan.get ],
 patch: [ mw.auth.access.write, mw.plan.patch ],
 delete: [ mw.auth.access.write, mw.plan.delete ]
 },
 /*
 * Line name endpoints
+ *
 */
+// Read access is sufficient for the next two endpoints
+
 '/project/:project/linename': {
-post: [ mw.linename.post ], // Get a linename
+post: [ mw.auth.access.read, mw.linename.post ], // Get a linename
 },
 '/project/:project/linename/properties': {
-get: [ mw.linename.properties.get ], // Get linename properties
+get: [ mw.auth.access.read, mw.linename.properties.get ], // Get linename properties
 },
 /*
@@ -203,19 +206,19 @@ app.map({
 */
 '/project/:project/event/': {
-get: [ mw.event.list ],
+get: [ mw.auth.access.read, mw.event.list ],
 post: [ mw.auth.access.write, mw.event.post ],
 put: [ mw.auth.access.write, mw.event.put ],
 delete: [ mw.auth.access.write, mw.event.delete ],
 'changes/:since': {
-get: [ mw.event.changes ]
+get: [ mw.auth.access.read, mw.event.changes ]
 },
 // TODO Rename -/:sequence → sequence/:sequence
 '-/:sequence/': { // NOTE: We need to avoid conflict with the next endpoint ☹
-get: [ mw.event.sequence.get ],
+get: [ mw.auth.access.read, mw.event.sequence.get ],
 },
 ':id/': {
-get: [ mw.event.get ],
+get: [ mw.auth.access.read, mw.event.get ],
 put: [ mw.auth.access.write, mw.event.put ],
 patch: [ mw.auth.access.write, mw.event.patch ],
 delete: [mw.auth.access.write, mw.event.delete ]
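Review bot: `post: [ mw.auth.access.read, mw.linename.post ]` guards a POST with the read-level check; the trailing `// Get a linename` comment suggests the handler is a query that merely arrives as a POST body, but if `mw.linename.post` persists anything, a read-only user can now write through it — worth confirming against the handler, which is not visible here. The new `// Read access is sufficient for the next two endpoints` is positional and silently becomes wrong when a route is inserted between them; a trailing comment on each guarded line, e.g. `// read is enough: query only, no side effects`, stays attached to the line it describes. The `app.map({` literal enclosing this hunk starts and ends outside it.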
@@ -229,17 +232,17 @@ app.map({
 '/project/:project/qc': {
 '/results': {
 // Get all QC results for :project
-get: [ mw.etag.noSave, mw.qc.results.get ],
+get: [ mw.auth.access.read, mw.etag.noSave, mw.qc.results.get ],
 // Delete all QC results for :project
-delete: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.delete ],
+delete: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.delete ],
 '/accept': {
-post: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.accept ]
+post: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.accept ]
 },
 '/unaccept': {
-post: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.unaccept ]
+post: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.unaccept ]
 },
 '/sequence/:sequence': {
@@ -247,7 +250,7 @@ app.map({
 get: [ mw.etag.noSave, mw.qc.results.get ],
 // Delete QC results for :project, :sequence
-delete: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.delete ]
+delete: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.delete ]
 }
 }
 },
@@ -257,18 +260,18 @@ app.map({
 */
 '/project/:project/label/': {
-get: [ mw.label.list ],
+get: [ mw.auth.access.read, mw.label.list ],
 // post: [ mw.label.post ],
 },
 '/project/:project/configuration/:path(*)?': {
-get: [ mw.configuration.get ],
+get: [ mw.auth.access.read, mw.configuration.get ],
 // post: [ mw.auth.access.admin, mw.label.post ],
 },
 '/project/:project/info/:path(*)': {
-get: [ mw.info.get ],
-post: [ mw.auth.access.write, mw.info.post ],
-put: [ mw.auth.access.write, mw.info.put ],
-delete: [ mw.auth.access.write, mw.info.delete ]
+get: [ mw.auth.operations, mw.auth.access.read, mw.info.get ],
+post: [ mw.auth.operations, mw.auth.access.write, mw.info.post ],
+put: [ mw.auth.operations, mw.auth.access.write, mw.info.put ],
+delete: [ mw.auth.operations, mw.auth.access.write, mw.info.delete ]
 },
 '/project/:project/meta/': {
 put: [ mw.auth.access.write, mw.meta.put ],
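Review bot: `mw.auth.operations` on the four `'/project/:project/info/:path(*)'` routes is undocumented and appears on no other route in this diff, so a reader cannot tell whether it is an additional authorization gate that runs before the `access.read`/`access.write` checks or something that only annotates the request. A one-line comment above the route, e.g. `// mw.auth.operations: <what it grants or denies — fill in>`, would make the layered policy readable next to the routes it protects. The reordering in the qc hunks that moves `mw.auth.access.write` ahead of `mw.etag.noSave` is the right direction, since the permission check now precedes any caching behaviour. The `app.map({` literal enclosing these hunks starts and ends outside them.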
@@ -278,7 +281,7 @@ app.map({
 // GET:
 // `/raw/sequences/qc/missing_shots`,
 // `/final/points/qc/sync_warn/results
-get: [ mw.meta.get ],
+get: [ mw.auth.access.read, mw.meta.get ],
 // // PUT:
 // // `/raw/qc/missing_shots` ← { sequence: …, value: … }
 // put: [ mw.meta.put ]
@@ -296,7 +299,7 @@ app.map({
 '/files/?:path(*)': {
 get: [ mw.auth.access.write, mw.etag.noSave, mw.files.get ]
 },
-'/navdata/': {
+'/navdata/': { // TODO These endpoints should probably need read access auth
 get: [ mw.etag.noSave, mw.navdata.get ],
 'gis/:featuretype(line|point)': {
 get: [ mw.etag.noSave, mw.gis.navdata.get ]