Update API to handle permissions checks on most endpoints

2025-12-06 11:37:08 +00:00 · 2025-07-24 19:24:40 +02:00
parent e47020a21e
commit 386fd59900
1 changed files with 42 additions and 39 deletions
--- a/lib/www/server/api/index.js
+++ b/lib/www/server/api/index.js
@@ -94,8 +94,8 @@ app.map({
 // WARNING Every route from here onwards requires authentication!
 //
 app.use(mw.auth.authentify);
-// Read access required for anything below here
+// Users must be authenticated to access anything below here
-app.use(mw.auth.access.read);
+app.use(mw.auth.access.user);
 // Don't process the request if the data hasn't changed
 app.use(mw.etag.ifNoneMatch);
@@ -108,15 +108,15 @@ app.map({
 	},
 	'/project/:project': {
 		get: [ mw.project.summary.get ],      // Get project data
-		delete: [ mw.auth.access.admin, mw.project.delete ], // Delete a project (only if empty)
+		delete: [ mw.auth.access.edit, mw.project.delete ], // Delete a project (only if empty)
 	},
 	'/project/:project/summary': {
-		get: [ mw.project.summary.get ],
+		get: [ mw.auth.access.read, mw.project.summary.get ],
 	},
 	'/project/:project/configuration': {
 		get: [ mw.project.configuration.get ],	// Get project configuration
-		patch: [ mw.auth.access.admin, mw.project.configuration.patch ],	// Modify project configuration
+		patch: [ mw.auth.access.edit, mw.project.configuration.patch ],	// Modify project configuration
-		put: [ mw.auth.access.admin, mw.project.configuration.put ],	// Overwrite configuration
+		put: [ mw.auth.access.edit, mw.project.configuration.put ],	// Overwrite configuration
 	},
 	/*
@@ -124,25 +124,25 @@ app.map({
 	 */
 	'/project/:project/gis': {
-		get: [ mw.etag.noSave, mw.gis.project.bbox ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.bbox ]
 	},
 	'/project/:project/gis/preplot': {
-		get: [ mw.etag.noSave, mw.gis.project.preplot ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.preplot ]
 	},
 	'/project/:project/gis/preplot/:featuretype(line|point)': {
-		get: [ mw.etag.noSave, mw.gis.project.preplot ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.preplot ]
 	},
 	'/project/:project/gis/raw/:featuretype(line|point)': {
-		get: [ mw.etag.noSave, mw.gis.project.raw ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.raw ]
 	},
 	'/project/:project/gis/final/:featuretype(line|point)': {
-		get: [ mw.etag.noSave, mw.gis.project.final ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.final ]
 	},
 	'/project/:project/gis/layer': {
-		get: [ mw.etag.noSave, mw.gis.project.layer.get ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.layer.get ]
 	},
 	'/project/:project/gis/layer/:name': {
-		get: [ mw.etag.noSave, mw.gis.project.layer.get ]
+		get: [ mw.auth.access.read, mw.etag.noSave, mw.gis.project.layer.get ]
 	},
 	/*
@@ -150,10 +150,10 @@ app.map({
 	 */
 	'/project/:project/line/': {
-		get: [ mw.line.list ],
+		get: [ mw.auth.access.read, mw.line.list ],
 	},
 	'/project/:project/line/:line': {
-// 		get: [ mw.line.get ],
+// 		get: [ mw.auth.access.read, mw.line.get ],
 		patch: [ mw.auth.access.write, mw.line.patch ],
 	},
@@ -162,13 +162,13 @@ app.map({
 	 */
 	'/project/:project/sequence/': {
-		get: [ mw.sequence.list ],
+		get: [ mw.auth.access.read, mw.sequence.list ],
 	},
 	'/project/:project/sequence/:sequence': {
-		get: [ mw.sequence.get ],
+		get: [ mw.auth.access.read, mw.sequence.get ],
 		patch: [ mw.auth.access.write, mw.sequence.patch ],
 		'/:point': {
-			get: [ mw.sequence.point.get ]
+			get: [ mw.auth.access.read, mw.sequence.point.get ]
 		}
 	},
@@ -177,25 +177,28 @@ app.map({
 	 */
 	'/project/:project/plan/': {
-		get: [ mw.plan.list ],
+		get: [ mw.auth.access.read, mw.plan.list ],
 		put: [ mw.auth.access.write, mw.plan.put ],
 		post: [ mw.auth.access.write, mw.plan.post ]
 	},
 	'/project/:project/plan/:sequence': {
-// 		get: [ mw.plan.get ],
+// 		get: [ mw.auth.access.read, mw.plan.get ],
 		patch: [ mw.auth.access.write, mw.plan.patch ],
 		delete: [ mw.auth.access.write, mw.plan.delete ]
 	},
 	/*
 	 * Line name endpoints
 	 *
 	 */
 	// Read access is sufficient for the next two endpoints
 	'/project/:project/linename': {
-		post: [ mw.linename.post ], // Get a linename
+		post: [ mw.auth.access.read, mw.linename.post ], // Get a linename
 	},
 	'/project/:project/linename/properties': {
-		get: [ mw.linename.properties.get ], // Get linename properties
+		get: [ mw.auth.access.read, mw.linename.properties.get ], // Get linename properties
 	},
 	/*
@@ -203,19 +206,19 @@ app.map({
 	 */
 	'/project/:project/event/': {
-		get: [ mw.event.list ],
+		get: [ mw.auth.access.read, mw.event.list ],
 		post: [ mw.auth.access.write, mw.event.post ],
 		put: [ mw.auth.access.write, mw.event.put ],
 		delete: [ mw.auth.access.write, mw.event.delete ],
 		'changes/:since': {
-			get: [ mw.event.changes ]
+			get: [ mw.auth.access.read, mw.event.changes ]
 		},
 		// TODO Rename -/:sequence → sequence/:sequence
 		'-/:sequence/': { // NOTE: We need to avoid conflict with the next endpoint ☹
-			get: [ mw.event.sequence.get ],
+			get: [ mw.auth.access.read, mw.event.sequence.get ],
 		},
 		':id/': {
-			get: [ mw.event.get ],
+			get: [ mw.auth.access.read, mw.event.get ],
 			put: [ mw.auth.access.write, mw.event.put ],
 			patch: [ mw.auth.access.write, mw.event.patch ],
 			delete: [mw.auth.access.write,  mw.event.delete ]
@@ -229,17 +232,17 @@ app.map({
 	'/project/:project/qc': {
 		'/results': {
 			// Get all QC results for :project
-			get: [ mw.etag.noSave, mw.qc.results.get ],
+			get: [ mw.auth.access.read, mw.etag.noSave, mw.qc.results.get ],
 			// Delete all QC results for :project
-			delete: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.delete ],
+			delete: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.delete ],
 			'/accept': {
-				post: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.accept ]
+				post: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.accept ]
 			},
 			'/unaccept': {
-				post: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.unaccept ]
+				post: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.unaccept ]
 			},
 			'/sequence/:sequence': {
@@ -247,7 +250,7 @@ app.map({
 				get: [ mw.etag.noSave, mw.qc.results.get ],
 				// Delete QC results for :project, :sequence
-				delete: [ mw.etag.noSave, mw.auth.access.write, mw.qc.results.delete ]
+				delete: [ mw.auth.access.write, mw.etag.noSave, mw.qc.results.delete ]
 			}
 		}
 	},
@@ -257,18 +260,18 @@ app.map({
 	 */
 	'/project/:project/label/': {
-		get: [ mw.label.list ],
+		get: [ mw.auth.access.read, mw.label.list ],
 // 		post: [ mw.label.post ],
 	},
 	'/project/:project/configuration/:path(*)?': {
-		get: [ mw.configuration.get ],
+		get: [ mw.auth.access.read, mw.configuration.get ],
 // 		post: [ mw.auth.access.admin, mw.label.post ],
 	},
 	'/project/:project/info/:path(*)': {
-		get: [ mw.info.get ],
+		get: [ mw.auth.operations, mw.auth.access.read, mw.info.get ],
-		post: [ mw.auth.access.write, mw.info.post ],
+		post: [ mw.auth.operations, mw.auth.access.write, mw.info.post ],
-		put: [ mw.auth.access.write, mw.info.put ],
+		put: [ mw.auth.operations, mw.auth.access.write, mw.info.put ],
-		delete: [ mw.auth.access.write, mw.info.delete ]
+		delete: [ mw.auth.operations, mw.auth.access.write, mw.info.delete ]
 	},
 	'/project/:project/meta/': {
 		put: [ mw.auth.access.write, mw.meta.put ],
@@ -278,7 +281,7 @@ app.map({
 		// GET:
 		// `/raw/sequences/qc/missing_shots`,
 		// `/final/points/qc/sync_warn/results
-		get: [ mw.meta.get ],
+		get: [ mw.auth.access.read, mw.meta.get ],
 // 		// PUT:
 // 		// `/raw/qc/missing_shots` ← { sequence: …, value: … }
 // 		put: [ mw.meta.put ]
@@ -296,7 +299,7 @@ app.map({
 	'/files/?:path(*)': {
 		get: [ mw.auth.access.write, mw.etag.noSave, mw.files.get ]
 	},
-	'/navdata/': {
+	'/navdata/': { // TODO These endpoints should probably need read access auth
 		get: [ mw.etag.noSave, mw.navdata.get ],
 		'gis/:featuretype(line|point)': {
 			get: [ mw.etag.noSave, mw.gis.navdata.get ]