From 774bde7c00cea9c2b88ac767c8ed9184b0faf7c0 Mon Sep 17 00:00:00 2001
From: "D. Berge" <dberge@aaltronav.eu>
Date: Sun, 6 Feb 2022 22:39:11 +0100
Subject: [PATCH] Reserve certain keys on info tables

---
 .../server/lib/db/info/check-permission.js    | 83 +++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 lib/www/server/lib/db/info/check-permission.js

diff --git a/lib/www/server/lib/db/info/check-permission.js b/lib/www/server/lib/db/info/check-permission.js
new file mode 100644
index 0000000..e8dd7aa
--- /dev/null
+++ b/lib/www/server/lib/db/info/check-permission.js
@@ -0,0 +1,83 @@
+/** Check permission to read or write certain keys.
+ *
+ * The global and survey `info` tables can be used to
+ * store and retrieve arbitrary data, but it is also
+ * used by the software, with some keys being reserved
+ * for specific purposes.
+ *
+ * This module lists those keys which are in some way
+ * reserved and reports on who should be allowed what
+ * type of access to them.
+ */
+
+
+/** Reserved keys.
+ *
+ * The structure of this dictionary is
+ * object.verb.subject = Boolean.
+ *
+ * The special value `_` is a wildcard
+ * denoting the default condition for
+ * a verb or a subject.
+ */
+const dictionary = {
+	version: {
+		// Database or schema version string.
+		// Everyone can read, nobody can alter.
+		get: { _: true  },
+		_  : { _: false }
+	},
+	config: {
+		// Configuration (site-wide or survey)
+		// Nobody except admin can access
+		_: { _: false, admin: true }
+	},
+	qc: {
+		// QC results (survey)
+		// Everyone can read, nobody can write
+		get: { _: true  },
+		_  : { _: false }
+	},
+	equipment: {
+		// Equipment info (site)
+		// Everyone can read, user + admin can alter
+		get: { _: true },
+		_  : { _: false, user: true, admin: true }
+	},
+	contact: {
+		// Contact details (basically an example entry)
+		// Everyone can read, admin can alter
+		get: { _: true },
+		_  : { _: false, admin: true },
+	}
+}
+
+/** Check if access is allowed to an info entry.
+ *
+ * @a key {String} is the object of the action.
+ * @a verb {String} is the action.
+ * @a role {String} is the subject of the action.
+ *
+ * @returns {Boolean} `true` is the action is allowed,
+ * `false` if it is not.
+ *
+ * By default, all actions are allowed on a key that's
+ * not listed in the dictionary. For a key that is listed,
+ * the result for a default action or subject is denoted
+ * by `_`, others are entered explicitly.
+ *
+ */
+function checkPermission (key, verb, role) {
+	const entry = dictionary[key]
+	if (entry) {
+		const action = entry[verb] ?? entry._
+		if (action) {
+			return action[role] ?? action._ ?? false;
+		}
+		return false;
+	}
+	return true;
+}
+
+
+module.exports = checkPermission;