Aaltronav/dougal-software
1
0
Fork 0
mirror of https://gitlab.com/wgp/dougal/software.git synced 2025-12-06 08:27:08 +00:00
Code Issues Packages Projects Releases Activity

Use new orgs based method for authorisation

Browse Source
This commit is contained in:
D. Berge
2025-07-11 22:48:44 +02:00
parent d77f7f66db
commit ca4a14ffd9
1 changed files with 23 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
lib/www/server/api/middleware/auth/access.js
View File

@@ -1,77 +1,34 @@
const { projectOrganisations, orgAccess } = require('../../../lib/db/project/organisations');
async function read (req, res, next) {
if (req.user) {
next();
} else {
next({status: 403, message: "Access denied"});
}
}
async function write (req, res, next) {
if (req.user && (req.user.role == "user" || req.user.role == "admin")) {
next();
} else {
next({status: 403, message: "Access denied"});
}
}
async function admin (req, res, next) {
if (req.user && req.user.role == "admin") {
next();
} else {
next({status: 403, message: "Access denied"});
}
}
/** Return a middleware to check for arbitrary roles.
*
* Examples:
*
* req1 = {user: {role: "admin"}};
*
* role("admin")(req1) → true
* role("user")(req1) → false
* role(["user", "admin"])(req1) → true
* role("guest")(req1) → false
*
* req2 = {user: {role: ["admin", "user"]}}
*
* role("admin")(req2) → true
* role("user")(req2) → true
* role(["user", "admin"])(req2) → true
* role("guest")(req2) → false
*
* To check for role1 AND role2, use two middlewares:
*
* [role("role1"), role("role2")]
*
/** Second-order function.
* Returns a middleware that checks if the user has access to
* `operation` in the project identified by `req.params.project`
*/
async function role (required_role) {
const roles = Array.isArray(required_role)
? required_role
: [ required_role ];
function check (user_role) {
if (Array.isArray(user_role)) {
return user_role.some(check);
} else {
return roles.includes(user_role);
}
}
return (req, res, next) => {
if (req.user && check(req.user?.role)) {
next();
function operation (operation) {
return async function (req, res, next) {
if (req.user) {
if (req.params.project) {
if (await orgAccess(req.user.organisations, req.params.project, operation)) {
next();
return;
}
} else {
next();
return;
}
}
next({status: 403, message: "Access denied"});
};
}
}
const read = operation('read');
const write = operation('write');
const edit = operation('edit');
const admin = edit;
module.exports = {
read,
write,
edit,
admin,
role
};