Enfore info key access restrictions on the API.

Obviously, those keys can be edited freely at the database
level. This is intended.

lib/www/server/api/middleware/info/delete.js

@@ -4,7 +4,7 @@ const { info } = require('../../../lib/db');
 module.exports = async function (req, res, next) {
 
 	try {
-		await info.delete(req.params.project, req.params.path);
+		await info.delete(req.params.project, req.params.path, undefined, req.user.role);
 		res.status(204).send();
 		next();
 	} catch (err) {

lib/www/server/api/middleware/info/get.js

@@ -4,7 +4,7 @@ const { info } = require('../../../lib/db');
 module.exports = async function (req, res, next) {
 
 	try {
-		res.status(200).json(await info.get(req.params.project, req.params.path, req.query));
+		res.status(200).json(await info.get(req.params.project, req.params.path, req.query, req.user.role));
 	} catch (err) {
 		if (err instanceof TypeError) {
 			res.status(404).json(null);

lib/www/server/api/middleware/info/post.js

@@ -6,7 +6,7 @@ module.exports = async function (req, res, next) {
 	try {
 		const payload = req.body;
 
-		await info.post(req.params.project, req.params.path, payload);
+		await info.post(req.params.project, req.params.path, payload, undefined, req.user.role);
 		res.status(201).send();
 		next();
 	} catch (err) {

lib/www/server/api/middleware/info/put.js

@@ -6,7 +6,7 @@ module.exports = async function (req, res, next) {
 	try {
 		const payload = req.body;
 
-		await info.put(req.params.project, req.params.path, payload);
+		await info.put(req.params.project, req.params.path, payload, undefined, req.user.role);
 		res.status(201).send();
 		next();
 	} catch (err) {

lib/www/server/lib/db/info/delete.js

@@ -1,9 +1,15 @@
 const { setSurvey, transaction } = require('../connection');
+const checkPermission = require('./check-permission');
 
-async function del (projectId, path, opts = {}) {
+async function del (projectId, path, opts = {}, role) {
 	const client = await setSurvey(projectId);
 	const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
 
+	if (!checkPermission(key, "delete", role)) {
+		throw {status: 403, message: "Forbidden"};
+		return;
+	}
+
 	try {
 		const text = jsonpath.length
 			? `

lib/www/server/lib/db/info/get.js

@@ -1,9 +1,15 @@
 const { setSurvey } = require('../connection');
+const checkPermission = require('./check-permission');
 
-async function get (projectId, path, opts = {}) {
+async function get (projectId, path, opts = {}, role) {
 	const client = await setSurvey(projectId);
 	const [key, ...subkey] = path.split("/").filter(i => i.trim().length);
 
+	if (!checkPermission(key, "get", role)) {
+		throw {status: 403, message: "Forbidden"};
+		return;
+	}
+
 	const text = `
 		SELECT value
 		FROM info

lib/www/server/lib/db/info/post.js

@@ -1,9 +1,15 @@
 const { setSurvey, transaction } = require('../connection');
+const checkPermission = require('./check-permission');
 
-async function post (projectId, path, payload, opts = {}) {
+async function post (projectId, path, payload, opts = {}, role) {
 	const client = await setSurvey(projectId);
 	const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
 
+	if (!checkPermission(key, "post", role)) {
+		throw {status: 403, message: "Forbidden"};
+		return;
+	}
+
 	try {
 		const text = jsonpath.length
 			? `

lib/www/server/lib/db/info/put.js

@@ -1,9 +1,15 @@
 const { setSurvey, transaction } = require('../connection');
+const checkPermission = require('./check-permission');
 
-async function put (projectId, path, payload, opts = {}) {
+async function put (projectId, path, payload, opts = {}, role) {
 	const client = await setSurvey(projectId);
 	const [key, ...jsonpath] = (path||"").split("/").filter(i => i.length);
 
+	if (!checkPermission(key, "put", role)) {
+		throw {status: 403, message: "Forbidden"};
+		return;
+	}
+
 	try {
 		const text = jsonpath.length
 			? `