wiki/server/libs/rights.js

'use strict'

/* global db */

const _ = require('lodash')

/**
 * Rights
 */
module.exports = {

  guest: {
    provider: 'local',
    email: 'guest',
    name: 'Guest',
    password: '',
    rights: [
      {
        role: 'read',
        path: '/',
        deny: false,
        exact: false
      }
    ]
  },

  /**
   * Initialize Rights module
   *
   * @return     {void}  Void
   */
  init () {
    let self = this

    db.onReady.then(() => {
      db.User.findOne({ provider: 'local', email: 'guest' }).then((u) => {
        if (u) {
          self.guest = u
        }
      })
    })
  },

  /**
   * Check user permissions for this request
   *
   * @param      {object}  req     The request object
   * @return     {object}  List of permissions for this request
   */
  check (req) {
    let self = this

    let perm = {
      read: false,
      write: false,
      manage: false
    }
    let rt = []
    let p = _.chain(req.originalUrl).toLower().trim().value()

    // Load user rights

    if (_.isArray(req.user.rights)) {
      rt = req.user.rights
    }

    // Check rights

    if (self.checkRole(p, rt, 'admin')) {
      perm.read = true
      perm.write = true
      perm.manage = true
    } else if (self.checkRole(p, rt, 'write')) {
      perm.read = true
      perm.write = true
    } else if (self.checkRole(p, rt, 'read')) {
      perm.read = true
    }

    return perm
  },

  /**
   * Check for a specific role based on list of user rights
   *
   * @param      {String}         p       Base path
   * @param      {array<object>}  rt      The user rights
   * @param      {string}         role    The minimum role required
   * @return     {boolean}        True if authorized
   */
  checkRole (p, rt, role) {
    if (_.find(rt, { role: 'admin' })) { return true }

    // Check specific role on path

    let filteredRights = _.filter(rt, (r) => {
      if (r.role === role || (r.role === 'write' && role === 'read')) {
        if ((!r.exact && _.startsWith(p, r.path)) || (r.exact && p === r.path)) {
          return true
        }
      }
      return false
    })

    // Check for deny scenario

    let isValid = false

    if (filteredRights.length > 1) {
      isValid = !_.chain(filteredRights).sortBy((r) => {
        return r.path.length + ((r.deny) ? 0.5 : 0)
      }).last().get('deny').value()
    } else if (filteredRights.length === 1 && filteredRights[0].deny === false) {
      isValid = true
    }

    // Deny by default

    return isValid
  }

}