fix: check grants in completion ctrl, user ctrl

ssube · Jan 1, 2019 · 9bf0c54 · 9bf0c54
1 parent c53a8f4
commit 9bf0c54
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 3 deletions.
diff --git a/docs/controller/account-controller.yml b/docs/controller/account-controller.yml
@@ -3,6 +3,7 @@ metadata:
   name: default-account
 data:
   join:
+    allow: true
     grants:
       - grant:*
       - join:create

diff --git a/src/controller/CompletionController.ts b/src/controller/CompletionController.ts
@@ -2,7 +2,7 @@ import { isNil } from 'lodash';
 import { Inject } from 'noicejs';
 import { Connection, Repository } from 'typeorm';
 
-import { BaseController } from 'src/controller/BaseController';
+import { BaseController, ErrorReplyType } from 'src/controller/BaseController';
 import { Controller, ControllerData, ControllerOptions } from 'src/controller/Controller';
 import { Command, CommandVerb } from 'src/entity/Command';
 import { Context } from 'src/entity/Context';
@@ -22,6 +22,9 @@ export interface CompletionControllerData extends ControllerData {
 
 export type CompletionControllerOptions = ControllerOptions<CompletionControllerData>;
 
+const MSG_ERROR_SESSION = 'session required';
+const MSG_ERROR_PERMISSION = 'permission denied';
+
 @Inject('storage')
 export class CompletionController extends BaseController<CompletionControllerData> implements Controller {
   protected readonly storage: Connection;
@@ -65,7 +68,11 @@ export class CompletionController extends BaseController<CompletionControllerDat
 
   public async createFragment(cmd: Command): Promise<void> {
     if (!cmd.context.user) {
-      return this.reply(cmd.context, 'must be logged in');
+      return this.reply(cmd.context, MSG_ERROR_SESSION);
+    }
+
+    if (!this.checkGrants(cmd.context, 'fragment:create')) {
+      return this.reply(cmd.context, MSG_ERROR_PERMISSION);
     }
 
     const key = cmd.getHead('key');
@@ -90,6 +97,14 @@ export class CompletionController extends BaseController<CompletionControllerDat
   }
 
   public async updateFragment(cmd: Command): Promise<void> {
+    if (!cmd.context.user) {
+      return this.errorReply(cmd.context, ErrorReplyType.SessionMissing);
+    }
+
+    if (!this.checkGrants(cmd.context, 'fragment:update')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const id = cmd.getHead('id');
     this.logger.debug({ id }, 'getting fragment to complete');
 

diff --git a/src/controller/UserController.ts b/src/controller/UserController.ts
@@ -1,7 +1,7 @@
 import { Inject } from 'noicejs';
 import { Connection, In, Repository } from 'typeorm';
 
-import { BaseController } from 'src/controller/BaseController';
+import { BaseController, ErrorReplyType } from 'src/controller/BaseController';
 import { Controller, ControllerData, ControllerOptions } from 'src/controller/Controller';
 import { Role } from 'src/entity/auth/Role';
 import { User } from 'src/entity/auth/User';
@@ -66,6 +66,10 @@ export class UserController extends BaseController<UserControllerData> implement
   }
 
   public async createRole(cmd: Command): Promise<void> {
+    if (!this.checkGrants(cmd.context, 'role:create')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const name = cmd.getHead('name');
     const grants = cmd.get('grants');
     const role = await this.roleRepository.insert({
@@ -76,6 +80,10 @@ export class UserController extends BaseController<UserControllerData> implement
   }
 
   public async getRole(cmd: Command): Promise<void> {
+    if (!this.checkGrants(cmd.context, 'role:get')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const name = cmd.get('name');
     const role = await this.roleRepository.findOne({
       where: {
@@ -90,12 +98,20 @@ export class UserController extends BaseController<UserControllerData> implement
   }
 
   public async listRoles(cmd: Command): Promise<void> {
+    if (!this.checkGrants(cmd.context, 'role:list')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const roles = await this.roleRepository.createQueryBuilder('role').getMany();
     const roleText = roles.map((r) => r.toString()).join('\n');
     return this.reply(cmd.context, roleText);
   }
 
   public async createUser(cmd: Command): Promise<void> {
+    if (!this.checkGrants(cmd.context, 'user:create')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const name = cmd.getHeadOrDefault('name', cmd.context.name);
     const roleNames = cmd.getOrDefault('roles', []);
     this.logger.debug({ name, roles: roleNames }, 'creating user');
@@ -117,6 +133,10 @@ export class UserController extends BaseController<UserControllerData> implement
   }
 
   public async getUser(cmd: Command): Promise<void> {
+    if (!this.checkGrants(cmd.context, 'user:get')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const name = cmd.getHead('name');
     const user = await this.userRepository.findOneOrFail({
       where: {
@@ -128,9 +148,14 @@ export class UserController extends BaseController<UserControllerData> implement
   }
 
   public async updateUser(cmd: Command): Promise<void> {
+    if (!this.checkGrants(cmd.context, 'user:update')) {
+      return this.errorReply(cmd.context, ErrorReplyType.GrantMissing);
+    }
+
     const name = cmd.getHeadOrDefault('name', cmd.context.name);
     const roleNames = cmd.getOrDefault('roles', []);
     this.logger.debug({ name, roles: roleNames }, 'updating user');
+
     const user = await this.userRepository.findOneOrFail({
       where: {
         name,
@@ -142,6 +167,7 @@ export class UserController extends BaseController<UserControllerData> implement
       },
     });
     user.roles = roles;
+
     const updatedUser = await this.userRepository.save(user);
     return this.reply(cmd.context, updatedUser.toString());
   }