From e873518d6f2553d9fdfc263b8f0dc2acae765c7c Mon Sep 17 00:00:00 2001
From: webplusai <smupyknight@outlook.com>
Date: Thu, 14 Nov 2024 18:47:25 +0100
Subject: [PATCH] Admin configuration for anonymous read-write operations
 (#8736)

* mws authentication

* add more tests and permission checkers

* add logic to ensure that only authenticated users' requests are handled

* add custom login page

* Implement user authentication as well as session handling

* work on user operations authorization

* add middleware to route handlers for bags & tiddlers routes

* add feature that only returns the tiddlers and bags which the user has permission to access on index page

* refactor auth routes & added user management page

* fix Ci Test failure issue

* fix users list page, add manage roles page

* add commands and scripts to create new user & assign roles and permissions

* resolved ci-test failure

* add ACL permissions to bags & tiddlers on creation

* fix comments and access control list bug

* fix indentation issues

* working on user profile edit

* remove list users command & added support for database in server options

* implement user profile update and password change feature

* update plugin readme

* implement command which triggers protected mode on the server

* revert server-wide auth flag. Implement selective authorization

* ACL management feature

* Complete Access control list implementation

* Added support to manage users' assigned role by admin

* fix comments

* fix comment

* Add user profile management and account deletion functionality

* add success and error message feedback for user profile operations

* fix indentation issues

* Add command to create admin user if none exists when the start command is executed

* refactor annonymous user flow with create admin implementation

* remove mws-add-user from start command

* admin configuration for annonymous read-write opearations

* fix comments

* change get-anon handler to POST
---
 .../MultiWikiServerAllowAnonymousReads.tid    |  4 ++
 .../MultiWikiServerAllowAnonymousWrites.tid   |  4 ++
 .../multiwikiserver/modules/mws-server.js     | 18 ++++-
 .../modules/routes/handlers/get-index.js      |  7 +-
 .../routes/handlers/post-anon-config.js       | 50 ++++++++++++++
 .../modules/routes/handlers/post-anon.js      | 48 ++++++++++++++
 .../modules/routes/helpers/acl-middleware.js  |  6 +-
 .../templates/anon-config-modal.tid           | 27 ++++++++
 .../multiwikiserver/templates/get-index.tid   | 66 +++++++++++++++++++
 .../multiwikiserver/templates/mws-header.tid  | 22 +++++++
 10 files changed, 246 insertions(+), 6 deletions(-)
 create mode 100644 plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousReads.tid
 create mode 100644 plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousWrites.tid
 create mode 100644 plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon-config.js
 create mode 100644 plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon.js
 create mode 100644 plugins/tiddlywiki/multiwikiserver/templates/anon-config-modal.tid

diff --git a/plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousReads.tid b/plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousReads.tid
new file mode 100644
index 000000000..447356619
--- /dev/null
+++ b/plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousReads.tid
@@ -0,0 +1,4 @@
+title: $:/config/MultiWikiServer/AllowAnonymousReads
+text: no
+description: Controls whether anonymous users can read wiki content
+type: text/plain
diff --git a/plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousWrites.tid b/plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousWrites.tid
new file mode 100644
index 000000000..e9f340e1f
--- /dev/null
+++ b/plugins/tiddlywiki/multiwikiserver/config/MultiWikiServerAllowAnonymousWrites.tid
@@ -0,0 +1,4 @@
+title: $:/config/MultiWikiServer/AllowAnonymousWrites
+text: no
+description: Controls whether anonymous users can write to the wiki
+type: text/plain
diff --git a/plugins/tiddlywiki/multiwikiserver/modules/mws-server.js b/plugins/tiddlywiki/multiwikiserver/modules/mws-server.js
index 144b65b8d..fd033b3d7 100644
--- a/plugins/tiddlywiki/multiwikiserver/modules/mws-server.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/mws-server.js
@@ -410,6 +410,18 @@ Server.prototype.requestAuthentication = function(response) {
 	}
 };
 
+// Check if the anonymous IO configuration is set to allow both reads and writes
+Server.prototype.getAnonymousAccessConfig = function() {
+	const allowReadsTiddler = this.wiki.getTiddlerText("$:/config/MultiWikiServer/AllowAnonymousReads", "undefined");
+	const allowWritesTiddler = this.wiki.getTiddlerText("$:/config/MultiWikiServer/AllowAnonymousWrites", "undefined");
+
+	return {
+		allowReads: allowReadsTiddler === "yes",
+		allowWrites: allowWritesTiddler === "yes",
+		isEnabled: allowReadsTiddler !== "undefined" && allowWritesTiddler !== "undefined"
+	};
+}
+
 
 Server.prototype.requestHandler = function(request,response,options) {
 	options = options || {};
@@ -440,7 +452,11 @@ Server.prototype.requestHandler = function(request,response,options) {
 	
 	// Check whether anonymous access is granted
 	state.allowAnon = false; //this.isAuthorized(state.authorizationType,null);
-
+	var {allowReads, allowWrites, isEnabled} = this.getAnonymousAccessConfig();
+	state.allowAnon = isEnabled;
+	state.allowAnonReads = allowReads;
+	state.allowAnonWrites = allowWrites;
+	state.showAnonConfig = !!state.authenticatedUser?.isAdmin && !state.allowAnon;
 	state.firstGuestUser = this.sqlTiddlerDatabase.listUsers().length === 0 && !state.authenticatedUser;
 
 	// Authorize with the authenticated username
diff --git a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js
index 63ee88708..32bdbc537 100644
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js
@@ -31,8 +31,8 @@ exports.handler = function(request,response,state) {
 			"Content-Type":  "text/html"
 		});
 		// filter bags and recipies by user's read access from ACL
-		var allowedRecipes = recipeList.filter(recipe => sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser?.user_id, recipe.recipe_name, 'READ'));
-    var allowedBags = bagList.filter(bag => sqlTiddlerDatabase.hasBagPermission(state.authenticatedUser?.user_id, bag.bag_name, 'READ'));
+		var allowedRecipes = recipeList.filter(recipe => sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser?.user_id, recipe.recipe_name, 'READ') || state.allowAnonReads);
+    var allowedBags = bagList.filter(bag => sqlTiddlerDatabase.hasBagPermission(state.authenticatedUser?.user_id, bag.bag_name, 'READ') || state.allowAnonReads);
 
 		// Render the html
 		var html = $tw.mws.store.adminWiki.renderTiddler("text/plain","$:/plugins/tiddlywiki/multiwikiserver/templates/page",{
@@ -43,7 +43,8 @@ exports.handler = function(request,response,state) {
 				"recipe-list": JSON.stringify(allowedRecipes),
 				"username": state.authenticatedUser ? state.authenticatedUser.username : state.firstGuestUser ? "Annonymous User" : "Guest",
 				"user-is-admin": state.authenticatedUser && state.authenticatedUser.isAdmin ? "yes" : "no",
-				"first-guest-user": state.firstGuestUser ? "yes" : "no"
+				"first-guest-user": state.firstGuestUser ? "yes" : "no",
+				"show-annon-config": state.showAnonConfig ? "yes" : "no",
 			}});
 		response.write(html);
 		response.end();
diff --git a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon-config.js b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon-config.js
new file mode 100644
index 000000000..c20806540
--- /dev/null
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon-config.js
@@ -0,0 +1,50 @@
+/*\
+title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/post-anon-config.js
+type: application/javascript
+module-type: mws-route
+
+POST /admin/post-anon-config
+
+\*/
+(function() {
+
+/*jslint node: true, browser: true */
+/*global $tw: false */
+"use strict";
+
+exports.method = "POST";
+
+exports.path = /^\/admin\/post-anon-config\/?$/;
+
+exports.bodyFormat = "www-form-urlencoded";
+
+exports.csrfDisable = true;
+
+exports.handler = function(request, response, state) {
+  // Check if user is authenticated and is admin
+  if(!state.authenticatedUser || !state.authenticatedUser.isAdmin) {
+    response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
+    response.end("Unauthorized");
+    return;
+  }
+
+  var allowReads = state.data.allowReads === "on";
+  var allowWrites = state.data.allowWrites === "on";
+
+  // Update the configuration tiddlers
+  var wiki = $tw.wiki;
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousReads",
+    text: allowReads ? "yes" : "no"
+  });
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousWrites",
+    text: allowWrites ? "yes" : "no"
+  });
+
+  // Redirect back to admin page
+  response.writeHead(302, {"Location": "/"});
+  response.end();
+};
+
+}()); 
\ No newline at end of file
diff --git a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon.js b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon.js
new file mode 100644
index 000000000..288a81bc7
--- /dev/null
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon.js
@@ -0,0 +1,48 @@
+/*\
+title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/post-anon.js
+type: application/javascript
+module-type: mws-route
+
+POST /admin/anon
+
+\*/
+(function() {
+
+/*jslint node: true, browser: true */
+/*global $tw: false */
+"use strict";
+
+exports.method = "POST";
+
+exports.path = /^\/admin\/anon\/?$/;
+
+exports.bodyFormat = "www-form-urlencoded";
+
+exports.csrfDisable = true;
+
+exports.handler = function(request, response, state) {
+  // Check if user is authenticated and is admin
+  if(!state.authenticatedUser || !state.authenticatedUser.isAdmin) {
+    response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
+    response.end("Unauthorized");
+    return;
+  }
+
+  
+  // Update the configuration tiddlers
+  var wiki = $tw.wiki;
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousReads",
+    text: "undefined"
+  });
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousWrites",
+    text: "undefined"
+  });
+
+  // Redirect back to admin page
+  response.writeHead(302, {"Location": "/"});
+  response.end();
+};
+
+}()); 
\ No newline at end of file
diff --git a/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js b/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
index 0ea93de00..cffefdf53 100644
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
@@ -46,6 +46,8 @@ exports.middleware = function (request, response, state, entityType, permissionN
 	// Then use decodeURIComponent for the rest
 	var decodedEntityName = decodeURIComponent(partiallyDecoded);
 	var aclRecord = sqlTiddlerDatabase.getACLByName(entityType, decodedEntityName);
+	var isGetRequest = request.method === "GET";
+	var hasAnonymousAccess = isGetRequest ? state.allowAnonReads : state.allowAnonWrites;
 	// Get permission record
 	const permission = sqlTiddlerDatabase.getPermissionByName(permissionName);
 	// ACL Middleware will only apply if the entity has a middleware record
@@ -58,7 +60,7 @@ exports.middleware = function (request, response, state, entityType, permissionN
 			}
 		}
 		// Check if user is authenticated
-		if(!state.authenticatedUser && !response.headersSent) {
+		if(!state.authenticatedUser && !hasAnonymousAccess && !response.headersSent) {
 			response.writeHead(401, "Unauthorized");
 			response.end();
 			return;
@@ -66,7 +68,7 @@ exports.middleware = function (request, response, state, entityType, permissionN
 
 		// Check ACL permission
 		var hasPermission = request.method === "POST" || sqlTiddlerDatabase.checkACLPermission(state.authenticatedUser.user_id, entityType, decodedEntityName, permissionName)
-		if(!hasPermission) {
+		if(!hasPermission && !hasAnonymousAccess) {
 			if(!response.headersSent) {
 				response.writeHead(403, "Forbidden");
 				response.end();
diff --git a/plugins/tiddlywiki/multiwikiserver/templates/anon-config-modal.tid b/plugins/tiddlywiki/multiwikiserver/templates/anon-config-modal.tid
new file mode 100644
index 000000000..23a6f54ff
--- /dev/null
+++ b/plugins/tiddlywiki/multiwikiserver/templates/anon-config-modal.tid
@@ -0,0 +1,27 @@
+title: $:/plugins/tiddlywiki/multiwikiserver/templates/anon-config-modal
+subtitle: Anonymous Access Configuration
+class: mws-modal
+
+<div class="mws-modal-container">
+	<div class="mws-modal-content">
+		<h1>Anonymous Access Configuration</h1>
+		<p>This configuration allows anonymous users to read and write to the wiki.</p>
+		<form class="mws-anon-config-form" method="POST" action="/admin/post-anon-config">
+			<div class="mws-modal-section">
+				<$set name="isChecked" value={{{ [[$:/config/MultiWikiServer/AllowAnonymousReads]get[text]] }}}>
+					<input type="checkbox" name="allowReads" checked=<<isChecked>>/> Allow anonymous reads
+				</$set>
+			</div>
+			<div class="mws-modal-section">
+				<$set name="isChecked" value={{{ [[$:/config/MultiWikiServer/AllowAnonymousWrites]get[text]] }}}>
+					<input type="checkbox" name="allowWrites" checked=<<isChecked>>/> Allow anonymous writes
+				</$set>
+			</div>
+			<div class="mws-modal-buttons">
+				<button type="submit" class="mws-modal-button-primary">
+				Save Changes
+				</button>
+			</div>
+		</form>
+	</div>
+</div>
\ No newline at end of file
diff --git a/plugins/tiddlywiki/multiwikiserver/templates/get-index.tid b/plugins/tiddlywiki/multiwikiserver/templates/get-index.tid
index 54bca73f6..761d6546f 100644
--- a/plugins/tiddlywiki/multiwikiserver/templates/get-index.tid
+++ b/plugins/tiddlywiki/multiwikiserver/templates/get-index.tid
@@ -41,6 +41,12 @@ title: $:/plugins/tiddlywiki/multiwikiserver/templates/get-index
 	</div>
 </$list>
 
+<$list filter="[<show-annon-config>match[yes]]">
+	<$tiddler tiddler="$:/plugins/tiddlywiki/multiwikiserver/templates/anon-config-modal">
+		<$transclude/>
+	</$tiddler>
+</$list>
+
 <ul class="mws-vertical-list">
 	<$list filter="[<recipe-list>jsonindexes[]] :sort[<currentTiddler>jsonget[recipe_name]]" variable="recipe-index">
 		<li>
@@ -284,4 +290,64 @@ title: $:/plugins/tiddlywiki/multiwikiserver/templates/get-index
 .mws-security-warning-button:hover {
 	background-color: #6d5204;
 }
+
+.mws-modal-container {
+	position: fixed;
+	top: 0;
+	left: 0;
+	width: 100%;
+	height: 100%;
+	background-color: rgba(0, 0, 0, 0.5);
+}
+
+.mws-modal-content {
+	background-color: #fefefe;
+	margin: 15% auto;
+	padding: 20px;
+	border: 1px solid #888;
+	width: 80%;
+	max-width: 500px;
+}
+
+.mws-config-button {
+	background-color: #4CAF50;
+	color: white;
+	padding: 8px 16px;
+	border: none;
+	border-radius: 4px;
+	cursor: pointer;
+	margin-bottom: 1rem;
+}
+
+.mws-config-button:hover {
+    background-color: #45a049;
+}
+
+.mws-modal-content {
+    padding: 20px;
+}
+
+.mws-modal-section {
+    margin-bottom: 15px;
+}
+
+.mws-modal-buttons {
+    display: flex;
+    gap: 10px;
+    justify-content: flex-end;
+    margin-top: 20px;
+}
+
+.mws-modal-button-primary {
+    background-color: #4CAF50;
+    color: white;
+    padding: 8px 16px;
+    border: none;
+    border-radius: 4px;
+    cursor: pointer;
+}
+
+.mws-modal-button-primary:hover {
+    background-color: #45a049;
+}
 </style>
diff --git a/plugins/tiddlywiki/multiwikiserver/templates/mws-header.tid b/plugins/tiddlywiki/multiwikiserver/templates/mws-header.tid
index 8b74d1b84..2d8e43f5e 100644
--- a/plugins/tiddlywiki/multiwikiserver/templates/mws-header.tid
+++ b/plugins/tiddlywiki/multiwikiserver/templates/mws-header.tid
@@ -10,6 +10,9 @@ title: $:/plugins/tiddlywiki/multiwikiserver/templates/mws-header
 				<div class="mws-admin-dropdown-content">
 					<a href="/admin/users">Manage Users</a>
 					<a href="/admin/roles">Manage Roles</a>
+					<form action="/admin/anon" method="post" class="mws-admin-form">
+						<input type="submit" value="Reconfigure Anonymous Access" class="mws-admin-form-button"/>
+					</form>
 				</div>
 			</div>
 		<% elseif [<username>!match[Guest]]+[<first-guest-user>match[no]] %>
@@ -104,4 +107,23 @@ title: $:/plugins/tiddlywiki/multiwikiserver/templates/mws-header
 	cursor: pointer;
 	padding: 5px 10px;
 }
+
+.mws-admin-form {
+	margin: 0;
+}
+
+.mws-admin-form-button {
+	width: 100%;
+	text-align: left;
+	padding: 12px 16px;
+	background: none;
+	border: none;
+	color: black;
+	cursor: pointer;
+	font-size: inherit;
+}
+
+.mws-admin-form-button:hover {
+	background-color: #ddd;
+}
 </style>
\ No newline at end of file