Admin configuration for anonymous read-write operations (#8736)

* mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality * add success and error message feedback for user profile operations * fix indentation issues * Add command to create admin user if none exists when the start command is executed * refactor annonymous user flow with create admin implementation * remove mws-add-user from start command * admin configuration for annonymous read-write opearations * fix comments * change get-anon handler to POST
2025-10-26 13:17:38 +00:00 · 2024-11-14 18:47:25 +01:00
parent 316bd65296
commit e873518d6f
10 changed files with 246 additions and 6 deletions
--- a/plugins/tiddlywiki/multiwikiserver/modules/mws-server.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/mws-server.js
@@ -410,6 +410,18 @@ Server.prototype.requestAuthentication = function(response) {
 	}
 };

+// Check if the anonymous IO configuration is set to allow both reads and writes
+Server.prototype.getAnonymousAccessConfig = function() {
+	const allowReadsTiddler = this.wiki.getTiddlerText("$:/config/MultiWikiServer/AllowAnonymousReads", "undefined");
+	const allowWritesTiddler = this.wiki.getTiddlerText("$:/config/MultiWikiServer/AllowAnonymousWrites", "undefined");
+
+	return {
+		allowReads: allowReadsTiddler === "yes",
+		allowWrites: allowWritesTiddler === "yes",
+		isEnabled: allowReadsTiddler !== "undefined" && allowWritesTiddler !== "undefined"
+	};
+}
+

 Server.prototype.requestHandler = function(request,response,options) {
 	options = options || {};
@@ -440,7 +452,11 @@ Server.prototype.requestHandler = function(request,response,options) {
 	
 	// Check whether anonymous access is granted
 	state.allowAnon = false; //this.isAuthorized(state.authorizationType,null);
-
+	var {allowReads, allowWrites, isEnabled} = this.getAnonymousAccessConfig();
+	state.allowAnon = isEnabled;
+	state.allowAnonReads = allowReads;
+	state.allowAnonWrites = allowWrites;
+	state.showAnonConfig = !!state.authenticatedUser?.isAdmin && !state.allowAnon;
 	state.firstGuestUser = this.sqlTiddlerDatabase.listUsers().length === 0 && !state.authenticatedUser;

 	// Authorize with the authenticated username
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/get-index.js
@@ -31,8 +31,8 @@ exports.handler = function(request,response,state) {
 			"Content-Type":  "text/html"
 		});
 		// filter bags and recipies by user's read access from ACL
-		var allowedRecipes = recipeList.filter(recipe => sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser?.user_id, recipe.recipe_name, 'READ'));
-    var allowedBags = bagList.filter(bag => sqlTiddlerDatabase.hasBagPermission(state.authenticatedUser?.user_id, bag.bag_name, 'READ'));
+		var allowedRecipes = recipeList.filter(recipe => sqlTiddlerDatabase.hasRecipePermission(state.authenticatedUser?.user_id, recipe.recipe_name, 'READ') || state.allowAnonReads);
+    var allowedBags = bagList.filter(bag => sqlTiddlerDatabase.hasBagPermission(state.authenticatedUser?.user_id, bag.bag_name, 'READ') || state.allowAnonReads);

 		// Render the html
 		var html = $tw.mws.store.adminWiki.renderTiddler("text/plain","$:/plugins/tiddlywiki/multiwikiserver/templates/page",{
@@ -43,7 +43,8 @@ exports.handler = function(request,response,state) {
 				"recipe-list": JSON.stringify(allowedRecipes),
 				"username": state.authenticatedUser ? state.authenticatedUser.username : state.firstGuestUser ? "Annonymous User" : "Guest",
 				"user-is-admin": state.authenticatedUser && state.authenticatedUser.isAdmin ? "yes" : "no",
-				"first-guest-user": state.firstGuestUser ? "yes" : "no"
+				"first-guest-user": state.firstGuestUser ? "yes" : "no",
+				"show-annon-config": state.showAnonConfig ? "yes" : "no",
 			}});
 		response.write(html);
 		response.end();
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon-config.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon-config.js
@@ -0,0 +1,50 @@
+/*\
+title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/post-anon-config.js
+type: application/javascript
+module-type: mws-route
+
+POST /admin/post-anon-config
+
+\*/
+(function() {
+
+/*jslint node: true, browser: true */
+/*global $tw: false */
+"use strict";
+
+exports.method = "POST";
+
+exports.path = /^\/admin\/post-anon-config\/?$/;
+
+exports.bodyFormat = "www-form-urlencoded";
+
+exports.csrfDisable = true;
+
+exports.handler = function(request, response, state) {
+  // Check if user is authenticated and is admin
+  if(!state.authenticatedUser || !state.authenticatedUser.isAdmin) {
+    response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
+    response.end("Unauthorized");
+    return;
+  }
+
+  var allowReads = state.data.allowReads === "on";
+  var allowWrites = state.data.allowWrites === "on";
+
+  // Update the configuration tiddlers
+  var wiki = $tw.wiki;
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousReads",
+    text: allowReads ? "yes" : "no"
+  });
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousWrites",
+    text: allowWrites ? "yes" : "no"
+  });
+
+  // Redirect back to admin page
+  response.writeHead(302, {"Location": "/"});
+  response.end();
+};
+
+}()); 
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/handlers/post-anon.js
@@ -0,0 +1,48 @@
+/*\
+title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/post-anon.js
+type: application/javascript
+module-type: mws-route
+
+POST /admin/anon
+
+\*/
+(function() {
+
+/*jslint node: true, browser: true */
+/*global $tw: false */
+"use strict";
+
+exports.method = "POST";
+
+exports.path = /^\/admin\/anon\/?$/;
+
+exports.bodyFormat = "www-form-urlencoded";
+
+exports.csrfDisable = true;
+
+exports.handler = function(request, response, state) {
+  // Check if user is authenticated and is admin
+  if(!state.authenticatedUser || !state.authenticatedUser.isAdmin) {
+    response.writeHead(401, "Unauthorized", { "Content-Type": "text/plain" });
+    response.end("Unauthorized");
+    return;
+  }
+
+  
+  // Update the configuration tiddlers
+  var wiki = $tw.wiki;
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousReads",
+    text: "undefined"
+  });
+  wiki.addTiddler({
+    title: "$:/config/MultiWikiServer/AllowAnonymousWrites",
+    text: "undefined"
+  });
+
+  // Redirect back to admin page
+  response.writeHead(302, {"Location": "/"});
+  response.end();
+};
+
+}()); 
--- a/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
+++ b/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
@@ -46,6 +46,8 @@ exports.middleware = function (request, response, state, entityType, permissionN
 	// Then use decodeURIComponent for the rest
 	var decodedEntityName = decodeURIComponent(partiallyDecoded);
 	var aclRecord = sqlTiddlerDatabase.getACLByName(entityType, decodedEntityName);
+	var isGetRequest = request.method === "GET";
+	var hasAnonymousAccess = isGetRequest ? state.allowAnonReads : state.allowAnonWrites;
 	// Get permission record
 	const permission = sqlTiddlerDatabase.getPermissionByName(permissionName);
 	// ACL Middleware will only apply if the entity has a middleware record
@@ -58,7 +60,7 @@ exports.middleware = function (request, response, state, entityType, permissionN
 			}
 		}
 		// Check if user is authenticated
-		if(!state.authenticatedUser && !response.headersSent) {
+		if(!state.authenticatedUser && !hasAnonymousAccess && !response.headersSent) {
 			response.writeHead(401, "Unauthorized");
 			response.end();
 			return;
@@ -66,7 +68,7 @@ exports.middleware = function (request, response, state, entityType, permissionN

 		// Check ACL permission
 		var hasPermission = request.method === "POST" || sqlTiddlerDatabase.checkACLPermission(state.authenticatedUser.user_id, entityType, decodedEntityName, permissionName)
-		if(!hasPermission) {
+		if(!hasPermission && !hasAnonymousAccess) {
 			if(!response.headersSent) {
 				response.writeHead(403, "Forbidden");
 				response.end();