mirror of
https://github.com/Jermolene/TiddlyWiki5
synced 2025-01-24 16:06:58 +00:00
316bd65296
* mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality * add success and error message feedback for user profile operations * fix indentation issues * Add command to create admin user if none exists when the start command is executed * refactor annonymous user flow with create admin implementation * remove mws-add-user from start command
63 lines
1.8 KiB
JavaScript
63 lines
1.8 KiB
JavaScript
/*\
|
|
title: $:/plugins/tiddlywiki/multiwikiserver/routes/handlers/post-acl.js
|
|
type: application/javascript
|
|
module-type: mws-route
|
|
|
|
POST /admin/post-acl
|
|
|
|
\*/
|
|
(function () {
|
|
|
|
/*jslint node: true, browser: true */
|
|
/*global $tw: false */
|
|
"use strict";
|
|
|
|
exports.method = "POST";
|
|
|
|
exports.path = /^\/admin\/post-acl\/?$/;
|
|
|
|
exports.bodyFormat = "www-form-urlencoded";
|
|
|
|
exports.csrfDisable = true;
|
|
|
|
exports.handler = function (request, response, state) {
|
|
var sqlTiddlerDatabase = state.server.sqlTiddlerDatabase;
|
|
var entity_type = state.data.entity_type;
|
|
var recipe_name = state.data.recipe_name;
|
|
var bag_name = state.data.bag_name;
|
|
var role_id = state.data.role_id;
|
|
var permission_id = state.data.permission_id;
|
|
var isRecipe = entity_type === "recipe"
|
|
|
|
var entityAclRecords = sqlTiddlerDatabase.getACLByName(entity_type, isRecipe ? recipe_name : bag_name, true);
|
|
|
|
var aclExists = entityAclRecords.some((record) => (
|
|
record.role_id == role_id && record.permission_id == permission_id
|
|
))
|
|
|
|
// This ensures that the user attempting to modify the ACL has permission to do so
|
|
// if(!state.authenticatedUser || (entityAclRecords.length > 0 && !sqlTiddlerDatabase[isRecipe ? 'hasRecipePermission' : 'hasBagPermission'](state.authenticatedUser.user_id, isRecipe ? recipe_name : bag_name, 'WRITE'))){
|
|
// response.writeHead(403, "Forbidden");
|
|
// response.end();
|
|
// return
|
|
// }
|
|
|
|
if (aclExists) {
|
|
// do nothing, return the user back to the form
|
|
response.writeHead(302, { "Location": "/admin/acl/" + recipe_name + "/" + bag_name });
|
|
response.end();
|
|
return
|
|
}
|
|
|
|
sqlTiddlerDatabase.createACL(
|
|
isRecipe ? recipe_name : bag_name,
|
|
entity_type,
|
|
role_id,
|
|
permission_id
|
|
)
|
|
|
|
response.writeHead(302, { "Location": "/admin/acl/" + recipe_name + "/" + bag_name });
|
|
response.end();
|
|
};
|
|
|
|
}()); |