mirror of
https://github.com/Jermolene/TiddlyWiki5
synced 2025-01-25 00:16:52 +00:00
e873518d6f
* mws authentication * add more tests and permission checkers * add logic to ensure that only authenticated users' requests are handled * add custom login page * Implement user authentication as well as session handling * work on user operations authorization * add middleware to route handlers for bags & tiddlers routes * add feature that only returns the tiddlers and bags which the user has permission to access on index page * refactor auth routes & added user management page * fix Ci Test failure issue * fix users list page, add manage roles page * add commands and scripts to create new user & assign roles and permissions * resolved ci-test failure * add ACL permissions to bags & tiddlers on creation * fix comments and access control list bug * fix indentation issues * working on user profile edit * remove list users command & added support for database in server options * implement user profile update and password change feature * update plugin readme * implement command which triggers protected mode on the server * revert server-wide auth flag. Implement selective authorization * ACL management feature * Complete Access control list implementation * Added support to manage users' assigned role by admin * fix comments * fix comment * Add user profile management and account deletion functionality * add success and error message feedback for user profile operations * fix indentation issues * Add command to create admin user if none exists when the start command is executed * refactor annonymous user flow with create admin implementation * remove mws-add-user from start command * admin configuration for annonymous read-write opearations * fix comments * change get-anon handler to POST
81 lines
2.7 KiB
JavaScript
81 lines
2.7 KiB
JavaScript
/*\
|
|
title: $:/plugins/tiddlywiki/multiwikiserver/modules/routes/helpers/acl-middleware.js
|
|
type: application/javascript
|
|
module-type: library
|
|
|
|
Middleware to handle ACL permissions
|
|
|
|
\*/
|
|
|
|
(function () {
|
|
|
|
/*jslint node: true, browser: true */
|
|
/*global $tw: false */
|
|
"use strict";
|
|
|
|
/*
|
|
ACL Middleware factory function
|
|
*/
|
|
function redirectToLogin(response, returnUrl) {
|
|
if(!response.headersSent) {
|
|
var validReturnUrlRegex = /^\/(?!.*\.(ico|png|jpg|jpeg|gif|svg|css|js|woff|woff2|ttf|eot|json)$).*$/;
|
|
var sanitizedReturnUrl = '/'; // Default to home page
|
|
|
|
if(validReturnUrlRegex.test(returnUrl)) {
|
|
sanitizedReturnUrl = returnUrl;
|
|
response.setHeader('Set-Cookie', `returnUrl=${encodeURIComponent(sanitizedReturnUrl)}; HttpOnly; Secure; SameSite=Strict; Path=/`);
|
|
} else{
|
|
console.log(`Invalid return URL detected: ${returnUrl}. Redirecting to home page.`);
|
|
}
|
|
const loginUrl = '/login';
|
|
response.writeHead(302, {
|
|
'Location': loginUrl
|
|
});
|
|
response.end();
|
|
}
|
|
};
|
|
|
|
exports.middleware = function (request, response, state, entityType, permissionName) {
|
|
|
|
var server = state.server,
|
|
sqlTiddlerDatabase = server.sqlTiddlerDatabase,
|
|
entityName = state.data ? (state.data[entityType+"_name"] || state.params[0]) : state.params[0];
|
|
|
|
// First, replace '%3A' with ':' to handle TiddlyWiki's system tiddlers
|
|
var partiallyDecoded = entityName?.replace(/%3A/g, ":");
|
|
// Then use decodeURIComponent for the rest
|
|
var decodedEntityName = decodeURIComponent(partiallyDecoded);
|
|
var aclRecord = sqlTiddlerDatabase.getACLByName(entityType, decodedEntityName);
|
|
var isGetRequest = request.method === "GET";
|
|
var hasAnonymousAccess = isGetRequest ? state.allowAnonReads : state.allowAnonWrites;
|
|
// Get permission record
|
|
const permission = sqlTiddlerDatabase.getPermissionByName(permissionName);
|
|
// ACL Middleware will only apply if the entity has a middleware record
|
|
if(aclRecord && aclRecord?.permission_id === permission?.permission_id) {
|
|
// If not authenticated and anonymous access is not allowed, request authentication
|
|
if(!state.authenticatedUsername && !state.allowAnon) {
|
|
if(state.urlInfo.pathname !== '/login') {
|
|
redirectToLogin(response, request.url);
|
|
return;
|
|
}
|
|
}
|
|
// Check if user is authenticated
|
|
if(!state.authenticatedUser && !hasAnonymousAccess && !response.headersSent) {
|
|
response.writeHead(401, "Unauthorized");
|
|
response.end();
|
|
return;
|
|
}
|
|
|
|
// Check ACL permission
|
|
var hasPermission = request.method === "POST" || sqlTiddlerDatabase.checkACLPermission(state.authenticatedUser.user_id, entityType, decodedEntityName, permissionName)
|
|
if(!hasPermission && !hasAnonymousAccess) {
|
|
if(!response.headersSent) {
|
|
response.writeHead(403, "Forbidden");
|
|
response.end();
|
|
}
|
|
return;
|
|
}
|
|
}
|
|
};
|
|
|
|
})(); |