restricted access to pad import and export

pull/85/merge
Peter 'Pita' Martischka 2011-08-15 22:20:37 +01:00
parent 48980f9e19
commit 317370da2c
1 changed files with 33 additions and 2 deletions

View File

@ -39,6 +39,7 @@ var importHandler;
var exporthtml;
var readOnlyManager;
var padManager;
var securityManager;
//try to get the git version
var version = "";
@ -78,12 +79,14 @@ async.waterfall([
importHandler = require('./handler/ImportHandler');
apiHandler = require('./handler/APIHandler');
padManager = require('./db/PadManager');
securityManager = require('./db/SecurityManager');
//install logging
var httpLogger = log4js.getLogger("http");
app.configure(function()
{
app.use(log4js.connectLogger(httpLogger, { level: log4js.levels.INFO, format: ':status, :method :url'}));
app.use(express.cookieParser());
});
//serve static files
@ -160,6 +163,26 @@ async.waterfall([
});
});
//checks for padAccess
function hasPadAccess(req, res, callback)
{
securityManager.checkAccess(req.params.pad, req.cookies.sessionid, req.cookies.token, req.cookies.password, function(err, accessObj)
{
if(err) throw err;
//there is access, continue
if(accessObj.accessStatus == "grant")
{
callback();
}
//no access
else
{
res.send("403 - Can't touch this", 403);
}
});
}
//serve pad.html under /p
app.get('/p/:pad', function(req, res, next)
{
@ -217,8 +240,12 @@ async.waterfall([
res.header("Access-Control-Allow-Origin", "*");
res.header("Server", serverName);
hasPadAccess(req, res, function()
{
exportHandler.doExport(req, res, req.params.pad, req.params.type);
});
});
//handle import requests
app.post('/p/:pad/import', function(req, res, next)
@ -238,8 +265,12 @@ async.waterfall([
}
res.header("Server", serverName);
hasPadAccess(req, res, function()
{
importHandler.doImport(req, res, req.params.pad);
});
});
var apiLogger = log4js.getLogger("API");