Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make DELETE require write permissions on container #1014

Merged
merged 3 commits into from
Dec 10, 2018
Merged

Make DELETE require write permissions on container #1014

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
84dbff3
Make DELETE require write permissions on container
rubensworks Dec 6, 2018
22de319
Make logic for testing delete permissions less confusing
rubensworks Dec 7, 2018
8e90a7d
Improving variable naming in allow handler
rubensworks Dec 10, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 12 additions & 6 deletions lib/handlers/allow.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,14 @@
module.exports = allow

const $rdf = require('rdflib')
const path = require('path')
const ACL = require('../acl-checker')
const debug = require('../debug.js').ACL
const fs = require('fs')
const { promisify } = require('util')
const HTTPError = require('../http-error')

function allow (mode) {
function allow (mode, checkPermissionsForDirectory) {
return async function allowHandler (req, res, next) {
const ldp = req.app.locals.ldp || {}
if (!ldp.webid) {
Expand All @@ -19,26 +20,31 @@ function allow (mode) {

// Determine the actual path of the request
// (This is used as an ugly hack to check the ACL status of other resources.)
let reqPath = res && res.locals && res.locals.path
let resourcePath = res && res.locals && res.locals.path
? res.locals.path
: req.path

// Check permissions of the directory instead of the file itself.
if (checkPermissionsForDirectory) {
resourcePath = path.dirname(resourcePath)
}

// Check whether the resource exists
let stat
try {
const ret = await ldp.exists(req.hostname, reqPath)
const ret = await ldp.exists(req.hostname, resourcePath)
stat = ret.stream
} catch (err) {
stat = null
}

// Ensure directories always end in a slash
if (!reqPath.endsWith('/') && stat && stat.isDirectory()) {
reqPath += '/'
if (!resourcePath.endsWith('/') && stat && stat.isDirectory()) {
resourcePath += '/'
}

// Obtain and store the ACL of the requested resource
req.acl = new ACL(rootUrl + reqPath, {
req.acl = new ACL(rootUrl + resourcePath, {
agentOrigin: req.get('origin'),
// host: req.get('host'),
fetch: fetchFromLdp(ldp.resourceMapper),
Expand Down
2 changes: 1 addition & 1 deletion lib/ldp-middleware.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ function LdpMiddleware (corsSettings) {
router.post('/*', allow('Append'), post)
router.patch('/*', allow('Append'), patch)
router.put('/*', allow('Write'), put)
router.delete('/*', allow('Write'), del)
router.delete('/*', allow('Write', true), del)

return router
}