Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-03 12:36:02 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
75b1bbd09fe54115a8bef500c3de9156ad9b2d7e
NodeBB/src/middleware/admin.js

169 lines
5.6 KiB
JavaScript
Raw Normal View History

ESlint quotes
2017-02-18 01:56:23 -07:00
'use strict';
started moving admin mdw into middleware/admin.js; res.render post-processing to append admin footer/header
2014-03-03 13:17:10 -05:00
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers
2016-08-26 18:50:37 +03:00
var winston = require('winston');
ACP quick actions (#6374) * ACP quick actions - Moved restart, build & restart, and logout into separate buttons - Moved buttons on mobile into the side menu - Added version and upgrade alert to header / mobile menu - Moved version checking to server-side with a cache for rate limiting - Changed "reload" translations to "rebuild and restart" * Change info alert to black-on-white to match focused search bar * Fix tests * Fallback for failed fetch of latest version
2018-03-20 06:32:17 -06:00
var jsesc = require('jsesc');
var nconf = require('nconf');
var semver = require('semver');
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers
2016-08-26 18:50:37 +03:00
var user = require('../user');
var meta = require('../meta');
var plugins = require('../plugins');
feat: privileges for Admin Control Panel (#8355) * feat: acp privileges (WIP) * fix: restore global privilege hooks * refactor: using cid 0 in admin privs * fix: no need for zebrastripe-reset * feat: manage:categories privilege WIP * feat: renamed prefix to admin:, settigns and dashboard privs * fix: nofocus on acp privs group find modal * refactor: privileges.x.get() to not used hardcoded privs * fix: crash if unable to get latest version * feat: setting acp priv * Revert "fix: crash if unable to get latest version" This reverts commit afdb235f48eb0072d88de45f3a1e0151281095b3. * feat: user/privilege acp privs * fix: category selector in manage/privileges * fix: guests potentially becoming admins * fix: bug in setting admin privs * fix: some last minute things + api docs * fix: some more last minute fixes
2020-06-05 15:26:51 -04:00
var privileges = require('../privileges');
refactor: making rendering of header and footer async functions * refactor: make middleware.admin.renderHeader async * refactor: making rendering of header and footer async functions * fix: use app.renderAsync instead of promifying it
2020-06-03 19:07:08 -04:00
var utils = require('../../public/src/utils');
ACP quick actions (#6374) * ACP quick actions - Moved restart, build & restart, and logout into separate buttons - Moved buttons on mobile into the side menu - Added version and upgrade alert to header / mobile menu - Moved version checking to server-side with a cache for rate limiting - Changed "reload" translations to "rebuild and restart" * Change info alert to black-on-white to match focused search bar * Fix tests * Fallback for failed fetch of latest version
2018-03-20 06:32:17 -06:00
var versions = require('../admin/versions');
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares
2020-06-03 20:18:42 -04:00
var helpers = require('./helpers');
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers
2016-08-26 18:50:37 +03:00
var controllers = {
api: require('../controllers/api'),
ESlint comma-dangle
2017-02-17 19:31:21 -07:00
helpers: require('../controllers/helpers'),
added back isAdmin into admin middleware with a warning
2014-12-01 23:07:47 -05:00
};
refactor: changed way middleware was exported
2020-08-21 15:29:40 -04:00
const middleware = module.exports;
middleware.buildHeader = helpers.try(async function (req, res, next) {
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
res.locals.renderAdminHeader = true;
res.locals.config = await controllers.api.loadConfig(req);
next();
});
refactor: changed way middleware was exported
2020-08-21 15:29:40 -04:00
middleware.renderHeader = async (req, res, data) => {
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
var custom_header = {
plugins: [],
authentication: [],
};
res.locals.config = res.locals.config || {};
const results = await utils.promiseParallel({
userData: user.getUserFields(req.uid, ['username', 'userslug', 'email', 'picture', 'email:confirmed']),
scripts: getAdminScripts(),
refactor: move plugin hook methods to plugin.hooks.*
2020-11-20 16:06:26 -05:00
custom_header: plugins.hooks.fire('filter:admin.header.build', custom_header),
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
configs: meta.configs.list(),
latestVersion: getLatestVersion(),
privileges: privileges.admin.get(req.uid),
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares
2020-06-03 20:18:42 -04:00
});
acp shenans
2015-03-06 19:38:10 -05:00
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
var userData = results.userData;
userData.uid = req.uid;
userData['email:confirmed'] = userData['email:confirmed'] === 1;
userData.privileges = results.privileges;
var acpPath = req.path.slice(1).split('/');
acpPath.forEach(function (path, i) {
acpPath[i] = path.charAt(0).toUpperCase() + path.slice(1);
});
acpPath = acpPath.join(' > ');
var version = nconf.get('version');
res.locals.config.userLang = res.locals.config.acpLang || res.locals.config.userLang;
var templateValues = {
config: res.locals.config,
configJSON: jsesc(JSON.stringify(res.locals.config), { isScriptContext: true }),
relative_path: res.locals.config.relative_path,
adminConfigJSON: encodeURIComponent(JSON.stringify(results.configs)),
user: userData,
userJSON: jsesc(JSON.stringify(userData), { isScriptContext: true }),
plugins: results.custom_header.plugins,
authentication: results.custom_header.authentication,
scripts: results.scripts,
'cache-buster': meta.config['cache-buster'] || '',
env: !!process.env.NODE_ENV,
title: (acpPath || 'Dashboard') + ' | NodeBB Admin Control Panel',
bodyClass: data.bodyClass,
version: version,
latestVersion: results.latestVersion,
upgradeAvailable: results.latestVersion && semver.gt(results.latestVersion, version),
fix: empty "manage" menu showing in ACP ... if no privileges corresponding to those menu items are given
2020-08-21 15:42:04 -04:00
showManageMenu: results.privileges.superadmin || ['categories', 'privileges', 'users', 'settings'].some(priv => results.privileges[`admin:${priv}`]),
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers
2016-08-26 18:50:37 +03:00
};
closes #5082
2016-10-05 15:22:35 +03:00
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
templateValues.template = { name: res.locals.template };
templateValues.template[res.locals.template] = true;
feat: explicitly add filter:admin/header.build hook As it is not fired during middleware.processRender
2020-12-21 09:59:12 -05:00
// Normally this should hook be automatically added by middleware.processRender(), but it seems to only be fired for page hooks, and not when called internally.
({ templateValues } = await plugins.hooks.fire('filter:admin/header.build', { req, res, templateData: templateValues }));
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
return await req.app.renderAsync('admin/header', templateValues);
};
async function getAdminScripts() {
refactor: move plugin hook methods to plugin.hooks.*
2020-11-20 16:06:26 -05:00
const scripts = await plugins.hooks.fire('filter:admin.scripts.get', []);
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
return scripts.map(function (script) {
return { src: script };
});
}
async function getLatestVersion() {
try {
const result = await versions.getLatestVersion();
return result;
} catch (err) {
winston.error('[acp] Failed to fetch latest version' + err.stack);
refactor
2017-05-24 15:07:03 -04:00
}
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
return null;
}
closes #5082
2016-10-05 15:22:35 +03:00
refactor: changed way middleware was exported
2020-08-21 15:29:40 -04:00
middleware.renderFooter = async function (req, res, data) {
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
return await req.app.renderAsync('admin/footer', data);
};
fix: deprecate middleware.isAdmin Also, handle admin logout timer in middleware.admin.checkPrivileges
2020-10-30 12:30:58 -04:00
middleware.checkPrivileges = helpers.try(async (req, res, next) => {
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
// Kick out guests, obviously
fix: deprecate middleware.isAdmin Also, handle admin logout timer in middleware.admin.checkPrivileges
2020-10-30 12:30:58 -04:00
if (req.uid <= 0) {
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
return controllers.helpers.notAllowed(req, res);
#8344 (#8346) * feat: wip * feat: wrap middlewares * feat: middleware errors * feat: more middleware changes * fix: remove unused async * fix: prevent version errors from blocking acp render * feat: wrap more middlewares
2020-06-03 20:18:42 -04:00
}
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
// Otherwise, check for privilege based on page (if not in mapping, deny access)
const path = req.path.replace(/^(\/api)?\/admin\/?/g, '');
if (path) {
const privilege = privileges.admin.resolve(path);
fix: broken test
2020-10-30 17:16:40 -04:00
if (!await privileges.admin.can(privilege, req.uid)) {
feat: privileges for Admin Control Panel (#8355) * feat: acp privileges (WIP) * fix: restore global privilege hooks * refactor: using cid 0 in admin privs * fix: no need for zebrastripe-reset * feat: manage:categories privilege WIP * feat: renamed prefix to admin:, settigns and dashboard privs * fix: nofocus on acp privs group find modal * refactor: privileges.x.get() to not used hardcoded privs * fix: crash if unable to get latest version * feat: setting acp priv * Revert "fix: crash if unable to get latest version" This reverts commit afdb235f48eb0072d88de45f3a1e0151281095b3. * feat: user/privilege acp privs * fix: category selector in manage/privileges * fix: guests potentially becoming admins * fix: bug in setting admin privs * fix: some last minute things + api docs * fix: some more last minute fixes
2020-06-05 15:26:51 -04:00
return controllers.helpers.notAllowed(req, res);
}
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
} else {
// If accessing /admin, check for any valid admin privs
const privilegeSet = await privileges.admin.get(req.uid);
if (!Object.values(privilegeSet).some(Boolean)) {
return controllers.helpers.notAllowed(req, res);
feat: privileges for Admin Control Panel (#8355) * feat: acp privileges (WIP) * fix: restore global privilege hooks * refactor: using cid 0 in admin privs * fix: no need for zebrastripe-reset * feat: manage:categories privilege WIP * feat: renamed prefix to admin:, settigns and dashboard privs * fix: nofocus on acp privs group find modal * refactor: privileges.x.get() to not used hardcoded privs * fix: crash if unable to get latest version * feat: setting acp priv * Revert "fix: crash if unable to get latest version" This reverts commit afdb235f48eb0072d88de45f3a1e0151281095b3. * feat: user/privilege acp privs * fix: category selector in manage/privileges * fix: guests potentially becoming admins * fix: bug in setting admin privs * fix: some last minute things + api docs * fix: some more last minute fixes
2020-06-05 15:26:51 -04:00
}
fix: change how admin middlewares are exported
2020-08-21 15:11:54 -04:00
}
feat: privileges for Admin Control Panel (#8355) * feat: acp privileges (WIP) * fix: restore global privilege hooks * refactor: using cid 0 in admin privs * fix: no need for zebrastripe-reset * feat: manage:categories privilege WIP * feat: renamed prefix to admin:, settigns and dashboard privs * fix: nofocus on acp privs group find modal * refactor: privileges.x.get() to not used hardcoded privs * fix: crash if unable to get latest version * feat: setting acp priv * Revert "fix: crash if unable to get latest version" This reverts commit afdb235f48eb0072d88de45f3a1e0151281095b3. * feat: user/privilege acp privs * fix: category selector in manage/privileges * fix: guests potentially becoming admins * fix: bug in setting admin privs * fix: some last minute things + api docs * fix: some more last minute fixes
2020-06-05 15:26:51 -04:00
fix: #9063, missing handler for passwordless accounts in admin.checkPrivileges middleware
2020-12-05 09:50:45 -05:00
// If user does not have password
const hasPassword = await user.hasPassword(req.uid);
if (!hasPassword) {
return next();
}
fix: deprecate middleware.isAdmin Also, handle admin logout timer in middleware.admin.checkPrivileges
2020-10-30 12:30:58 -04:00
// Reject if they need to re-login (due to ACP timeout), otherwise extend logout timer
const loginTime = req.session.meta ? req.session.meta.datetime : 0;
const adminReloginDuration = meta.config.adminReloginDuration * 60000;
const disabled = meta.config.adminReloginDuration === 0;
if (disabled || (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {
const timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);
if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {
req.session.meta.datetime += Math.min(300000, adminReloginDuration);
}
return next();
}
let returnTo = req.path;
if (nconf.get('relative_path')) {
returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');
}
returnTo = returnTo.replace(/^\/api/, '');
req.session.returnTo = returnTo;
req.session.forceLogin = 1;
feat: allow plugins to override ACP relogin challenge - used in 2factor
2020-12-11 11:50:18 -05:00
await plugins.hooks.fire('response:auth.relogin', { req, res });
if (res.headersSent) {
return;
}
fix: deprecate middleware.isAdmin Also, handle admin logout timer in middleware.admin.checkPrivileges
2020-10-30 12:30:58 -04:00
if (res.locals.isAPI) {
fix: restore old behaviour of empty json w/ 401 code in admin middleware
2020-10-30 14:07:47 -04:00
res.status(401).json({});
fix: deprecate middleware.isAdmin Also, handle admin logout timer in middleware.admin.checkPrivileges
2020-10-30 12:30:58 -04:00
} else {
res.redirect(nconf.get('relative_path') + '/login?local=1');
}
});
Reference in New Issue Copy Permalink