mirror of
https://github.com/NodeBB/NodeBB.git
synced 2025-10-31 11:05:54 +01:00
refactor: remove usage of middlewares
Specifically, middleware.isAdmin|exposePrivilegeSet|exposePrivileges
This commit is contained in:
Julian Lam
@@ -1,13 +1,16 @@
|
|||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
const meta = require('../../meta');
|
const meta = require('../../meta');
|
||||||
|
const privileges = require('../../privileges');
|
||||||
|
|
||||||
const helpers = require('../helpers');
|
const helpers = require('../helpers');
|
||||||
|
|
||||||
const Admin = module.exports;
|
const Admin = module.exports;
|
||||||
|
|
||||||
Admin.updateSetting = async (req, res) => {
|
Admin.updateSetting = async (req, res) => {
|
||||||
if (!res.locals.privileges['admin:settings']) {
|
const ok = await privileges.admin.can('admin:settings', req.uid);
|
||||||
|
|
||||||
|
if (!ok) {
|
||||||
return helpers.formatApiResponse(403, res);
|
return helpers.formatApiResponse(403, res);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
|
const privileges = require('../../privileges');
|
||||||
const categories = require('../../categories');
|
const categories = require('../../categories');
|
||||||
const api = require('../../api');
|
const api = require('../../api');
|
||||||
|
|
||||||
@@ -7,12 +8,23 @@ const helpers = require('../helpers');
|
|||||||
|
|
||||||
const Categories = module.exports;
|
const Categories = module.exports;
|
||||||
|
|
||||||
|
const hasAdminPrivilege = async (uid) => {
|
||||||
|
const ok = await privileges.admin.can(`admin:categories`, uid);
|
||||||
|
if (!ok) {
|
||||||
|
throw new Error('[[error:no-privileges]]');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
Categories.create = async (req, res) => {
|
Categories.create = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid);
|
||||||
|
|
||||||
const response = await api.categories.create(req, req.body);
|
const response = await api.categories.create(req, req.body);
|
||||||
helpers.formatApiResponse(200, res, response);
|
helpers.formatApiResponse(200, res, response);
|
||||||
};
|
};
|
||||||
|
|
||||||
Categories.update = async (req, res) => {
|
Categories.update = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid);
|
||||||
|
|
||||||
const payload = {};
|
const payload = {};
|
||||||
payload[req.params.cid] = req.body;
|
payload[req.params.cid] = req.body;
|
||||||
await api.categories.update(req, payload);
|
await api.categories.update(req, payload);
|
||||||
@@ -21,6 +33,8 @@ Categories.update = async (req, res) => {
|
|||||||
};
|
};
|
||||||
|
|
||||||
Categories.delete = async (req, res) => {
|
Categories.delete = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid);
|
||||||
|
|
||||||
await api.categories.delete(req, { cid: req.params.cid });
|
await api.categories.delete(req, { cid: req.params.cid });
|
||||||
helpers.formatApiResponse(200, res);
|
helpers.formatApiResponse(200, res);
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -2,13 +2,22 @@
|
|||||||
|
|
||||||
const api = require('../../api');
|
const api = require('../../api');
|
||||||
const meta = require('../../meta');
|
const meta = require('../../meta');
|
||||||
|
const privileges = require('../../privileges');
|
||||||
const utils = require('../../utils');
|
const utils = require('../../utils');
|
||||||
|
|
||||||
const helpers = require('../helpers');
|
const helpers = require('../helpers');
|
||||||
|
|
||||||
const Users = module.exports;
|
const Users = module.exports;
|
||||||
|
|
||||||
|
const hasAdminPrivilege = async (uid, privilege) => {
|
||||||
|
const ok = await privileges.admin.can(`admin:${privilege}`, uid);
|
||||||
|
if (!ok) {
|
||||||
|
throw new Error('[[error:no-privileges]]');
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
Users.create = async (req, res) => {
|
Users.create = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid, 'users');
|
||||||
const userObj = await api.users.create(req, req.body);
|
const userObj = await api.users.create(req, req.body);
|
||||||
helpers.formatApiResponse(200, res, userObj);
|
helpers.formatApiResponse(200, res, userObj);
|
||||||
};
|
};
|
||||||
@@ -24,6 +33,7 @@ Users.delete = async (req, res) => {
|
|||||||
};
|
};
|
||||||
|
|
||||||
Users.deleteMany = async (req, res) => {
|
Users.deleteMany = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid, 'users');
|
||||||
await api.users.deleteMany(req, req.body);
|
await api.users.deleteMany(req, req.body);
|
||||||
helpers.formatApiResponse(200, res);
|
helpers.formatApiResponse(200, res);
|
||||||
};
|
};
|
||||||
@@ -49,19 +59,20 @@ Users.unfollow = async (req, res) => {
|
|||||||
};
|
};
|
||||||
|
|
||||||
Users.ban = async (req, res) => {
|
Users.ban = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid, 'users');
|
||||||
await api.users.ban(req, { ...req.body, uid: req.params.uid });
|
await api.users.ban(req, { ...req.body, uid: req.params.uid });
|
||||||
helpers.formatApiResponse(200, res);
|
helpers.formatApiResponse(200, res);
|
||||||
};
|
};
|
||||||
|
|
||||||
Users.unban = async (req, res) => {
|
Users.unban = async (req, res) => {
|
||||||
|
await hasAdminPrivilege(req.uid, 'users');
|
||||||
await api.users.unban(req, { ...req.body, uid: req.params.uid });
|
await api.users.unban(req, { ...req.body, uid: req.params.uid });
|
||||||
helpers.formatApiResponse(200, res);
|
helpers.formatApiResponse(200, res);
|
||||||
};
|
};
|
||||||
|
|
||||||
Users.generateToken = async (req, res) => {
|
Users.generateToken = async (req, res) => {
|
||||||
if (!res.locals.privileges['admin:settings']) {
|
await hasAdminPrivilege(req.uid, 'settings');
|
||||||
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
|
if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
|
||||||
} else if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
|
|
||||||
return helpers.formatApiResponse(401, res);
|
return helpers.formatApiResponse(401, res);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -80,9 +91,8 @@ Users.generateToken = async (req, res) => {
|
|||||||
};
|
};
|
||||||
|
|
||||||
Users.deleteToken = async (req, res) => {
|
Users.deleteToken = async (req, res) => {
|
||||||
if (!res.locals.privileges['admin:settings']) {
|
await hasAdminPrivilege(req.uid, 'settings');
|
||||||
return helpers.formatApiResponse(403, res, new Error('[[error:no-privileges]]'));
|
if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
|
||||||
} else if (parseInt(req.params.uid, 10) !== parseInt(req.user.uid, 10)) {
|
|
||||||
return helpers.formatApiResponse(401, res);
|
return helpers.formatApiResponse(401, res);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -201,6 +201,7 @@ module.exports = function (middleware) {
|
|||||||
|
|
||||||
middleware.isAdmin = helpers.try(async function isAdmin(req, res, next) {
|
middleware.isAdmin = helpers.try(async function isAdmin(req, res, next) {
|
||||||
const isAdmin = await user.isAdministrator(req.uid);
|
const isAdmin = await user.isAdministrator(req.uid);
|
||||||
|
|
||||||
if (!isAdmin) {
|
if (!isAdmin) {
|
||||||
return controllers.helpers.notAllowed(req, res);
|
return controllers.helpers.notAllowed(req, res);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -158,8 +158,11 @@ module.exports = function (privileges) {
|
|||||||
};
|
};
|
||||||
|
|
||||||
privileges.admin.can = async function (privilege, uid) {
|
privileges.admin.can = async function (privilege, uid) {
|
||||||
const isUserAllowedTo = await helpers.isUserAllowedTo(privilege, uid, [0]);
|
const [isUserAllowedTo, isAdministrator] = await Promise.all([
|
||||||
return isUserAllowedTo[0];
|
helpers.isUserAllowedTo(privilege, uid, [0]),
|
||||||
|
user.isAdministrator(uid),
|
||||||
|
]);
|
||||||
|
return isAdministrator || isUserAllowedTo[0];
|
||||||
};
|
};
|
||||||
|
|
||||||
// privileges.admin.canGroup = async function (privilege, groupName) {
|
// privileges.admin.canGroup = async function (privilege, groupName) {
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ const setupApiRoute = routeHelpers.setupApiRoute;
|
|||||||
module.exports = function () {
|
module.exports = function () {
|
||||||
const middlewares = [middleware.authenticate];
|
const middlewares = [middleware.authenticate];
|
||||||
|
|
||||||
setupApiRoute(router, 'put', '/settings/:setting', [...middlewares, middleware.checkRequired.bind(null, ['value']), middleware.exposePrivilegeSet], controllers.write.admin.updateSetting);
|
setupApiRoute(router, 'put', '/settings/:setting', [...middlewares, middleware.checkRequired.bind(null, ['value'])], controllers.write.admin.updateSetting);
|
||||||
|
|
||||||
return router;
|
return router;
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -10,9 +10,9 @@ const setupApiRoute = routeHelpers.setupApiRoute;
|
|||||||
module.exports = function () {
|
module.exports = function () {
|
||||||
const middlewares = [middleware.authenticate];
|
const middlewares = [middleware.authenticate];
|
||||||
|
|
||||||
setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['name']), middleware.isAdmin], controllers.write.categories.create);
|
setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['name'])], controllers.write.categories.create);
|
||||||
setupApiRoute(router, 'put', '/:cid', [...middlewares, middleware.isAdmin], controllers.write.categories.update);
|
setupApiRoute(router, 'put', '/:cid', [...middlewares], controllers.write.categories.update);
|
||||||
setupApiRoute(router, 'delete', '/:cid', [...middlewares, middleware.isAdmin], controllers.write.categories.delete);
|
setupApiRoute(router, 'delete', '/:cid', [...middlewares], controllers.write.categories.delete);
|
||||||
|
|
||||||
return router;
|
return router;
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -15,8 +15,8 @@ function guestRoutes() {
|
|||||||
function authenticatedRoutes() {
|
function authenticatedRoutes() {
|
||||||
const middlewares = [middleware.authenticate];
|
const middlewares = [middleware.authenticate];
|
||||||
|
|
||||||
setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['username']), middleware.isAdmin], controllers.write.users.create);
|
setupApiRoute(router, 'post', '/', [...middlewares, middleware.checkRequired.bind(null, ['username'])], controllers.write.users.create);
|
||||||
setupApiRoute(router, 'delete', '/', [...middlewares, middleware.checkRequired.bind(null, ['uids']), middleware.isAdmin, middleware.exposePrivileges], controllers.write.users.deleteMany);
|
setupApiRoute(router, 'delete', '/', [...middlewares, middleware.checkRequired.bind(null, ['uids'])], controllers.write.users.deleteMany);
|
||||||
|
|
||||||
setupApiRoute(router, 'put', '/:uid', [...middlewares, middleware.assert.user], controllers.write.users.update);
|
setupApiRoute(router, 'put', '/:uid', [...middlewares, middleware.assert.user], controllers.write.users.update);
|
||||||
setupApiRoute(router, 'delete', '/:uid', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.delete);
|
setupApiRoute(router, 'delete', '/:uid', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.delete);
|
||||||
@@ -28,11 +28,11 @@ function authenticatedRoutes() {
|
|||||||
setupApiRoute(router, 'put', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.follow);
|
setupApiRoute(router, 'put', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.follow);
|
||||||
setupApiRoute(router, 'delete', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.unfollow);
|
setupApiRoute(router, 'delete', '/:uid/follow', [...middlewares, middleware.assert.user], controllers.write.users.unfollow);
|
||||||
|
|
||||||
setupApiRoute(router, 'put', '/:uid/ban', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.ban);
|
setupApiRoute(router, 'put', '/:uid/ban', [...middlewares, middleware.assert.user], controllers.write.users.ban);
|
||||||
setupApiRoute(router, 'delete', '/:uid/ban', [...middlewares, middleware.assert.user, middleware.exposePrivileges], controllers.write.users.unban);
|
setupApiRoute(router, 'delete', '/:uid/ban', [...middlewares, middleware.assert.user], controllers.write.users.unban);
|
||||||
|
|
||||||
setupApiRoute(router, 'post', '/:uid/tokens', [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], controllers.write.users.generateToken);
|
setupApiRoute(router, 'post', '/:uid/tokens', [...middlewares, middleware.assert.user], controllers.write.users.generateToken);
|
||||||
setupApiRoute(router, 'delete', '/:uid/tokens/:token', [...middlewares, middleware.assert.user, middleware.exposePrivilegeSet], controllers.write.users.deleteToken);
|
setupApiRoute(router, 'delete', '/:uid/tokens/:token', [...middlewares, middleware.assert.user], controllers.write.users.deleteToken);
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = function () {
|
module.exports = function () {
|
||||||
|
|||||||
Reference in New Issue
Block a user