From 9578989b6713d529f51ae7571985187fcf605396 Mon Sep 17 00:00:00 2001 From: NGPixel Date: Mon, 2 Jan 2017 23:32:16 -0500 Subject: [PATCH] Added access check for write and manage actions --- README.md | 4 ++-- controllers/admin.js | 24 ++++++++++++++++++++++++ controllers/pages.js | 31 ++++++++++++++++++++++++++++++- server.js | 1 + views/pages/admin/_layout.pug | 17 +++++++++-------- views/pages/source.pug | 20 +++++++++++--------- views/pages/view.pug | 29 ++++++++++++++++------------- 7 files changed, 93 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index 602cf75451..a232218a3d 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ - [x] Facebook - [x] Access Rights - [x] View - - [ ] Edit / Create + - [x] Edit / Create - [x] Background Agent (git sync, cache purge, etc.) - [x] Caching - [x] Create Entry @@ -40,7 +40,7 @@ - [x] Prerequisites - [x] Install - [ ] Authentication - - [ ] Git + - [x] Git - [x] Upgrade - [x] Edit Entry - [x] Git Management diff --git a/controllers/admin.js b/controllers/admin.js index 089fe97b52..1388d0cf04 100644 --- a/controllers/admin.js +++ b/controllers/admin.js @@ -12,10 +12,21 @@ router.get('/', (req, res) => { }); router.get('/profile', (req, res) => { + + if(res.locals.isGuest) { + return res.render('error-forbidden'); + } + res.render('pages/admin/profile', { adminTab: 'profile' }); + }); router.get('/stats', (req, res) => { + + if(res.locals.isGuest) { + return res.render('error-forbidden'); + } + Promise.all([ db.Entry.count(), db.UplFile.count(), 
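Review bot: The guards added on /profile and /stats render `error-forbidden` without setting a status, so the denial goes out as 200 and is indistinguishable from a normal page to proxies, caches, uptime checks and log-based alerting; `return res.status(403).render('error-forbidden');` makes the refusal explicit. The same applies to the manage checks in the next hunk of this file, to the GET guards in controllers/pages.js, and to the JSON denials in that file's PUT handlers, which would become `return res.status(403).json({ ok: false, error: 'Forbidden' });`. The `/` admin route whose closing `});` opens this hunk is outside the hunk, so I cannot tell whether it receives an equivalent check.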
@@ -28,14 +39,27 @@ router.get('/stats', (req, res) => { }).catch((err) => { throw err; }); + }); router.get('/users', (req, res) => { + + if(!res.locals.rights.manage) { + return res.render('error-forbidden'); + } + res.render('pages/admin/users', { adminTab: 'users' }); + }); router.get('/settings', (req, res) => { + + if(!res.locals.rights.manage) { + return res.render('error-forbidden'); + } + res.render('pages/admin/settings', { adminTab: 'settings' }); + }); module.exports = router; \ No newline at end of file diff --git a/controllers/pages.js b/controllers/pages.js index 88139f8035..0a4bffc51c 100644 --- a/controllers/pages.js +++ b/controllers/pages.js @@ -13,6 +13,10 @@ var _ = require('lodash'); */ router.get('/edit/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.render('error-forbidden'); + } + let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); entries.fetchOriginal(safePath, { @@ -40,6 +44,13 @@ router.get('/edit/*', (req, res, next) => { router.put('/edit/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.json({ + ok: false, + error: 'Forbidden' + }); + } + let safePath = entries.parsePath(_.replace(req.path, '/edit', '')); entries.update(safePath, req.body.markdown).then(() => { @@ -61,6 +72,10 @@ router.put('/edit/*', (req, res, next) => { router.get('/create/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.render('error-forbidden'); + } + if(_.some(['create','edit','account','source','history','mk'], (e) => { return _.startsWith(req.path, '/create/' + e); })) { return res.render('error', { message: 'You cannot create a document with this name as it is reserved by the system.', 
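Review bot: `res.locals.rights.manage` is dereferenced in /users and /settings without confirming that `rights` is present on locals; if whatever middleware populates it (not visible here) skips a request, the check throws a TypeError and the request ends in the error handler rather than a clean denial. That is fail-closed, so it is not a bypass, but `var rights = res.locals.rights || {};` before the test would make the intent explicit and keep the error handler out of the access path. The same applies to every `rights.write` check in controllers/pages.js.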
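Review bot: The write check is repeated verbatim at the top of five handlers in this file (GET and PUT /edit/*, GET and PUT /create/*, PUT /*) and four more in controllers/admin.js, with the render and JSON variants differing only in how the denial is sent. A small middleware, e.g. `const requireWrite = (req, res, next) => (res.locals.rights.write ? next() : res.render('error-forbidden'));` mounted as `router.get('/edit/*', requireWrite, (req, res, next) => {`, would keep the access decision in one place so a route added later cannot forget it. The GET /edit/* handler body continues past the end of this hunk.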
@@ -102,6 +117,13 @@ router.get('/create/*', (req, res, next) => { router.put('/create/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.json({ + ok: false, + error: 'Forbidden' + }); + } + let safePath = entries.parsePath(_.replace(req.path, '/create', '')); entries.create(safePath, req.body.markdown).then(() => { @@ -109,7 +131,7 @@ router.put('/create/*', (req, res, next) => { ok: true }) || true; }).catch((err) => { - res.json({ + return res.json({ ok: false, error: err.message }); @@ -192,6 +214,13 @@ router.get('/*', (req, res, next) => { */ router.put('/*', (req, res, next) => { + if(!res.locals.rights.write) { + return res.json({ + ok: false, + error: 'Forbidden' + }); + } + let safePath = entries.parsePath(req.path); if(_.isEmpty(req.body.move)) { diff --git a/server.js b/server.js index eaee3c8b1e..abb8282477 100644 --- a/server.js +++ b/server.js @@ -89,6 +89,7 @@ app.use(express.static(path.join(ROOTPATH, 'assets'))); var strategy = require(CORE_PATH + 'core-libs/auth')(passport, appconfig); global.rights = require(CORE_PATH + 'core-libs/rights'); +rights.init(); var sessionStore = new sessionMongoStore({ mongooseConnection: db.connection, diff --git a/views/pages/admin/_layout.pug b/views/pages/admin/_layout.pug index d3ad3c7083..27707e938d 100644 --- a/views/pages/admin/_layout.pug +++ b/views/pages/admin/_layout.pug @@ -41,14 +41,15 @@ block content a(href='/admin/stats') i.icon-bar-graph-2 span Stats - li - a(href='/admin/users') - i.icon-users - span Users - li - a(href='/admin/settings') - i.icon-cog - span Site Settings + if rights.manage + li + a(href='/admin/users') + i.icon-users + span Users + li + a(href='/admin/settings') + i.icon-cog + span Site Settings li a(href='/logout') i.icon-delete2 diff --git a/views/pages/source.pug b/views/pages/source.pug index 16a972bc35..e1048719f9 100644 --- a/views/pages/source.pug +++ b/views/pages/source.pug 
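Review bot: `rights.init();` is called through the implicit global created by `global.rights = require(...)` on the previous line rather than through a local binding, which reads as an undeclared identifier and defeats linting; `var rights = global.rights = require(CORE_PATH + 'core-libs/rights');` keeps both. Whether `init()` is synchronous is not visible here; if it loads its rules asynchronously, the `res.locals.rights` checks added in controllers/ could run for early requests before the rules are in place, so it is worth confirming that init completes before the server starts listening.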
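Review bot: The Users and Site Settings items are now gated on `rights.manage`, but the Profile and Stats items above them stay unconditional even though controllers/admin.js now denies those routes to guests; if a guest can reach this layout at all, wrapping those two items in `if !isGuest`, as views/pages/view.pug does for the Account link, keeps the navigation consistent with what the routes allow. Hiding the links is presentation only; the checks in the controllers remain the actual control.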
@@ -6,18 +6,20 @@ block rootNavCenter block rootNavRight i.nav-item#notifload span.nav-item - a.button.is-outlined.btn-move-prompt.is-hidden - i.icon-shuffle - span Move + if rights.write + a.button.is-outlined.btn-move-prompt.is-hidden + i.icon-shuffle + span Move a.button.is-outlined(href='/' + pageData.meta.path) i.icon-loader span Normal View - a.button.is-orange(href='/edit/' + pageData.meta.path) - i.fa.fa-edit - span Edit - a.button.is-blue.btn-create-prompt - i.fa.fa-plus - span Create + if rights.write + a.button.is-orange(href='/edit/' + pageData.meta.path) + i.fa.fa-edit + span Edit + a.button.is-blue.btn-create-prompt + i.fa.fa-plus + span Create block content diff --git a/views/pages/view.pug b/views/pages/view.pug index 02c79d3a89..df5cda8a46 100644 --- a/views/pages/view.pug +++ b/views/pages/view.pug @@ -11,18 +11,20 @@ mixin tocMenu(ti) block rootNavRight i.nav-item#notifload .nav-item - a.button.is-outlined.btn-move-prompt.is-hidden - i.icon-shuffle - span Move + if rights.write + a.button.is-outlined.btn-move-prompt.is-hidden + i.icon-shuffle + span Move a.button.is-outlined(href='/source/' + pageData.meta.path) i.icon-loader span Source - a.button(href='/edit/' + pageData.meta.path) - i.icon-document-text - span Edit - a.button.btn-create-prompt - i.icon-plus - span Create + if rights.write + a.button(href='/edit/' + pageData.meta.path) + i.icon-document-text + span Edit + a.button.btn-create-prompt + i.icon-plus + span Create block content @@ -46,10 +48,11 @@ block content a(href='/' + pageData.parent.path) i.icon-reply span= pageData.parent.title - li - a(href='/admin') - i.icon-head - span Account + if !isGuest + li + a(href='/admin') + i.icon-head + span Account aside.stickyscroll(data-margin-top=40) .sidebar-label i.icon-th-list