web,db - path rules are now handled by db queries

1 year ago · 8ddd2e9013
4 changed files with 55 additions and 61 deletions
--- a/bin/database/models.js
+++ b/bin/database/models.js
@ -51,6 +51,15 @@ models.group = new Schema({
 	roles: {type: String, default: ""} // roles; separated by commas "a,b,a.b,c.*,d.z.*"
 });

+// pathRules for access management
+models.pathRules = new Schema({
+	group: Schema.Types.ObjectId, // reference to group
+	expression: String, // path expression; e.g.: "(/blocks/.*)"
+	rule: String, // e.g.: block
+	type: String, // e.g: "404", "missing_permission", "login",
+	options: {type: Object, default: {}} // more options...
+});
+
 // application | service
 models.application = new Schema({
 	name: String, // recognizable application name; ex. "passRXBN - Password Manager"
@ -81,6 +90,7 @@ module.exports = (con) => {
 	// initialize models
 	mdls.user = con.model('User', models.user);
 	mdls.group = con.model('Group', models.group);
+	mdls.pathRules = con.model('PathRules', models.pathRules);
 	mdls.application = con.model('Application', models.application);
 	mdls.activity = con.model('Activity', models.activity);
 	mdls.authCode = con.model('AuthCode', models.authCode);
--- a/bin/database/module.js
+++ b/bin/database/module.js
@ -260,6 +260,31 @@ methods.addActivity = async (id, data) => {
 	}
 };

+//  ////////  ////////  //////////  //    //  ////////
+//  //    //  //    //      //      //    //  //
+//  ////////  //    //      //      //    //  //
+//  //        ////////      //      ////////  ////////
+//  //        //    //      //      //    //        //
+//  //        //    //      //      //    //  ////////
+//
+////////////////////////////////////////////////////////////
+
+
+/**
+ * get pathrules
+ * @author Ruben Meyer
+ * @async
+ * @return {Object} async(rules, err)
+ */
+methods.getPathRules = async () => {
+	var PathRules = models.pathRules;
+	try {
+		rules = await PathRules.find({}).exec();
+		return {reply: rules};
+	} catch(err) {
+		return {err: err};
+	}
+};

 //  ////////  ////////  ////////  //////
 //  //    //  //    //  //    //  //
--- a/bin/web/routes/rules.js
+++ b/bin/web/routes/rules.js
@ -7,11 +7,6 @@
 /**
 * EXPLANATIONS:
 *
- * groups: ["anon", "user", "admin"]
- * - anon: not logged in; no cookies
- * - user: logged in; non-special group
- * - admin: logged in; admin group 999 or equivalent
- *
 * expressions: RegExp tested on req.path
 * - ex.:
 * - req.path = "/profile/456";
@ -25,44 +20,8 @@
 * - 404: File not found
 * - missing_permission: Missing Permission page
 * - login: login page
+ *
+ * NOW ADDED TO DATABASE
 */
-let rules = [
-	{
-		group: "anon",
-		expression: "(/blocks/.*)",
-		rule: "block",
-		type: "404"
-	},
-	{
-		group: "anon",
-		expression: "(/error/.*)",
-		rule: "block",
-		type: "404"
-	},
-	{
-		group: "anon",
-		expression: "(/admin/.*)",
-		rule: "block",
-		type: "login"
-	},
-	{
-		group: "user",
-		expression: "(/blocks/.*)",
-		rule: "block",
-		type: "404"
-	},
-	{
-		group: "user",
-		expression: "(/error/.*)",
-		rule: "block",
-		type: "404"
-	},
-	{
-		group: "user",
-		expression: "(/admin/.*)",
-		rule: "block",
-		type: "missing_permission"
-	}
-];

-module.exports = rules;
+module.exports = [];
--- a/bin/web/routes/static.js
+++ b/bin/web/routes/static.js
@ -90,30 +90,36 @@ let getRoutes = async () => {
 	 * all other routes
 	 * @url /*
 	 * @method all
-	 * @TODO comments
 	 */
-	route.all('/*', asyncer(async (req, res, next) => {
+	route.get('/*', asyncer(async (req, res, next) => {
 		// passthrough to next route
 		if(req.path.startsWith('/api'))
 			return next();

 		if(req.path == "/request") return res.render('error/404');

-		let pathRules = require("./rules");
+		let pathRules = await db.getPathRules();

-		let group = "anon";
+		// retrieve guest group - set as default
+		let groups = await db.getGroups();
+		guestId = null;
+		groups.reply.forEach((group) => {
+			if(group.name == "Guest") guestId = group._id;
+		});
+		let group = guestId;
+
+		// set user group
 		if(req.session && req.session.user) {
-			group = "user";
-			if(req.session.user.group == 999) group = "admin";
+			group = req.session.user.group;
 		}

-		pathRules.forEach((rule) => {
+		for(i = 0; i < pathRules.reply.length; i++) {
+			rule = pathRules.reply[i];
 			if(rule.rule == "block") {
-				if(group == rule.group) {
+				if(group == String(rule.group)) {
 					let regex = new RegExp(rule.expression, "g");
 					if(regex.test(req.path)) {
 						if(rule.type == "404") {
-							global['logs'].info("[web] (404) path not found: "+req.path);
 							return res.status(404).render('error/404', {
 								error_code: 404,
 								error_msg: 'msg.request.file.not_found',
@ -126,7 +132,7 @@ let getRoutes = async () => {
 								session: req.session,
 								cfg: cfg
 							});
-						} else if(rule.type == "login") {
+						} else if(rule.type == "login" && (!req.session || !req.session.user)) {
 							return res.status(401).render('error/login', {
 								error_code: 401,
 								session: req.session,
@ -142,15 +148,13 @@ let getRoutes = async () => {
 					}
 				}
 			}
-		});
-
+		};

 		let dir = global['__dirname'] + '/bin/web/views';
 		let path_j = path.join(dir, req.path.toLowerCase());
 		if(fs.existsSync(path_j+'.pug')) {
 			return res.render(req.path.replace(/^\//, ''), {
 				session: req.session,
-				apps: apps.reply,
 				cfg: cfg
 			});
 		} else {
@ -162,10 +166,6 @@ let getRoutes = async () => {
 				cfg: cfg
 			});
 		}
-
-		// TODO: try to login
-		// TODO: role-based authorization
-		// TODO: show login page or page
 	}));

 	return route;