web,db - path rules are now handled by db queries

2020-08-31 09:42:38 +02:00 · 2020-08-31 09:42:38 +02:00 · 8ddd2e9013
commit 8ddd2e9013
parent 2420bd2e80
4 changed files with 55 additions and 61 deletions
--- a/bin/database/models.js
+++ b/bin/database/models.js
@ -51,6 +51,15 @@ models.group = new Schema({
 	roles: {type: String, default: ""} // roles; separated by commas "a,b,a.b,c.*,d.z.*"
 });
 // pathRules for access management
 models.pathRules = new Schema({
 	group: Schema.Types.ObjectId, // reference to group
 	expression: String, // path expression; e.g.: "(/blocks/.*)"
 	rule: String, // e.g.: block
 	type: String, // e.g: "404", "missing_permission", "login",
 	options: {type: Object, default: {}} // more options...
 });
 // application | service
 models.application = new Schema({
 	name: String, // recognizable application name; ex. "passRXBN - Password Manager"
@ -81,6 +90,7 @@ module.exports = (con) => {
 	// initialize models
 	mdls.user = con.model('User', models.user);
 	mdls.group = con.model('Group', models.group);
 	mdls.pathRules = con.model('PathRules', models.pathRules);
 	mdls.application = con.model('Application', models.application);
 	mdls.activity = con.model('Activity', models.activity);
 	mdls.authCode = con.model('AuthCode', models.authCode);
--- a/bin/database/module.js
+++ b/bin/database/module.js
@ -260,6 +260,31 @@ methods.addActivity = async (id, data) => {
 	}
 };
 //  ////////  ////////  //////////  //    //  ////////
 //  //    //  //    //      //      //    //  //
 //  ////////  //    //      //      //    //  //
 //  //        ////////      //      ////////  ////////
 //  //        //    //      //      //    //        //
 //  //        //    //      //      //    //  ////////
 //
 ////////////////////////////////////////////////////////////
 /**
 * get pathrules
 * @author Ruben Meyer
 * @async
 * @return {Object} async(rules, err)
 */
 methods.getPathRules = async () => {
 	var PathRules = models.pathRules;
 	try {
 		rules = await PathRules.find({}).exec();
 		return {reply: rules};
 	} catch(err) {
 		return {err: err};
 	}
 };
 //  ////////  ////////  ////////  //////
 //  //    //  //    //  //    //  //
--- a/bin/web/routes/rules.js
+++ b/bin/web/routes/rules.js
@ -7,11 +7,6 @@
 /**
 * EXPLANATIONS:
 *
 * groups: ["anon", "user", "admin"]
 * - anon: not logged in; no cookies
 * - user: logged in; non-special group
 * - admin: logged in; admin group 999 or equivalent
 *
 * expressions: RegExp tested on req.path
 * - ex.:
 * - req.path = "/profile/456";
@ -25,44 +20,8 @@
 * - 404: File not found
 * - missing_permission: Missing Permission page
 * - login: login page
 *
 * NOW ADDED TO DATABASE
 */
 let rules = [
 	{
 		group: "anon",
 		expression: "(/blocks/.*)",
 		rule: "block",
 		type: "404"
 	},
 	{
 		group: "anon",
 		expression: "(/error/.*)",
 		rule: "block",
 		type: "404"
 	},
 	{
 		group: "anon",
 		expression: "(/admin/.*)",
 		rule: "block",
 		type: "login"
 	},
 	{
 		group: "user",
 		expression: "(/blocks/.*)",
 		rule: "block",
 		type: "404"
 	},
 	{
 		group: "user",
 		expression: "(/error/.*)",
 		rule: "block",
 		type: "404"
 	},
 	{
 		group: "user",
 		expression: "(/admin/.*)",
 		rule: "block",
 		type: "missing_permission"
 	}
 ];
-module.exports = rules;
+module.exports = [];
--- a/bin/web/routes/static.js
+++ b/bin/web/routes/static.js
@ -90,30 +90,36 @@ let getRoutes = async () => {
 	 * all other routes
 	 * @url /*
 	 * @method all
 	 * @TODO comments
 	 */
-	route.all('/*', asyncer(async (req, res, next) => {
+	route.get('/*', asyncer(async (req, res, next) => {
 		// passthrough to next route
 		if(req.path.startsWith('/api'))
 			return next();
 		if(req.path == "/request") return res.render('error/404');
-		let pathRules = require("./rules");
+		let pathRules = await db.getPathRules();
-		let group = "anon";
+		// retrieve guest group - set as default
 		let groups = await db.getGroups();
 		guestId = null;
 		groups.reply.forEach((group) => {
 			if(group.name == "Guest") guestId = group._id;
 		});
 		let group = guestId;
 		// set user group
 		if(req.session && req.session.user) {
-			group = "user";
+			group = req.session.user.group;
 			if(req.session.user.group == 999) group = "admin";
 		}
-		pathRules.forEach((rule) => {
+		for(i = 0; i < pathRules.reply.length; i++) {
 			rule = pathRules.reply[i];
 			if(rule.rule == "block") {
-				if(group == rule.group) {
+				if(group == String(rule.group)) {
 					let regex = new RegExp(rule.expression, "g");
 					if(regex.test(req.path)) {
 						if(rule.type == "404") {
 							global['logs'].info("[web] (404) path not found: "+req.path);
 							return res.status(404).render('error/404', {
 								error_code: 404,
 								error_msg: 'msg.request.file.not_found',
@ -126,7 +132,7 @@ let getRoutes = async () => {
 								session: req.session,
 								cfg: cfg
 							});
-						} else if(rule.type == "login") {
+						} else if(rule.type == "login" && (!req.session || !req.session.user)) {
 							return res.status(401).render('error/login', {
 								error_code: 401,
 								session: req.session,
@ -142,15 +148,13 @@ let getRoutes = async () => {
 					}
 				}
 			}
-		});
+		};
 		let dir = global['__dirname'] + '/bin/web/views';
 		let path_j = path.join(dir, req.path.toLowerCase());
 		if(fs.existsSync(path_j+'.pug')) {
 			return res.render(req.path.replace(/^\//, ''), {
 				session: req.session,
 				apps: apps.reply,
 				cfg: cfg
 			});
 		} else {
@ -162,10 +166,6 @@ let getRoutes = async () => {
 				cfg: cfg
 			});
 		}
 		// TODO: try to login
 		// TODO: role-based authorization
 		// TODO: show login page or page
 	}));
 	return route;