diff --git a/server/api/auth.js b/server/api/auth.js
index cdc9811b..b6860cd0 100644
--- a/server/api/auth.js
+++ b/server/api/auth.js
@@ -41,9 +41,12 @@ const Auth = {
 hasPerm (scope) {
 return (req, res, next) => {
 log.debug(scope, req.path)
- oauth.oauthServer.authenticate({ scope })(req, res, () => {
- log.debug('has perm')
- next()
+ oauth.oauthServer.authenticate({ scope })(req, res, err => {
+ if (err) {
+ next()
+ } else {
+ next(Error(err))
+ }
 })
 }
 }
diff --git a/server/api/controller/oauth.js b/server/api/controller/oauth.js
index ec789e82..c792ae81 100644
--- a/server/api/controller/oauth.js
+++ b/server/api/controller/oauth.js
@@ -143,11 +143,17 @@ const oauthController = {
 // TODO
 verifyScope (token, scope) {
- log.debug('VERIFY SCOPE ', scope)
- if (token.user.is_admin) {
+ // const userScope = [
+ // 'user:remove',
+ // 'user:update',
+ // 'event:write',
+ // 'event:remove'
+ // ]
+ log.debug(`VERIFY SCOPE ${scope} ${token.user.email}`)
+ if (token.user.is_admin && token.user.is_active) {
 return true
 } else {
- return true
+ return false
 }
 }
diff --git a/server/api/index.js b/server/api/index.js
index 0172a735..55a9722f 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -2,7 +2,7 @@
 const express = require('express')
 const multer = require('multer')
 const cors = require('cors')()
-const { isAuth, isAdmin, hasPerm } = require('./auth')
+const { isAuth, isAdmin } = require('./auth')
 const eventController = require('./controller/event')
 const exportController = require('./controller/export')
 const userController = require('./controller/user')
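Review bot: The new authenticate callback in hasPerm is inverted: `next()` runs when err is set, so a failed token check lets the request through, while the success path calls `next(Error(err))` with err undefined and rejects every valid token. The two branch bodies should be swapped and the original error forwarded as-is, i.e. `if (err) { return next(err) }` followed by `next()`. Wrapping with `Error(err)` also flattens the OAuth error into its message string, so whatever status and name the oauth server attached is lost before any error handler sees it. hasPerm is no longer referenced from index.js after this commit, but the middleware is still exported, so the fail-open path remains reachable for any future caller.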
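Review bot: verifyScope still ignores its scope argument: after this change an active admin token satisfies every scope and every non-admin token fails all of them, so the scope strings handed to OAuth clients no longer limit anything. The commented-out userScope list hints at the intended per-scope check; until it exists, a comment on the method such as `// NOTE: scope is not consulted — only is_admin && is_active decides, so every scope is all-or-nothing` would stop callers from assuming least-privilege tokens. The new debug line writes `token.user.email` to the log, which puts a personal identifier into logs wherever the debug level is enabled; the user id, or just the scope, is enough to trace the call. `token.user` is also dereferenced unconditionally, so if the server can issue a token with no attached user this would throw instead of returning false — hedged, since the token shape is not visible in the hunk.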
@@ -54,11 +54,11 @@ api.post('/user/register', userController.register)
 api.post('/user', isAdmin, userController.create)
 // update user
-api.put('/user', hasPerm('user:update'), userController.update)
+api.put('/user', isAuth, userController.update)
 // delete user
 api.delete('/user/:id', isAdmin, userController.remove)
-api.delete('/user', hasPerm('user:remove'), userController.remove)
+api.delete('/user', isAdmin, userController.remove)
 // get all users
 api.get('/users', isAdmin, userController.getAll)
@@ -85,12 +85,15 @@ api.put('/place', isAdmin, eventController.updatePlace)
 * @param {array} [recurrent.days] - array of days
 * @param {image} [image] - Image
 */
-api.post('/event', hasPerm('event:write'), upload.single('image'), eventController.add)
-api.put('/event', hasPerm('event:write'), upload.single('image'), eventController.update)
-api.get('/event/import', helpers.importURL)
+
+// allow anyone to add an event (anon event has to be confirmed, TODO: flood protection)
+api.post('/event', upload.single('image'), eventController.add)
+
+api.put('/event', isAuth, upload.single('image'), eventController.update)
+api.get('/event/import', isAuth, helpers.importURL)
 // remove event
-api.delete('/event/:id', hasPerm('event:remove'), eventController.remove)
+api.delete('/event/:id', isAuth, eventController.remove)
 // get tags/places
 api.get('/event/meta', eventController.getMeta)
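Review bot: Replacing `hasPerm('user:update')` with `isAuth` on `api.put('/user', ...)` drops the per-scope check, so the route is now gated only on being logged in; the same substitution is made for the `/event/:id` delete in the next hunk and for the confirm/unconfirm and `/clients` routes in the later hunks of this file. Whether that is safe depends on the controllers doing their own ownership or admin check, which this diff does not show; if userController.update or eventController.remove act on an id supplied by the client, any authenticated user could modify or delete another user's data. Either keep a scope-aware middleware on these routes or mark each one with where authorization is enforced, e.g. `// isAuth only: userController.update must restrict the update to req.user`. The `/event/confirm` and `/event/unconfirm` routes read like moderation actions; if they are, `isAdmin` is the closer fit than `isAuth`.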
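Review bot: `api.post('/event', upload.single('image'), eventController.add)` now accepts a multipart upload from unauthenticated clients with no rate limiting in the middleware chain, and the new comment itself records flood protection as a TODO. The `upload` multer instance is configured outside this hunk, so I cannot see whether it sets `limits` (fileSize, files, fields); without them an anonymous caller can fill the upload directory or exhaust memory with a single request. At minimum put a request-rate limiter and a size-limited multer on this route before exposing it, and record the constraint next to the comment: `// anonymous: keep behind a rate limiter and multer limits until flood protection lands`. `api.get('/event/import', isAuth, helpers.importURL)` gains isAuth here, which is an improvement, but if importURL fetches a caller-supplied URL the hunk gives no view of how the target is validated.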
@@ -107,8 +110,8 @@ api.post('/settings', isAdmin, settingsController.setRequest)
 api.post('/settings/logo', isAdmin, multer({ dest: config.upload_path }).single('logo'), settingsController.setLogo)
 // confirm event
-api.put('/event/confirm/:event_id', hasPerm('event:write'), eventController.confirm)
-api.put('/event/unconfirm/:event_id', hasPerm('event:write'), eventController.unconfirm)
+api.put('/event/confirm/:event_id', isAuth, eventController.confirm)
+api.put('/event/unconfirm/:event_id', isAuth, eventController.unconfirm)
 // get event
 api.get('/event/:event_id.:format?', cors, eventController.get)
@@ -134,8 +137,8 @@ api.put('/announcements/:announce_id', isAdmin, announceController.update)
 api.delete('/announcements/:announce_id', isAdmin, announceController.remove)
 // OAUTH
-api.get('/clients', hasPerm('oauth:read'), oauthController.getClients)
-api.get('/client/:client_id', hasPerm('oauth:read'), oauthController.getClient)
+api.get('/clients', isAuth, oauthController.getClients)
+api.get('/client/:client_id', isAuth, oauthController.getClient)
 api.post('/client', oauthController.createClient)
 api.use((req, res) => res.sendStatus(404))