Abstract away the token-protection logic

2026-06-06 15:49:01 +02:00 · 2017-10-19 16:26:01 +01:00
parent 22795981b9
commit eab77aba91
7 changed files with 35 additions and 12 deletions
@@ -24,8 +24,7 @@ module.exports = EditorHttpController =
 		EditorHttpController._buildJoinProjectView req, project_id, user_id, (error, project, privilegeLevel) ->
 			return next(error) if error?
 			# Hide access tokens if this is not the project owner
-			if privilegeLevel != 'owner' && project?.tokens?
-				project.tokens = {readOnly: '', readAndWrite: ''}
+			TokenAccessHandler.protectTokens(project, privilegeLevel)
 			res.json {
 				project: project
 				privilegeLevel: privilegeLevel
@@ -331,14 +331,7 @@ module.exports = ProjectController =
 		return projects

 	_buildProjectViewModel: (project, accessLevel, source) ->
-		tokens =
-			readOnly: ''
-			readAndWrite: ''
-		if project.tokens?
-			if accessLevel == 'owner' || (accessLevel == 'readAndWrite' && source == 'token')
-				tokens.readAndWrite = project.tokens.readAndWrite
-			if accessLevel == 'owner' || (accessLevel == 'readOnly' && source == 'token')
-				tokens.readOnly = project.tokens.readOnly
+		TokenAccessHandler.protectTokens(project, accessLevel)
 		model = {
 			id: project._id
 			name: project.name
@@ -348,7 +341,7 @@ module.exports = ProjectController =
 			source: source
 			archived: !!project.archived
 			owner_ref: project.owner_ref
-			tokens: tokens
+			tokens: project.tokens
 		}
 		return model

@@ -1,5 +1,6 @@
 Project = require('../../models/Project').Project
 PublicAccessLevels = require '../Authorization/PublicAccessLevels'
+PrivilegeLevels = require '../Authorization/PrivilegeLevels'
 ObjectId = require("mongojs").ObjectId
 Settings = require('settings-sharelatex')

@@ -72,3 +73,12 @@ module.exports = TokenAccessHandler =
 				return callback(err) if err?
 				isValidReadOnly = _validate(readOnlyProject)
 				callback null, isValidReadAndWrite, isValidReadOnly
+
+	protectTokens: (project, privilegeLevel) ->
+		if project? && project.tokens?
+			if privilegeLevel == PrivilegeLevels.OWNER
+				return
+			if privilegeLevel != PrivilegeLevels.READ_AND_WRITE
+				project.tokens.readAndWrite = ''
+			if privilegeLevel != PrivilegeLevels.READ_ONLY
+				project.tokens.readOnly = ''
@@ -31,6 +31,7 @@ describe "EditorHttpController", ->
 			json: sinon.stub()
 		@callback = sinon.stub()
 		@TokenAccessHandler.getRequestToken = sinon.stub().returns(@token = null)
+		@TokenAccessHandler.protectTokens = sinon.stub()
 			
 	describe "joinProject", ->
 		beforeEach ->
@@ -63,6 +63,7 @@ describe "ProjectController", ->
 			getLastOccurance: sinon.stub()
 		@TokenAccessHandler =
 			getRequestToken: sinon.stub().returns(@token)
+			protectTokens: sinon.stub()
 		@ProjectController = SandboxedModule.require modulePath, requires:
 			"settings-sharelatex":@settings
 			"logger-sharelatex":
@@ -66,4 +66,3 @@ describe "OneTimeTokenHandler", ->
 				done()


-
@@ -360,3 +360,23 @@ describe "TokenAccessHandler", ->
 					expect(rw).to.equal false
 					expect(ro).to.equal false
 					done()
+
+
+	describe 'protectTokens', ->
+		beforeEach ->
+			@project = {tokens: {readAndWrite: 'rw', readOnly: 'ro'}}
+
+		it 'should hide write token from read-only user', ->
+			@TokenAccessHandler.protectTokens(@project, 'readOnly')
+			expect(@project.tokens.readAndWrite).to.equal ''
+			expect(@project.tokens.readOnly).to.equal 'ro'
+
+		it 'should hide read token from read-write user', ->
+			@TokenAccessHandler.protectTokens(@project, 'readAndWrite')
+			expect(@project.tokens.readAndWrite).to.equal 'rw'
+			expect(@project.tokens.readOnly).to.equal ''
+
+		it 'should leave tokens in place for owner', ->
+			@TokenAccessHandler.protectTokens(@project, 'owner')
+			expect(@project.tokens.readAndWrite).to.equal 'rw'
+			expect(@project.tokens.readOnly).to.equal 'ro'
				`@@ -66,4 +66,3 @@ describe "OneTimeTokenHandler", ->`
				`done()`