Merge remote-tracking branch 'origin/access_control'

Conflicts: app.js
EgorKluch · Jan 29, 2014 · 88903cd · 88903cd
2 parents 4f374e5 + ffca1cb
commit 88903cd
Show file tree

Hide file tree

Showing 15 changed files with 324 additions and 156 deletions.
diff --git a/app.js b/app.js
@@ -25,6 +25,8 @@ if (cluster.isMaster) {
   var app = express();
   var params = require('express-params');
   var expressDomain = require('express-domain-middleware');
+  var server;
+
   params.extend(app);
 
   var AppError = require('./core/AppError');
@@ -36,7 +38,7 @@ if (cluster.isMaster) {
     app.set('view engine', 'jade');
   });
 
-// Set statics dirs (not handlers)
+  // Set statics dirs (not handlers)
   app.use('/js/lib', express.static('public/lib'));
   app.use('/js', express.static('public/js'));
   app.use('/css', express.static('public/css'));
@@ -80,7 +82,7 @@ if (cluster.isMaster) {
     res.json(err.status, err.getData());
   });
 
-  var server = app.listen(config.port);
+  server = app.listen(config.port);
   console.log('Express started on port ' + config.port);
 
   server.on('connection', function(socket) {

diff --git a/controller/main/mainController.js b/controller/main/mainController.js
@@ -28,8 +28,23 @@ MainController.prototype.index = function (core, next) {
 };
 
 MainController.prototype.notFound = function (core, next) {
-  var data = { script: 'main/main', style: 'main/style' };
-  core.responseHtmlFromTemplate('main:notFound', data, next, 404);
+  var data = {
+    script: 'main/main',
+    style: 'main/main',
+    title: 'Страница не найдена',
+    message: 'Данной страницы не существует.'
+  };
+  core.responseHtmlFromTemplate('main:error', data, next, 404);
+};
+
+MainController.prototype.forbidden = function (core, next) {
+  var data = {
+    script: 'main/main',
+    style: 'main/main',
+    title: 'Ошибка доступа',
+    message: 'Доступ к данной странице запрещен.'
+  };
+  core.responseHtmlFromTemplate('main:error', data, next, 403);
 };
 
 module.exports = MainController;
diff --git a/controller/main/tpl/error.jade b/controller/main/tpl/error.jade
@@ -0,0 +1,7 @@
+extends block/base
+
+block title
+  =title
+
+block content
+  =message
diff --git a/controller/main/tpl/notFound.jade b/controller/main/tpl/notFound.jade
diff --git a/controller/picture/pictureController.js b/controller/picture/pictureController.js
@@ -10,57 +10,87 @@ var AppError = require('../../core/AppError');
 var PictureController = function () {};
 
 PictureController.prototype.upload = function (core, next) {
-  var file = core.files.picture;
   var pictureId = core.post.pictureId;
-  core.pictureManager.upload(file, pictureId, function (err, data) {
-    if (err) next(new AppError(err));
-    core.responseJson(data);
+  core.pictureManager.hasAccess('upload', { picture: pictureId }, function (err, hasAccess) {
+    if (err) return next(new AppError(err));
+    if (!hasAccess) return core.jsonForbidden();
+
+    var file = core.files.picture;
+    core.pictureManager.upload(file, pictureId, function (err, data) {
+      if (err) next(new AppError(err));
+      core.responseJson(data);
+    });
   });
 };
 
 PictureController.prototype.addPage = function (core, next) {
-  var data = { script: 'picture/addPicture', style: 'main/main' };
-  core.responseHtmlFromTemplate('picture:addPicture', data, next);
+  core.pictureManager.hasAccess('add', null, function (err, hasAccess) {
+    if (err) return next(new AppError(err));
+    if (!hasAccess) return core.forbidden();
+
+    var data = { script: 'picture/addPicture', style: 'main/main' };
+    core.responseHtmlFromTemplate('picture:addPicture', data, next);
+  });
 };
 
 PictureController.prototype.editPage = function (core, next) {
   var picture = core.req.picture;
+  core.pictureManager.hasAccess('edit', { picture: picture }, function (err, hasAccess) {
+    if (err) return next(new AppError(err));
+    if (!hasAccess) return core.forbidden();
 
-  var data = {
-    script: 'picture/editPicture',
-    style: 'main/main',
-    id: picture.id,
-    title: picture.title,
-    description: picture.description
-  };
-  core.responseHtmlFromTemplate('picture:editPicture', data, next);
+    var data = {
+      script: 'picture/editPicture',
+      style: 'main/main',
+      id: picture.id,
+      title: picture.title,
+      description: picture.description
+    };
+    core.responseHtmlFromTemplate('picture:editPicture', data, next);
+  });
 };
 
 
 PictureController.prototype.add = function (core, next) {
-  var data = core.post;
-  data.userId = core.userManager.currentUser.id;
-
-  core.pictureManager.add(data, function (err) {
+  core.pictureManager.hasAccess('add', null, function (err, hasAccess) {
     if (err) return next(new AppError(err));
-    core.responseJson();
+    if (!hasAccess) return core.jsonForbidden();
+
+    var data = core.post;
+    data.userId = core.userManager.currentUser.id;
+
+    core.pictureManager.add(data, function (err) {
+      if (err) return next(new AppError(err));
+      core.responseJson();
+    });
   });
 };
 
 PictureController.prototype.edit = function (core, next) {
-  var data = core.post;
-  data.userId = core.userManager.currentUser.id;
-
-  core.pictureManager.edit(core.req.picture, data, function (err) {
+  var picture = core.req.picture;
+  core.pictureManager.hasAccess('edit', { picture: picture }, function (err, hasAccess) {
     if (err) return next(new AppError(err));
-    core.responseJson();
+    if (!hasAccess) return core.jsonForbidden();
+
+    var data = core.post;
+    data.userId = core.userManager.currentUser.id;
+    core.pictureManager.edit(picture, data, function (err) {
+      if (err) return next(new AppError(err));
+      core.responseJson();
+    });
   });
 };
 
 PictureController.prototype.del = function (core, next) {
-  core.pictureManager.del(core.req.picture, function (err) {
+  var picture = core.req.picture;
+  core.pictureManager.hasAccess('delete', { picture: picture }, function (err, hasAccess) {
     if (err) return next(new AppError(err));
-    core.responseJson();
+    if (!hasAccess) return core.jsonForbidden();
+
+    core.pictureManager.del(picture, function (err) {
+      if (err) return next(new AppError(err));
+      core.responseJson();
+    });
   });
 };
 

diff --git a/controller/user/js/controller/signIn.coffee b/controller/user/js/controller/signIn.coffee
@@ -21,7 +21,7 @@ window.app.controller 'SignInCtrl', ['$scope', '$http', ($scope, $http)->
     $http.post('/signOut', $scope.user)
       .success (response)->
           return console.error response.errorMessage if response.error
-          location.reload()
+          location.href = '/'
       .error (response)->
           console.error response
 ]
diff --git a/controller/user/js/controller/signUp.coffee b/controller/user/js/controller/signUp.coffee
@@ -22,7 +22,7 @@ window.app.controller 'SignUpCtrl', ['$scope', '$http', (s, $http)->
     $http.post('/signUp', s.user)
     .success (response)->
         return console.error response.errorMessage if response.error
-        location.reload()
+        window.history.back();
     .error (response)->
         console.error response
 ]
diff --git a/controller/user/userController.js b/controller/user/userController.js
@@ -11,30 +11,53 @@ var AppError = require('../../core/AppError');
 var UserController = function () {};
 
 UserController.prototype.signUpPage = function (core, next) {
-  var data = { script: 'user/signUp', style: 'main/main' };
-  core.responseHtmlFromTemplate('user:signUp', data, next);
+  core.userManager.hasAccess('signUp', null, function (err, hasAccess) {
+    if (err) return next(new AppError(err));
+    if (!hasAccess) return core.forbidden();
+
+    var data = { script: 'user/signUp', style: 'main/main' };
+    core.responseHtmlFromTemplate('user:signUp', data, next);
+  });
 };
 
 UserController.prototype.signUp = function (core, next) {
-  core.userManager.signUp(core.post, function (err) {
+  core.userManager.hasAccess('signUp', null, function (err, hasAccess) {
     if (err) return next(new AppError(err));
-    core.responseJson();
+    if (!hasAccess) return core.jsonForbidden();
+
+    core.userManager.signUp(core.post, function (err) {
+      if (err) return next(new AppError(err));
+      core.responseJson();
+    });
   });
 };
 
 UserController.prototype.signIn = function (core, next) {
-  var login = core.post.login;
-  var password = core.post.password;
-  core.userManager.signIn(login, password, function (err) {
+  core.userManager.hasAccess('signIn', null, function (err, hasAccess) {
     if (err) return next(new AppError(err));
-    core.responseJson();
+    if (!hasAccess) return core.jsonForbidden();
+
+    var login = core.post.login;
+    var password = core.post.password;
+    core.userManager.signIn(login, password, function (err) {
+      if (err) return next(new AppError(err));
+      core.responseJson();
+    });
   });
 };
 
 UserController.prototype.signOut = function (core, next) {
-  core.userManager.signOut(function (err) {
+  core.userManager.hasAccess('signOut', null, function (err, hasAccess) {
     if (err) return next(new AppError(err));
-    core.responseJson();
+    if (!hasAccess) return core.jsonForbidden();
+
+    if (!core.userManager.isAuthorized()) {
+      return core.forbidden();
+    }
+    core.userManager.signOut(function (err) {
+      if (err) return next(new AppError(err));
+      core.responseJson();
+    });
   });
 };
 

diff --git a/core/BaseManager.js b/core/BaseManager.js
@@ -7,6 +7,7 @@
 
 var util = require('util');
 var _ = require('underscore');
+var AccessManager = require('hm-access-manager');
 
 var AppError = require('../core/AppError');
 var BaseClass = require('../core/BaseClass');
@@ -16,33 +17,29 @@ var BaseManager = function (core, table, Entity) {
   BaseClass.call(this, core);
   this.mysql = this.mysql.assign(table);
   this.Entity = Entity.bind(null, this);
+  this.accessManager = new AccessManager();
 };
 
 util.inherits(BaseManager, BaseClass);
 
 
 BaseManager.prototype.getById = function (id, next) {
+  var self = this;
   this.mysql.one(null, { id: id }, function (err, data) {
     if (err) return next(new AppError(err));
     if (!data) return next(null, null);
-
-    try {
-      next(null, new this.Entity(data, true));
-    } catch (err) { next(new AppError(err)); }
-
-  }.bind(this));
-};
+    next(null, new self.Entity(data, true));
+  });
+};//
 
 BaseManager.prototype.getByFields = function (fields, next) {
+  var self = this;
   this.mysql.one(null, fields, function (err, data) {
     if (err) return next(new AppError(err));
     if (!data) return next(null, null);
+    return next(null, new self.Entity(data));
 
-    try {
-      return next(null, new this.Entity(data));
-    } catch (err) { next(new AppError(err)); }
-
-  }.bind(this));
+  });
 };
 
 BaseManager.prototype.getByField = function (field, value, next) {
@@ -51,5 +48,9 @@ BaseManager.prototype.getByField = function (field, value, next) {
   this.getByFields(fields, next);
 };
 
+BaseManager.prototype.hasAccess = function (action, args, next) {
+  this.accessManager.hasAccess(action, args, next);
+};
+
 
 module.exports = BaseManager;
diff --git a/core/Core.js b/core/Core.js
@@ -73,6 +73,10 @@ Core.prototype.responseHtml = function (html, code) {
   this.res.send(code, html);
 };
 
+Core.prototype.getCurrentUser = function () {
+  return this.userManager.currentUser;
+};
+
 /**
  * @param {Object} data
  * @param {String} template
@@ -90,6 +94,18 @@ Core.prototype.notFound = function (next) {
   mainController.notFound(this, next);
 };
 
+Core.prototype.forbidden = function (next) {
+  mainController.forbidden(this, next);
+};
+
+Core.prototype.jsonForbidden = function () {
+  this.responseJson({
+    result: 0,
+    errorCode: 0,
+    errorMessage: 'Forbidden'
+  }, 403);
+};
+
 Core.prototype.render = function (template, data, next) {
   var tmp = template.split(':');
   template = 'controller/' + tmp[0] + '/tpl/' + tmp[1] + '.jade';