From 42fa08ea979868356e0068177acb62f9b0ab7369 Mon Sep 17 00:00:00 2001 From: EgorKluch Date: Wed, 29 Jan 2014 01:08:03 +0700 Subject: [PATCH 1/8] Prepare access controll Need add AccessControllManager. Managers proxy requests to it. --- app.js | 6 +- controller/main/mainController.js | 17 ++- .../main/tpl/{notFound.jade => error.jade} | 2 +- controller/picture/pictureController.js | 41 +++++-- controller/user/userController.js | 12 ++ core/Core.js | 4 + core/Mysql.js | 103 +++++++----------- model/PictureManager.js | 27 +++++ model/User.js | 3 + model/UserManager.js | 8 +- 10 files changed, 141 insertions(+), 82 deletions(-) rename controller/main/tpl/{notFound.jade => error.jade} (51%) diff --git a/app.js b/app.js index 3eede36..300897e 100644 --- a/app.js +++ b/app.js @@ -36,7 +36,7 @@ if (cluster.isMaster) { app.set('view engine', 'jade'); }); -// Set statics dirs (not handlers) + // Set statics dirs (not handlers) app.use('/js/lib', express.static('public/lib')); app.use('/js', express.static('public/js')); app.use('/css', express.static('public/css')); @@ -79,5 +79,7 @@ if (cluster.isMaster) { }); var server = app.listen(config.port); - console.log('Express started on port ' + config.port); + + console.log('Worker ' + cluster.worker.id + ' is started.'); + console.log('Express started on port with ' + config.port + '.'); } diff --git a/controller/main/mainController.js b/controller/main/mainController.js index 1a4d58f..015caba 100644 --- a/controller/main/mainController.js +++ b/controller/main/mainController.js 
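Review bot: The new startup log in the second app.js hunk reads oddly — `'Express started on port with ' + config.port + '.'` — presumably `console.log('Express started on port ' + config.port + '.');` was intended. The hunk header names `if (cluster.isMaster) {` as the enclosing block, but `cluster.worker` is only defined inside worker processes, so this must be the worker branch; the enclosing `if`/`else` is outside the hunk.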
@@ -28,8 +28,21 @@ MainController.prototype.index = function (core, next) { }; MainController.prototype.notFound = function (core, next) { - var data = { script: 'main/main', style: 'main/style' }; - core.responseHtmlFromTemplate('main:notFound', data, next, 404); + var data = { + script: 'main/main', + style: 'main/style', + message: 'Данной страницы не существует.' + }; + core.responseHtmlFromTemplate('main:error', data, next, 404); +}; + +MainController.prototype.forbidden = function (core, next) { + var data = { + script: 'main/main', + style: 'main/style', + message: 'Доступ к данной странице запрещен.' + }; + core.responseHtmlFromTemplate('main:error', data, next, 403); }; module.exports = MainController; diff --git a/controller/main/tpl/notFound.jade b/controller/main/tpl/error.jade similarity index 51% rename from controller/main/tpl/notFound.jade rename to controller/main/tpl/error.jade index 9987ee0..0889349 100755 --- a/controller/main/tpl/notFound.jade +++ b/controller/main/tpl/error.jade @@ -4,4 +4,4 @@ block title | Страница не найдена block content - | К сожалению, данной страницы не существует. + =message diff --git a/controller/picture/pictureController.js b/controller/picture/pictureController.js index fc78686..57bdece 100644 --- a/controller/picture/pictureController.js +++ b/controller/picture/pictureController.js 
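Review bot: `forbidden` hands `next` straight to `core.responseHtmlFromTemplate`, but several callers added in this same patch invoke it as `core.forbidden()` with no callback (pictureController `upload`/`addPage`, userController `signIn`/`signOut`), so if the template helper reports a render failure through `next` those paths end up calling `undefined`. Either make `next` optional here or have every caller pass it. The two handlers also differ only in message and status code; a private `_renderError(core, next, code, message)` that both call would keep the `script`/`style` pairing in one place. The `=message` in error.jade is escaped output, which is the right choice for these strings.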
@@ -10,30 +10,47 @@ var AppError = require('../../core/AppError'); var PictureController = function () {}; PictureController.prototype.upload = function (core, next) { + if (null === core.userManager.currentUser) { + return core.forbidden(); + } var file = core.files.picture; var pictureId = core.post.pictureId; - core.pictureManager.upload(file, pictureId, function (err, data) { - if (err) next(new AppError(err)); - core.responseJson(data); + this._checkAccessUpload(pictureId, function () { + core.pictureManager.upload(file, pictureId, function (err, data) { + if (err) next(new AppError(err)); + core.responseJson(data); + }); }); }; +PictureController.prototype._checkAccessUpload = function (pictureId, next) { + if (!pictureId) return next(); + this.getById(pictureId, function (picture) { + picture.checkAccess('upload', next); + }) +}; + PictureController.prototype.addPage = function (core, next) { + if (null === core.userManager.currentUser) { + return core.forbidden(); + } var data = { script: 'picture/addPicture', style: 'main/main' }; core.responseHtmlFromTemplate('picture:addPicture', data, next); }; PictureController.prototype.editPage = function (core, next) { var picture = core.req.picture; - - var data = { - script: 'picture/editPicture', - style: 'main/main', - id: picture.id, - title: picture.title, - description: picture.description - }; - core.responseHtmlFromTemplate('picture:editPicture', data, next); + picture.checkAccess('edit', function (err) { + if (err) return next(new AppError(err)); + var data = { + script: 'picture/editPicture', + style: 'main/main', + id: picture.id, + title: picture.title, + description: picture.description + }; + core.responseHtmlFromTemplate('picture:editPicture', data, next); + }); }; diff --git a/controller/user/userController.js b/controller/user/userController.js index 5f3df71..e65b2f0 100644 --- a/controller/user/userController.js +++ b/controller/user/userController.js 
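Review bot: In `upload` the error branch `if (err) next(new AppError(err));` lacks a `return`, so on a failed upload both `next(err)` and `core.responseJson(data)` run; it should read `if (err) return next(new AppError(err));`. The same line survives as context in the pictureController hunks of patches 2 and 5. `_checkAccessUpload` also calls `this.getById` on the controller, whose constructor is the empty `function () {}`, and its callback `function (picture)` drops the error argument that the manager lookups pass first; it then calls `picture.checkAccess('upload', next)` on the entity while this patch defines `checkAccess(action, picture, next)` on PictureManager, so the two halves of the check do not fit together.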
@@ -11,11 +11,17 @@ var AppError = require('../../core/AppError'); var UserController = function () {}; UserController.prototype.signUpPage = function (core, next) { + if (null !== core.userManager.currentUser) { + return core.forbidden(next); + } var data = { script: 'user/signUp', style: 'main/main' }; core.responseHtmlFromTemplate('user:signUp', data, next); }; UserController.prototype.signUp = function (core, next) { + if (null !== core.userManager.currentUser) { + return core.forbidden(next); + } core.userManager.signUp(core.post, function (err) { if (err) return next(new AppError(err)); core.responseJson(); @@ -23,6 +29,9 @@ UserController.prototype.signUp = function (core, next) { }; UserController.prototype.signIn = function (core, next) { + if (null !== core.userManager.currentUser) { + return core.forbidden(); + } var login = core.post.login; var password = core.post.password; core.userManager.signIn(login, password, function (err) { @@ -32,6 +41,9 @@ UserController.prototype.signIn = function (core, next) { }; UserController.prototype.signOut = function (core, next) { + if (null === core.userManager.currentUser) { + return core.forbidden(); + } core.userManager.signOut(function (err) { if (err) return next(new AppError(err)); core.responseJson(); diff --git a/core/Core.js b/core/Core.js index 8f8f45b..8a9e5f5 100644 --- a/core/Core.js +++ b/core/Core.js @@ -90,6 +90,10 @@ Core.prototype.notFound = function (next) { mainController.notFound(this, next); }; +Core.prototype.forbidden = function (next) { + mainController.forbidden(this, next); +}; + Core.prototype.render = function (template, data, next) { var tmp = template.split(':'); template = 'controller/' + tmp[0] + '/tpl/' + tmp[1] + '.jade'; diff --git a/core/Mysql.js b/core/Mysql.js index 2733282..40ef01b 100644 --- a/core/Mysql.js +++ b/core/Mysql.js 
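Review bot: `signIn` and `signOut` answer with `core.responseJson()`, yet their new guards reply through `core.forbidden()`, which renders the HTML error page, and they omit the `next` that `signUpPage`/`signUp` pass — pick one convention and send a JSON 403 on JSON routes. Separately, the context line `core.userManager.signUp(core.post, function (err) {` forwards the whole request body; since `User` carries a `role` field (`hasRole` compares against `this.role` later in this patch), confirm that `signUp` copies only login, email and password so that `role` cannot be set from the request. The body of `signUp` that would show this is outside the hunk.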
@@ -85,26 +85,21 @@ Mysql.prototype.one = function (table, columns, where, next) { * @param {Function} next */ Mysql.prototype.insert = function (table, fields, next) { - try { - var query = 'insert into' + mysql.escapeId(table); + var query = 'insert into' + mysql.escapeId(table); - query += '(' + _.map(fields, function (value, field) { - if (!_.isString(field)) throw new AppError('Field must be a string'); - return mysql.escapeId(field); - }).join(', ') + ')'; + query += '(' + _.map(fields, function (value, field) { + if (!_.isString(field)) throw new AppError('Field must be a string'); + return mysql.escapeId(field); + }).join(', ') + ')'; - query += ' values(' + _.map(fields, function (value) { - return mysql.escape(value); - }).join(', ') + ')'; + query += ' values(' + _.map(fields, function (value) { + return mysql.escape(value); + }).join(', ') + ')'; - this.query(query, function (err, response) { - if (err) return next(new AppError(err)); - next(null, response.insertId); - }); - - } catch (err) { - next(new AppError(err)); - } + this.query(query, function (err, response) { + if (err) return next(new AppError(err)); + next(null, response.insertId); + }); }; Mysql.prototype.resetCache = function () { @@ -120,14 +115,10 @@ Mysql.prototype.resetCache = function () { * @param {Function} next */ Mysql.prototype.update = function (table, where, values, next) { - try { - var query = 'update ' + mysql.escapeId(table); - query += ' set ' + this._getWhereString(values, ','); - query += ' where ' + this._getWhereString(where); - this.query(query, next); - } catch (err) { - next(new AppError(err)); - } + var query = 'update ' + mysql.escapeId(table); + query += ' set ' + this._getWhereString(values, ','); + query += ' where ' + this._getWhereString(where); + this.query(query, next); }; /** 
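Review bot: Dropping the `try`/`catch` in `insert` and `update` changes the error contract: the `throw new AppError('Field must be a string')` inside the `_.map` callback, and anything `_getWhereString` may throw, used to reach the caller via `next(err)` and now propagate synchronously out of the method. Patch 4 in this series removes the route-level `try`/`catch` as well, so these throws are left to express-domain-middleware (listed in package.json) or will take down the worker. If that is the intent, record it with a comment on `insert`, e.g. `// sync throws are left to the domain middleware, not reported via next`; otherwise validate `fields` before the query is built and report through `next(new AppError(...))` instead of throwing.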
@@ -138,49 +129,39 @@ Mysql.prototype.update = function (table, where, values, next) { * @param {Function} next */ Mysql.prototype.del = function (table, where, next) { - try { - var query = 'delete from ' + mysql.escapeId(table); - query += ' where ' + this._getWhereString(where); - this.query(query, next); - - } catch (err) { - next(new AppError(err)); - } + var query = 'delete from ' + mysql.escapeId(table); + query += ' where ' + this._getWhereString(where); + this.query(query, next); }; Mysql.prototype._select = function (table, columns, where, next) { - try { - table = mysql.escapeId(table); - if (where) { - where = ' where ' + this._getWhereString(where); - } else { - where = ''; - } + table = mysql.escapeId(table); + if (where) { + where = ' where ' + this._getWhereString(where); + } else { + where = ''; + } - if (columns === null) { - columns = '*'; - } else { - columns = columns.forEach(function (column) { - return mysql.escapeId(column); - }).join(', '); - } + if (columns === null) { + columns = '*'; + } else { + columns = columns.forEach(function (column) { + return mysql.escapeId(column); + }).join(', '); + } - var query = 'select ' + columns + ' from ' + table + where; + var query = 'select ' + columns + ' from ' + table + where; - if (this.cache[query]) { - return next(null, this.cache[query]); - } - else { - this.query(query, function (err, rows) { - if (err) return new AppError(err); - this.cache[query] = rows; - next(null, rows); - }.bind(this)); - } - - } catch (err) { - next(new AppError(err)); + if (this.cache[query]) { + return next(null, this.cache[query]); + } + else { + this.query(query, function (err, rows) { + if (err) return new AppError(err); + this.cache[query] = rows; + next(null, rows); + }.bind(this)); } }; diff --git a/model/PictureManager.js b/model/PictureManager.js index 879dcf0..85eadd6 100644 --- a/model/PictureManager.js +++ b/model/PictureManager.js 
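Review bot: Two defects on the new side of `_select`, now unprotected by the removed `try`/`catch`: `columns.forEach(...).join(', ')` throws a TypeError because `forEach` returns `undefined` — it should be `columns = _.map(columns, function (column) { return mysql.escapeId(column); }).join(', ');` — and in the query callback `if (err) return new AppError(err);` builds an error and discards it without calling `next`, so a failing query leaves the request hanging; use `if (err) return next(new AppError(err));`. Previously the `catch` at least turned the first one into `next(err)`; now the throw escapes `_select` synchronously. The cache keyed by raw SQL on a plain object predates this patch, but `Object.create(null)` or a `Map` would avoid prototype-key collisions.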
@@ -28,6 +28,33 @@ PictureManager.prototype._getPath = function (filename) { return __dirname + '/../public/img/pictures/' + filename; }; +PictureManager.prototype.checkAccess = function (action, picture, next) { + if (!(picture instanceof Picture)) { + this.getById(picture, function (picture) { + this.checkAccess(action, picture, next); + }.bind(this)); + } + + // action one of [edit, delete, add, view, upload] + + if (picture && 'view' === action) return next(); + + var user = this.core.userManager.currentUser; + + if (null !== user) { + if ('add' === action) return next(); + if ('upload' === action && !picture) return next(); + + // For edit, delete, upload + if (picture && (picture.userId === user.id + || user.hasRole('admin')|| user.hasRole('moder'))) { + return next(); + } + } + + this.core.forbidden(); +}; + PictureManager.prototype.upload = function (file, pictureId, next) { var filename = _.last(file.path.split('/')); diff --git a/model/User.js b/model/User.js index f64fd50..c06fffd 100644 --- a/model/User.js +++ b/model/User.js @@ -26,6 +26,9 @@ var User = function (manager, data) { util.inherits(User, BaseEntity); +User.prototype.hasRole = function (role) { + return role === this.role; +}; User.prototype.getMysqlData = function () { return { diff --git a/model/UserManager.js b/model/UserManager.js index 86676a2..c07a3af 100644 --- a/model/UserManager.js +++ b/model/UserManager.js @@ -37,11 +37,11 @@ UserManager.prototype.initialize = function (next) { }.bind(this)); }; -UserManager.prototype.getUserByLogin = function (login, next) { +UserManager.prototype.getByLogin = function (login, next) { this.getByField('login', login, next); }; -UserManager.prototype.getUserByEmail = function (email, next) { +UserManager.prototype.getByEmail = function (email, next) { this.getByField('email', email, next); }; 
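Review bot: `checkAccess` does not `return` after the `this.getById(...)` branch, so when an id is passed the function continues synchronously with `picture` still holding the id, reaches `this.core.forbidden()`, and then the callback runs the check a second time; the getById callback `function (picture)` also ignores the error argument. `return this.getById(picture, function (err, picture) { ... }.bind(this));` fixes the flow. Having the manager respond with `this.core.forbidden()` itself, rather than reporting the decision to `next`, also ties the policy to HTML responses even for JSON routes; the later patches move to a `hasAccess(action, args, next)` shape that returns the decision, which is the better contract.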
@@ -102,11 +102,11 @@ UserManager.prototype.signOut = function (next) { }; UserManager.prototype._checkUserOnExists = function (login, email, next) { - this.getUserByLogin(login, function (err, userData) { + this.getByLogin(login, function (err, userData) { if (err) return next(new AppError(err)); if (userData) next(new AppError('User with this login already exists', 2)); - this.getUserByEmail(email, function (err, userData) { + this.getByEmail(email, function (err, userData) { if (err) return next(new AppError(err)); if (userData) return next(new AppError('User with this email already exists', 3)); next(); From 2ce4dd3e83046b615493f8e90ddba9a6a7854107 Mon Sep 17 00:00:00 2001 From: EgorKluch Date: Wed, 29 Jan 2014 11:20:45 +0700 Subject: [PATCH 2/8] Add normal access controll system. But not testing work. --- controller/picture/pictureController.js | 79 +++++++++++++++---------- core/BaseManager.js | 38 ++++++++---- core/Core.js | 12 ++++ model/PictureManager.js | 66 ++++++++++++--------- model/User.js | 8 +++ 5 files changed, 134 insertions(+), 69 deletions(-) diff --git a/controller/picture/pictureController.js b/controller/picture/pictureController.js index 57bdece..0697cfd 100644 --- a/controller/picture/pictureController.js +++ b/controller/picture/pictureController.js 
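Review bot: In `_checkUserOnExists`, `if (userData) next(new AppError('User with this login already exists', 2));` is missing a `return`, so after reporting the duplicate login the code still queries by email and can call `next` a second time; it should be `if (userData) return next(new AppError('User with this login already exists', 2));`. `this.getByEmail` is used inside the callback, and whether that callback is `.bind(this)` is outside the hunk — if it is not, `this.getByEmail` is undefined here.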
@@ -10,12 +10,13 @@ var AppError = require('../../core/AppError'); var PictureController = function () {}; PictureController.prototype.upload = function (core, next) { - if (null === core.userManager.currentUser) { - return core.forbidden(); - } - var file = core.files.picture; + var self = this; var pictureId = core.post.pictureId; - this._checkAccessUpload(pictureId, function () { + this.core.pictureManager.hasAccess('upload', pictureId, function (err, hasAccess) { + if (err) return next(new AppError(err)); + if (!hasAccess) return self.core.jsonForbidden(); + + var file = core.files.picture; core.pictureManager.upload(file, pictureId, function (err, data) { if (err) next(new AppError(err)); core.responseJson(data); 
@@ -23,25 +24,24 @@ PictureController.prototype.upload = function (core, next) { }); }; -PictureController.prototype._checkAccessUpload = function (pictureId, next) { - if (!pictureId) return next(); - this.getById(pictureId, function (picture) { - picture.checkAccess('upload', next); - }) -}; - PictureController.prototype.addPage = function (core, next) { - if (null === core.userManager.currentUser) { - return core.forbidden(); - } - var data = { script: 'picture/addPicture', style: 'main/main' }; - core.responseHtmlFromTemplate('picture:addPicture', data, next); + var self = this; + this.core.pictureManager.hasAccess('add', null, function (err, hasAccess) { + if (err) return next(new AppError(err)); + if (!hasAccess) return self.core.forbidden(); + + var data = { script: 'picture/addPicture', style: 'main/main' }; + core.responseHtmlFromTemplate('picture:addPicture', data, next); + }); }; PictureController.prototype.editPage = function (core, next) { + var self = this; var picture = core.req.picture; - picture.checkAccess('edit', function (err) { + this.core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) { if (err) return next(new AppError(err)); + if (!hasAccess) return self.core.forbidden(); + var data = { script: 'picture/editPicture', style: 'main/main', 
@@ -55,29 +55,48 @@ PictureController.prototype.editPage = function (core, next) { PictureController.prototype.add = function (core, next) { - var data = core.post; - data.userId = core.userManager.currentUser.id; - - core.pictureManager.add(data, function (err) { + var self = this; + this.core.pictureManager.hasAccess('add', null, function (err, hasAccess) { if (err) return next(new AppError(err)); - core.responseJson(); + if (!hasAccess) return self.core.jsonForbidden(); + + var data = core.post; + data.userId = core.userManager.currentUser.id; + + core.pictureManager.add(data, function (err) { + if (err) return next(new AppError(err)); + core.responseJson(); + }); }); }; PictureController.prototype.edit = function (core, next) { - var data = core.post; - data.userId = core.userManager.currentUser.id; - - core.pictureManager.edit(core.req.picture, data, function (err) { + var self = this; + var picture = core.req.picture; + this.core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) { if (err) return next(new AppError(err)); - core.responseJson(); + if (!hasAccess) return self.core.jsonForbidden(); + + var data = core.post; + data.userId = core.userManager.currentUser.id; + core.pictureManager.edit(picture, data, function (err) { + if (err) return next(new AppError(err)); + core.responseJson(); + }); }); }; PictureController.prototype.del = function (core, next) { - core.pictureManager.del(core.req.picture, function (err) { + var self = this; + var picture = core.req.picture; + this.core.pictureManager.hasAccess('delete', picture, function (err, hasAccess) { if (err) return next(new AppError(err)); - core.responseJson(); + if (!hasAccess) return self.core.jsonForbidden(); + + core.pictureManager.del(picture, function (err) { + if (err) return next(new AppError(err)); + core.responseJson(); + }); }); }; diff --git a/core/BaseManager.js b/core/BaseManager.js index 2329932..81ef682 100644 --- a/core/BaseManager.js +++ b/core/BaseManager.js 
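Review bot: In `edit`, `data.userId = core.userManager.currentUser.id;` reassigns the picture's owner to whoever edits it, and the `edit`/`delete` handler added in this same commit (PictureManager) grants by `user.id === picture.userId`, so a moderator or admin editing another user's picture silently takes ownership and locks the original owner out; drop that line in `edit` (ownership is set in `add`) or carry `picture.userId` through. Both `add` and `edit` also pass the whole `core.post` object to the manager; whitelisting the accepted fields (title, description) before the call keeps clients from writing other columns, assuming the manager maps `data` to columns directly, which is not visible here. Patch 5 keeps these lines unchanged.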
@@ -16,33 +16,29 @@ var BaseManager = function (core, table, Entity) { BaseClass.call(this, core); this.mysql = this.mysql.assign(table); this.Entity = Entity.bind(null, this); + this.accessHandlers = []; }; util.inherits(BaseManager, BaseClass); BaseManager.prototype.getById = function (id, next) { + var self = this; this.mysql.one(null, { id: id }, function (err, data) { if (err) return next(new AppError(err)); if (!data) return next(null, null); - - try { - next(null, new this.Entity(data, true)); - } catch (err) { next(new AppError(err)); } - - }.bind(this)); -}; + next(null, new self.Entity(data, true)); + }); +};// BaseManager.prototype.getByFields = function (fields, next) { + var self = this; this.mysql.one(null, fields, function (err, data) { if (err) return next(new AppError(err)); if (!data) return next(null, null); + return next(null, new self.Entity(data)); - try { - return next(null, new this.Entity(data)); - } catch (err) { next(new AppError(err)); } - - }.bind(this)); + }); }; BaseManager.prototype.getByField = function (field, value, next) { @@ -51,5 +47,23 @@ BaseManager.prototype.getByField = function (field, value, next) { this.getByFields(fields, next); }; +BaseManager.prototype.addAccessHandler = function (action, handler) { + this.accessHandlers[action] = handler; +}; + +BaseManager.prototype.addAccessHandlers = function (actions, handler) { + var self = this; + actions.forEach(function (action) { + self.addAccessHandler(action, handler); + }); +}; + +BaseManager.prototype.hasAccess = function (action, args, next) { + var handler = this.accessHandlers[action]; + if (undefined === this.accessHandlers[action]) return next(null, false); + if (handler instanceof Function) return handler(handler, args, next); + next(null, !!handler); +}; + module.exports = BaseManager; diff --git a/core/Core.js b/core/Core.js index 8a9e5f5..ea50168 100644 --- a/core/Core.js +++ b/core/Core.js 
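Review bot: `};//` after `getById` leaves a stray empty comment on the closing line; it should be `};`. `this.accessHandlers = []` is then indexed by action name, so it is really a string-keyed map — `{}` (or `Object.create(null)`) says so and avoids array semantics. In `hasAccess` a non-function handler is treated as an allow/deny flag via `!!handler`, which the `'view', true` registration relies on; a short comment on `addAccessHandler` stating that a handler may be either a boolean or a `function (handler, args, next)` would document that contract.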
@@ -73,6 +73,10 @@ Core.prototype.responseHtml = function (html, code) {
 this.res.send(code, html);
 };
+Core.prototype.getCurrentUser = function () {
+ return this.userManager.currentUser;
+};
+
 /**
 * @param {Object} data
 * @param {String} template
@@ -94,6 +98,14 @@ Core.prototype.forbidden = function (next) {
 mainController.forbidden(this, next);
 };
+Core.prototype.jsonForbidden = function () {
+ this.responseJson({
+ result: 0,
+ errorCode: 0,
+ errorMessage: 'Forbidden'
+ }, 403);
+};
+
 Core.prototype.render = function (template, data, next) {
 var tmp = template.split(':');
 template = 'controller/' + tmp[0] + '/tpl/' + tmp[1] + '.jade';
diff --git a/model/PictureManager.js b/model/PictureManager.js
index 85eadd6..8447a2f 100644
--- a/model/PictureManager.js
+++ b/model/PictureManager.js
@@ -16,10 +16,49 @@ var Picture = require('./Picture'); var PictureManager = function (core) { BaseManager.call(this, core, 'picture', Picture); + this._initAccessHandlers(); }; util.inherits(PictureManager, BaseManager); +PictureManager.prototype._initAccessHandlers = function () { + this.addAccessHandler('view', true); + + this.addAccessHandler('upload', function (handler, picture, next) { + if (!(picture instanceof Picture)) { + return this.getById(picture, function (picture) { + handler(handler, picture, next); + }); + } + var user = this.core.getCurrentUser(); + if (null === user) return next(null, false); + if (null === picture) return next(null, true); + if (user.inRoles(['moder', 'admin'])) return next(null, true); + if (user.id === picture.userId) return next(null, true); + return next(null, false); + }.bind(this)); + + this.addAccessHandler('add', function (handler, args, next) { + var user = this.core.getCurrentUser(); + if (null === user) return next(null, false); + if (user.inRoles(['pointer', 'moder', 'admin'])) return next(null, true); + return next(null, false); + }); + + this.addAccessHandlers(['edit', 'delete'], function (handler, picture, next) { + if (!(picture instanceof Picture)) { + return this.getById(picture, function (picture) { + handler(handler, picture, next); + }); + } + var user = this.core.getCurrentUser(); + if (null === user) return next(null, false); + if (user.inRoles(['moder', 'admin'])) return next(null, true); + if (user.id === picture.userId) return next(null, true); + return next(null, false); + }); +}; + PictureManager.prototype._getTmpPath = function (filename) { return __dirname + '/../tmp/img/' + filename; }; 
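Review bot: The `getById` callbacks here are `function (picture)`, but `BaseManager.getById` in this same commit calls `next(null, entity)`, so `picture` receives `null`; in the `upload` handler the next line `if (null === picture) return next(null, true);` then grants the upload of any existing `pictureId` to any signed-in user, and in `edit`/`delete` the owner check reads `picture.userId` on `null`. Use `function (err, picture) { if (err) return next(err); handler(handler, picture, next); }` in both places. The `add` and `edit`/`delete` handlers are also registered without the `.bind(this)` that `upload` has, and `hasAccess` calls them unbound, so `this.core` and `this.getById` are undefined inside them. Patch 3 rewrites this method.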
@@ -28,33 +67,6 @@ PictureManager.prototype._getPath = function (filename) { return __dirname + '/../public/img/pictures/' + filename; }; -PictureManager.prototype.checkAccess = function (action, picture, next) { - if (!(picture instanceof Picture)) { - this.getById(picture, function (picture) { - this.checkAccess(action, picture, next); - }.bind(this)); - } - - // action one of [edit, delete, add, view, upload] - - if (picture && 'view' === action) return next(); - - var user = this.core.userManager.currentUser; - - if (null !== user) { - if ('add' === action) return next(); - if ('upload' === action && !picture) return next(); - - // For edit, delete, upload - if (picture && (picture.userId === user.id - || user.hasRole('admin')|| user.hasRole('moder'))) { - return next(); - } - } - - this.core.forbidden(); -}; - PictureManager.prototype.upload = function (file, pictureId, next) { var filename = _.last(file.path.split('/')); diff --git a/model/User.js b/model/User.js index c06fffd..7f8bce5 100644 --- a/model/User.js +++ b/model/User.js @@ -6,6 +6,7 @@ 'use strict'; var util = require('util'); +var _ = require('underscore'); var BaseEntity = require('../core/BaseEntity'); @@ -30,6 +31,13 @@ User.prototype.hasRole = function (role) { return role === this.role; }; +User.prototype.inRoles = function (roles) { + var self = this; + return !!_.find(roles, function (role) { + return self.hasRole(role); + }); +}; + User.prototype.getMysqlData = function () { return { id: this.id, From 2ae3efc27d5eb23c2fdf32ab74a1a69b8641b05e Mon Sep 17 00:00:00 2001 From: EgorKluch Date: Wed, 29 Jan 2014 15:19:41 +0700 Subject: [PATCH 3/8] Access Manager define as npm module Refactoring --- core/BaseManager.js | 19 +++---------- model/PictureManager.js | 59 ++++++++++++++++++++++++----------------- model/User.js | 7 ++++- package.json | 3 ++- 4 files changed, 45 insertions(+), 43 deletions(-) diff --git a/core/BaseManager.js b/core/BaseManager.js index 81ef682..04316ab 100644 
--- a/core/BaseManager.js +++ b/core/BaseManager.js @@ -7,6 +7,7 @@ var util = require('util'); var _ = require('underscore'); +var AccessManager = require('hm-access-manager'); var AppError = require('../core/AppError'); var BaseClass = require('../core/BaseClass'); @@ -16,7 +17,7 @@ var BaseManager = function (core, table, Entity) { BaseClass.call(this, core); this.mysql = this.mysql.assign(table); this.Entity = Entity.bind(null, this); - this.accessHandlers = []; + this.accessManager = new AccessManager(); }; util.inherits(BaseManager, BaseClass); @@ -47,22 +48,8 @@ BaseManager.prototype.getByField = function (field, value, next) { this.getByFields(fields, next); }; -BaseManager.prototype.addAccessHandler = function (action, handler) { - this.accessHandlers[action] = handler; -}; - -BaseManager.prototype.addAccessHandlers = function (actions, handler) { - var self = this; - actions.forEach(function (action) { - self.addAccessHandler(action, handler); - }); -}; - BaseManager.prototype.hasAccess = function (action, args, next) { - var handler = this.accessHandlers[action]; - if (undefined === this.accessHandlers[action]) return next(null, false); - if (handler instanceof Function) return handler(handler, args, next); - next(null, !!handler); + this.accessManager.hasAccess(action, args, next); }; diff --git a/model/PictureManager.js b/model/PictureManager.js index 8447a2f..31b8e41 100644 --- a/model/PictureManager.js +++ b/model/PictureManager.js 
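Review bot: `hasAccess` now delegates the whole decision to `hm-access-manager` (added at 0.0.1 in package.json), whereas the removed code answered `next(null, false)` for an action with no registered handler. Confirm the package denies unregistered actions and reports handler errors through `next` the same way, or keep an explicit guard in front of the call, since this one line is now the authorization choke point for every manager. A pre-1.0 third-party module taking that role deserves a comment in the constructor, e.g. `// access policy is registered per manager via accessManager.handle(); unregistered actions must deny`, and a review of the package's own default.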
@@ -22,39 +22,48 @@ var PictureManager = function (core) { util.inherits(PictureManager, BaseManager); PictureManager.prototype._initAccessHandlers = function () { - this.addAccessHandler('view', true); + this.accessManager.prepareHandle(function (args, next) { + args.user = this.core.getCurrentUser(); + args.isSuperUser = args.user.inRoles('admin', 'moder'); - this.addAccessHandler('upload', function (handler, picture, next) { - if (!(picture instanceof Picture)) { - return this.getById(picture, function (picture) { - handler(handler, picture, next); - }); + if (!args.picture) return next(null, args); + + if (args.picture instanceof Picture) { + args.isOwnPicture = args.user.id === args.picture.userId; + args.isPointerUser = args.user.hasRole('pointer'); + return next(null, args); } - var user = this.core.getCurrentUser(); - if (null === user) return next(null, false); - if (null === picture) return next(null, true); - if (user.inRoles(['moder', 'admin'])) return next(null, true); - if (user.id === picture.userId) return next(null, true); + + this.getById(args.picture, function (err, picture) { + if (err) return next(err); + + args.picture = picture; + args.isOwnPicture = args.user.id === args.picture.userId; + args.isPointerUser = args.user.hasRole('pointer'); + next(null, args); + }); + }); + + this.accessManager.handle('view', function (action, args, next) { + next(null, true); + }); + + this.accessManager.handle('upload', function (handler, args, next) { + if (!args.user) return next(null, false); + if (!args.picture) return next(null, true); + if (args.isOwnPicture || args.isSuperUser) return next(null, true); return next(null, false); }.bind(this)); - this.addAccessHandler('add', function (handler, args, next) { - var user = this.core.getCurrentUser(); - if (null === user) return next(null, false); - if (user.inRoles(['pointer', 'moder', 'admin'])) return next(null, true); + this.accessManager.handle('add', function (handler, args, next) { + if (!args.user) 
return next(null, false); + if (args.isPointerUser || args.isSuperUser) return next(null, true); return next(null, false); }); - this.addAccessHandlers(['edit', 'delete'], function (handler, picture, next) { - if (!(picture instanceof Picture)) { - return this.getById(picture, function (picture) { - handler(handler, picture, next); - }); - } - var user = this.core.getCurrentUser(); - if (null === user) return next(null, false); - if (user.inRoles(['moder', 'admin'])) return next(null, true); - if (user.id === picture.userId) return next(null, true); + this.accessManager.handle(['edit', 'delete'], function (handler, args, next) { + if (!args.user) return next(null, false); + if (args.isOwnPicture || args.isSuperUser) return next(null, true); return next(null, false); }); }; diff --git a/model/User.js b/model/User.js index 7f8bce5..d4121db 100644 --- a/model/User.js +++ b/model/User.js @@ -31,8 +31,13 @@ User.prototype.hasRole = function (role) { return role === this.role; }; -User.prototype.inRoles = function (roles) { +User.prototype.inRoles = function () { + if (arguments[0] instanceof Array) { + return this.inRoles.apply(this, arguments[0]); + } + var self = this; + var roles = Array.prototype.slice.call(arguments); return !!_.find(roles, function (role) { return self.hasRole(role); }); diff --git a/package.json b/package.json index 40d659a..9eba11a 100644 --- a/package.json +++ b/package.json @@ -20,6 +20,7 @@ "mysql": "~2.0.0-rc1", "connect-multiparty": "1.0.2", "express-params": "0.0.3", - "express-domain-middleware": "0.1.0" + "express-domain-middleware": "0.1.0", + "hm-access-manager": "0.0.1" } } From 916e9211ceea9835dea99e4dac2fc365eee0953c Mon Sep 17 00:00:00 2001 From: EgorKluch Date: Wed, 29 Jan 2014 15:22:01 +0700 Subject: [PATCH 4/8] Delete try block in getRouteHandler --- config/routes.js | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/config/routes.js b/config/routes.js index 97e6ae3..ec0fdb9 100644 --- a/config/routes.js 
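Review bot: The `prepareHandle` callback dereferences `args.user.inRoles('admin', 'moder')` before any null check, so an anonymous request (`currentUser` is `null`, as the earlier guards in this series show) throws a TypeError instead of reaching the handlers' `if (!args.user)` deny; `addPage`/`add` also call `hasAccess('add', null, ...)`, so `args.user = ...` throws on `null` as well. `args.isPointerUser` is only assigned on the picture branches, so the `add` handler, which has no picture, never sees it, and the callback reads `this.core` without the `.bind(this)` that the `upload` handler has. Patch 5 touches model/PictureManager.js, but that hunk is outside this excerpt, so I cannot tell whether it addresses these; the rewritten head of the callback below computes the flags once, null-safely. The `handle` callbacks also name their first parameter `action` in one place and `handler` elsewhere; whichever the package actually passes, use one name.
```javascript
this.accessManager.prepareHandle(function (args, next) {
  args = args || {};
  args.user = this.core.getCurrentUser();
  args.isSuperUser = !!args.user && args.user.inRoles('admin', 'moder');
  args.isPointerUser = !!args.user && args.user.hasRole('pointer');
  args.isOwnPicture = false;
  if (!args.user || !args.picture) return next(null, args);
  if (args.picture instanceof Picture) {
    args.isOwnPicture = args.user.id === args.picture.userId;
    return next(null, args);
  }
  this.getById(args.picture, function (err, picture) {
    if (err) return next(err);
    args.picture = picture;
    args.isOwnPicture = !!picture && args.user.id === picture.userId;
    next(null, args);
  });
}.bind(this));
// … unchanged: handle('view' / 'upload' / 'add' / ['edit', 'delete']) registrations …
```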
+++ b/config/routes.js
@@ -27,11 +27,7 @@ module.exports = function (app) {
 var getRouteHandler = function (context, method) {
 return function (req, res, next) {
- try {
- method.call(context, req.core, next);
- } catch (err) {
- next(new AppError(err));
- }
+ method.call(context, req.core, next);
 }
 };
From 4064652abbb6d9f721a076bc87fd9dd2d38a16b2 Mon Sep 17 00:00:00 2001
From: EgorKluch
Date: Wed, 29 Jan 2014 16:35:27 +0700
Subject: [PATCH 5/8] Fix bugs Picture access control works
---
 controller/main/mainController.js | 6 +++--
 controller/main/tpl/error.jade | 2 +-
 controller/picture/pictureController.js | 30 ++++++++++---------------
 controller/user/userController.js | 8 +++----
 model/PictureManager.js | 27 +++++++++++++++-------
 model/User.js | 4 ++--
 6 files changed, 42 insertions(+), 35 deletions(-)
diff --git a/controller/main/mainController.js b/controller/main/mainController.js
index 015caba..17ee704 100644
--- a/controller/main/mainController.js
+++ b/controller/main/mainController.js
@@ -30,7 +30,8 @@ MainController.prototype.index = function (core, next) {
 MainController.prototype.notFound = function (core, next) {
 var data = {
 script: 'main/main',
- style: 'main/style',
+ style: 'main/main',
+ title: 'Страница не найдена',
 message: 'Данной страницы не существует.'
 };
 core.responseHtmlFromTemplate('main:error', data, next, 404);
@@ -39,7 +40,8 @@ MainController.prototype.notFound = function (core, next) {
 MainController.prototype.forbidden = function (core, next) {
 var data = {
 script: 'main/main',
- style: 'main/style',
+ style: 'main/main',
+ title: 'Ошибка доступа',
 message: 'Доступ к данной странице запрещен.'
 };
 core.responseHtmlFromTemplate('main:error', data, next, 403);
diff --git a/controller/main/tpl/error.jade b/controller/main/tpl/error.jade
index 0889349..39bc339 100755
--- a/controller/main/tpl/error.jade
+++ b/controller/main/tpl/error.jade
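Review bot: With the `try`/`catch` gone from `getRouteHandler`, a synchronous throw inside a controller method no longer becomes `next(new AppError(err))`; patch 1 in this series removed the same protection from Mysql `insert`/`update`/`del`/`_select`, so for example the `AppError` thrown by the field check in `insert` now escapes the route entirely. Presumably express-domain-middleware (in package.json) is meant to catch it — confirm it is mounted ahead of these routes and itself forwards to the error handler, otherwise the throw crashes the worker. A one-line comment on the handler, `// sync throws are caught by express-domain-middleware, not here`, would record that decision for the next reader.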
@@ -1,7 +1,7 @@ extends block/base block title - | Страница не найдена + =title block content =message diff --git a/controller/picture/pictureController.js b/controller/picture/pictureController.js index 0697cfd..58a77e6 100644 --- a/controller/picture/pictureController.js +++ b/controller/picture/pictureController.js @@ -10,11 +10,10 @@ var AppError = require('../../core/AppError'); var PictureController = function () {}; PictureController.prototype.upload = function (core, next) { - var self = this; var pictureId = core.post.pictureId; - this.core.pictureManager.hasAccess('upload', pictureId, function (err, hasAccess) { + core.pictureManager.hasAccess('upload', pictureId, function (err, hasAccess) { if (err) return next(new AppError(err)); - if (!hasAccess) return self.core.jsonForbidden(); + if (!hasAccess) return core.jsonForbidden(); var file = core.files.picture; core.pictureManager.upload(file, pictureId, function (err, data) { @@ -25,10 +24,9 @@ PictureController.prototype.upload = function (core, next) { }; PictureController.prototype.addPage = function (core, next) { - var self = this; - this.core.pictureManager.hasAccess('add', null, function (err, hasAccess) { + core.pictureManager.hasAccess('add', null, function (err, hasAccess) { if (err) return next(new AppError(err)); - if (!hasAccess) return self.core.forbidden(); + if (!hasAccess) return core.forbidden(); var data = { script: 'picture/addPicture', style: 'main/main' }; core.responseHtmlFromTemplate('picture:addPicture', data, next); 
@@ -36,11 +34,10 @@ PictureController.prototype.addPage = function (core, next) {
 };
 PictureController.prototype.editPage = function (core, next) {
- var self = this;
 var picture = core.req.picture;
- this.core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) {
+ core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- if (!hasAccess) return self.core.forbidden();
+ if (!hasAccess) return core.forbidden();
 var data = {
 script: 'picture/editPicture',
@@ -55,10 +52,9 @@ PictureController.prototype.editPage = function (core, next) {
 PictureController.prototype.add = function (core, next) {
- var self = this;
- this.core.pictureManager.hasAccess('add', null, function (err, hasAccess) {
+ core.pictureManager.hasAccess('add', null, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- if (!hasAccess) return self.core.jsonForbidden();
+ if (!hasAccess) return core.jsonForbidden();
 var data = core.post;
 data.userId = core.userManager.currentUser.id;
@@ -71,11 +67,10 @@ PictureController.prototype.add = function (core, next) {
 };
 PictureController.prototype.edit = function (core, next) {
- var self = this;
 var picture = core.req.picture;
- this.core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) {
+ core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- if (!hasAccess) return self.core.jsonForbidden();
+ if (!hasAccess) return core.jsonForbidden();
 var data = core.post;
 data.userId = core.userManager.currentUser.id;
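Review bot: In the `edit` hunk, `data.userId = core.userManager.currentUser.id;` runs after an access check that, judging by the `isSuperUser` flag PictureManager prepares, may admit admins and moderators as well as the owner; when a super user edits someone else's picture this line reassigns the picture to the editor. The edit path should keep the existing owner, e.g. `data.userId = picture.userId;`, and leave the current-user assignment to `add`, where it is correct. Also, `var data = core.post;` hands the entire request body to the manager, so every column the manager writes is client-controlled unless it whitelists fields; a comment naming the keys `pictureManager.edit` accepts would make that contract visible. Both function bodies continue past the hunk.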
@@ -87,11 +82,10 @@ PictureController.prototype.edit = function (core, next) {
 };
 PictureController.prototype.del = function (core, next) {
- var self = this;
 var picture = core.req.picture;
- this.core.pictureManager.hasAccess('delete', picture, function (err, hasAccess) {
+ core.pictureManager.hasAccess('delete', picture, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- if (!hasAccess) return self.core.jsonForbidden();
+ if (!hasAccess) return core.jsonForbidden();
 core.pictureManager.del(picture, function (err) {
 if (err) return next(new AppError(err));
diff --git a/controller/user/userController.js b/controller/user/userController.js
index e65b2f0..b35cee8 100644
--- a/controller/user/userController.js
+++ b/controller/user/userController.js
@@ -11,7 +11,7 @@ var AppError = require('../../core/AppError');
 var UserController = function () {};
 UserController.prototype.signUpPage = function (core, next) {
- if (null !== core.userManager.currentUser) {
+ if (core.userManager.isAuthorized()) {
 return core.forbidden(next);
 }
 var data = { script: 'user/signUp', style: 'main/main' };
@@ -19,7 +19,7 @@ UserController.prototype.signUpPage = function (core, next) {
 };
 UserController.prototype.signUp = function (core, next) {
- if (null !== core.userManager.currentUser) {
+ if (core.userManager.isAuthorized()) {
 return core.forbidden(next);
 }
 core.userManager.signUp(core.post, function (err) {
@@ -29,7 +29,7 @@ UserController.prototype.signUp = function (core, next) {
 };
 UserController.prototype.signIn = function (core, next) {
- if (null !== core.userManager.currentUser) {
+ if (core.userManager.isAuthorized()) {
 return core.forbidden();
 }
 var login = core.post.login;
@@ -41,7 +41,7 @@ UserController.prototype.signIn = function (core, next) {
 };
 UserController.prototype.signOut = function (core, next) {
- if (null === core.userManager.currentUser) {
+ if (!core.userManager.isAuthorized()) {
 return core.forbidden();
 }
 core.userManager.signOut(function (err) {
diff --git a/model/PictureManager.js b/model/PictureManager.js
index 31b8e41..d42c4d4 100644
--- a/model/PictureManager.js
+++ b/model/PictureManager.js
@@ -22,24 +22,34 @@ var PictureManager = function (core) {
 util.inherits(PictureManager, BaseManager);
 PictureManager.prototype._initAccessHandlers = function () {
- this.accessManager.prepareHandle(function (args, next) {
- args.user = this.core.getCurrentUser();
- args.isSuperUser = args.user.inRoles('admin', 'moder');
+ var self = this;
+
+ var initUserArgs = function (args) {
+ if (!args.user) return;
+ args.isOwnPicture = args.user.id === args.picture.userId;
+ args.isPointerUser = args.user.hasRole('pointer');
+ };
+
+ this.accessManager.prepareHandle(function (action, args, next) {
+ if (!args) args = {};
+
+ args.user = self.core.getCurrentUser();
+ if (args.user) {
+ args.isSuperUser = args.user.inRoles('admin', 'moder');
+ }
 if (!args.picture) return next(null, args);
 if (args.picture instanceof Picture) {
- args.isOwnPicture = args.user.id === args.picture.userId;
- args.isPointerUser = args.user.hasRole('pointer');
+ initUserArgs(args);
 return next(null, args);
 }
- this.getById(args.picture, function (err, picture) {
+ self.getById(args.picture, function (err, picture) {
 if (err) return next(err);
 args.picture = picture;
- args.isOwnPicture = args.user.id === args.picture.userId;
- args.isPointerUser = args.user.hasRole('pointer');
+ initUserArgs(args);
 next(null, args);
 });
 });
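Review bot: `args.isPointerUser` is only computed inside `initUserArgs`, which runs after the `if (!args.picture) return next(null, args);` early return, so for actions invoked without a picture, such as `hasAccess('add', null, ...)` in pictureController, the flag is never set and the `add` handler in the next hunk (`if (args.isPointerUser || args.isSuperUser)`) denies pointer users. Move `args.isPointerUser = args.user.hasRole('pointer');` into the `if (args.user)` block next to `isSuperUser` and keep only `isOwnPicture` in `initUserArgs`. Separately, the `getById` callback assigns `args.picture = picture` without checking for a missing row; with an unknown id (for `upload` it comes from the request body) and a logged-in user, `initUserArgs` then throws on `args.picture.userId`, so add `if (!picture) return next(new Error('picture not found'));` before the assignment, using whatever error type the access layer expects. The handler registrations continue past the hunk.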
@@ -56,6 +66,7 @@ PictureManager.prototype._initAccessHandlers = function () {
 }.bind(this));
 this.accessManager.handle('add', function (handler, args, next) {
+ console.log(args);
 if (!args.user) return next(null, false);
 if (args.isPointerUser || args.isSuperUser) return next(null, true);
 return next(null, false);
diff --git a/model/User.js b/model/User.js
index d4121db..61396c4 100644
--- a/model/User.js
+++ b/model/User.js
@@ -20,7 +20,7 @@ var User = function (manager, data) {
 this.login = data.login;
 this.password = data.password;
 this.email = data.email;
- this.role = data.role;
+ this.roles = data.roles.split('|');
 this.name = data.name;
 this.secondName = data.second_name;
 };
@@ -28,7 +28,7 @@ var User = function (manager, data) {
 util.inherits(User, BaseEntity);
 User.prototype.hasRole = function (role) {
- return role === this.role;
+ return this.roles.indexOf(role) !== -1;
 };
 User.prototype.inRoles = function () {
From 2dbc9b24ce74eb978c315e5f939cb47f05ba78c5 Mon Sep 17 00:00:00 2001
From: EgorKluch
Date: Wed, 29 Jan 2014 16:37:06 +0700
Subject: [PATCH 6/8] JsHint validate success
---
 app.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app.js b/app.js
index 300897e..d5457a4 100644
--- a/app.js
+++ b/app.js
@@ -25,6 +25,8 @@ if (cluster.isMaster) {
 var app = express();
 var params = require('express-params');
 var expressDomain = require('express-domain-middleware');
+ var server;
+
 params.extend(app);
 var AppError = require('./core/AppError');
@@ -78,7 +80,7 @@ if (cluster.isMaster) {
 res.json(err.status, err.getData());
 });
- var server = app.listen(config.port);
+ server = app.listen(config.port);
 console.log('Worker ' + cluster.worker.id + ' is started.');
 console.log('Express started on port with ' + config.port + '.');
From 8c48ecdb0c6e6d5405c903250231e65bbb67c30d Mon Sep 17 00:00:00 2001
From: EgorKluch
Date: Wed, 29 Jan 2014 17:01:53 +0700
Subject: [PATCH 7/8] Add works user access control.
---
 controller/picture/pictureController.js | 8 +-- controller/user/userController.js | 55 +++++++++++-------- model/UserManager.js | 72 +++++++++++++++++-------- 3 files changed, 86 insertions(+), 49 deletions(-)
diff --git a/controller/picture/pictureController.js b/controller/picture/pictureController.js
index 58a77e6..4ccd01e 100644
--- a/controller/picture/pictureController.js
+++ b/controller/picture/pictureController.js
@@ -11,7 +11,7 @@ var PictureController = function () {};
 PictureController.prototype.upload = function (core, next) {
 var pictureId = core.post.pictureId;
- core.pictureManager.hasAccess('upload', pictureId, function (err, hasAccess) {
+ core.pictureManager.hasAccess('upload', { picture: pictureId }, function (err, hasAccess) {
 if (err) return next(new AppError(err));
 if (!hasAccess) return core.jsonForbidden();
@@ -35,7 +35,7 @@ PictureController.prototype.addPage = function (core, next) {
 PictureController.prototype.editPage = function (core, next) {
 var picture = core.req.picture;
- core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) {
+ core.pictureManager.hasAccess('edit', { picture: picture }, function (err, hasAccess) {
 if (err) return next(new AppError(err));
 if (!hasAccess) return core.forbidden();
@@ -68,7 +68,7 @@ PictureController.prototype.add = function (core, next) {
 PictureController.prototype.edit = function (core, next) {
 var picture = core.req.picture;
- core.pictureManager.hasAccess('edit', picture, function (err, hasAccess) {
+ core.pictureManager.hasAccess('edit', { picture: picture }, function (err, hasAccess) {
 if (err) return next(new AppError(err));
 if (!hasAccess) return core.jsonForbidden();
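Review bot: In the `upload` hunk, `pictureId` comes straight from `core.post.pictureId`, and PictureManager's prepare handler returns early when `args.picture` is falsy, so a request with no `pictureId` (or `0`) reaches the `upload` access handler with no picture resolved and `isOwnPicture` undefined; whether that denies or admits depends on the `upload` handler, which is not in this series. A guard before the check, `if (!pictureId) return core.jsonForbidden();` (or a 400 response), makes the outcome explicit rather than dependent on handler defaults. The function body continues past the hunk.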
@@ -83,7 +83,7 @@ PictureController.prototype.edit = function (core, next) {
 PictureController.prototype.del = function (core, next) {
 var picture = core.req.picture;
- core.pictureManager.hasAccess('delete', picture, function (err, hasAccess) {
+ core.pictureManager.hasAccess('delete', { picture: picture }, function (err, hasAccess) {
 if (err) return next(new AppError(err));
 if (!hasAccess) return core.jsonForbidden();
diff --git a/controller/user/userController.js b/controller/user/userController.js
index b35cee8..1a5698a 100644
--- a/controller/user/userController.js
+++ b/controller/user/userController.js
@@ -11,42 +11,53 @@ var AppError = require('../../core/AppError');
 var UserController = function () {};
 UserController.prototype.signUpPage = function (core, next) {
- if (core.userManager.isAuthorized()) {
- return core.forbidden(next);
- }
- var data = { script: 'user/signUp', style: 'main/main' };
- core.responseHtmlFromTemplate('user:signUp', data, next);
+ core.userManager.hasAccess('signUp', null, function (err, hasAccess) {
+ if (err) return next(new AppError(err));
+ if (!hasAccess) return core.forbidden();
+
+ var data = { script: 'user/signUp', style: 'main/main' };
+ core.responseHtmlFromTemplate('user:signUp', data, next);
+ });
 };
 UserController.prototype.signUp = function (core, next) {
- if (core.userManager.isAuthorized()) {
- return core.forbidden(next);
- }
- core.userManager.signUp(core.post, function (err) {
+ core.userManager.hasAccess('signUp', null, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- core.responseJson();
+ if (!hasAccess) return core.jsonForbidden();
+
+ core.userManager.signUp(core.post, function (err) {
+ if (err) return next(new AppError(err));
+ core.responseJson();
+ });
 });
 };
 UserController.prototype.signIn = function (core, next) {
- if (core.userManager.isAuthorized()) {
- return core.forbidden();
- }
- var login = core.post.login;
- var password = core.post.password;
- core.userManager.signIn(login, password, function (err) {
+ core.userManager.hasAccess('signIn', null, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- core.responseJson();
+ if (!hasAccess) return core.jsonForbidden();
+
+ var login = core.post.login;
+ var password = core.post.password;
+ core.userManager.signIn(login, password, function (err) {
+ if (err) return next(new AppError(err));
+ core.responseJson();
+ });
 });
 };
 UserController.prototype.signOut = function (core, next) {
- if (!core.userManager.isAuthorized()) {
- return core.forbidden();
- }
- core.userManager.signOut(function (err) {
+ core.userManager.hasAccess('signOut', null, function (err, hasAccess) {
 if (err) return next(new AppError(err));
- core.responseJson();
+ if (!hasAccess) return core.jsonForbidden();
+
+ if (!core.userManager.isAuthorized()) {
+ return core.forbidden();
+ }
+ core.userManager.signOut(function (err) {
+ if (err) return next(new AppError(err));
+ core.responseJson();
+ });
 });
 };
diff --git a/model/UserManager.js b/model/UserManager.js
index c07a3af..dc668c2 100644
--- a/model/UserManager.js
+++ b/model/UserManager.js
@@ -15,11 +15,43 @@ var User = require('./User');
 var UserManager = function (core) {
 BaseManager.call(this, core, 'user', User);
+ this._initAccessHandlers();
 };
 util.inherits(UserManager, BaseManager);
+UserManager.prototype._initAccessHandlers = function () {
+ var self = this;
+ this.accessManager.prepareHandle(function (action, args, next) {
+ if (!args) args = {};
+ args.currentUser = self.core.getCurrentUser();
+ if (args.user) {
+ args.isSuperUser = args.currentUser.inRoles('admin', 'moder');
+ }
+ if (!args.user) args.user = args.currentUser;
+ next(null, args);
+ });
+
+ this.accessManager.handle(['signIn', 'signUp'], function (action, args, next) {
+ next(null, !args.currentUser);
+ });
+
+ this.accessManager.handle('signOut', function (action, args, next) {
+ next(null, args.currentUser);
+ });
+
+ this.accessManager.handle(['edit', 'delete'], function (action, args, next) {
+ if (!args.currentUser) return next(null, false);
+ if (args.isSuperUser || args.currentUser.id === args.user.id) {
+ return next(null, true);
+ }
+ return next(null, false);
+ });
+};
+
 UserManager.prototype.initialize = function (next) {
+ var self = this;
+
 var token = this.session.token;
 if (!token) return next();
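Review bot: In `signOut`, the `if (!core.userManager.isAuthorized()) { return core.forbidden(); }` block kept after the `hasAccess('signOut', ...)` check repeats the decision the manager's `signOut` handler just made (it answers with `args.currentUser`), and it responds with the HTML `forbidden()` page from a JSON endpoint that two lines earlier uses `jsonForbidden()`. Drop the three lines, or if a second check is intentional, make it `if (!core.userManager.isAuthorized()) return core.jsonForbidden();` for consistency with `signUp` and `signIn`. `signUpPage` is the only one of the four that keeps the HTML `core.forbidden()`, which fits it being a page route.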
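Review bot: In the prepare handler, `args.isSuperUser = args.currentUser.inRoles('admin', 'moder')` runs whenever `args.user` is supplied, but `args.currentUser` is whatever `getCurrentUser()` returns for an anonymous visitor (null elsewhere in this series), so an `edit`/`delete` check on a given user from a logged-out session throws a TypeError instead of answering false. Guard on the current user instead: `if (args.currentUser) args.isSuperUser = args.currentUser.inRoles('admin', 'moder');`. Also, the `signOut` handler passes `args.currentUser` (a User object or null) where the other handlers pass a boolean; `next(null, !!args.currentUser);` keeps the `hasAccess` result a boolean for callers that compare strictly. The `initialize` body continues past the hunk.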
@@ -27,14 +59,14 @@ UserManager.prototype.initialize = function (next) {
 if (err) return next(new AppError(err));
 if (!userData) {
- this.session.token = null;
- this.currentUser = null;
+ self.session.token = null;
+ self.currentUser = null;
 return next(null);
 }
- this.currentUser = new this.Entity(userData);
+ self.currentUser = new self.Entity(userData);
 next(null);
- }.bind(this));
+ });
 };
 UserManager.prototype.getByLogin = function (login, next) {
@@ -50,9 +82,7 @@ UserManager.prototype.isAuthorized = function () {
 };
 UserManager.prototype.signIn = function (login, password, next) {
- if (this.isAuthorized()) {
- return next(new AppError('User already login', 1));
- }
+ var self = this;
 password = this._getHashedPassword(password);
 var data = {
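Review bot: Removing `if (this.isAuthorized()) { return next(new AppError('User already login', 1)); }` from `signIn` leaves the controller's `hasAccess('signIn', ...)` call as the only guard, so any other caller of `signIn` (including `signUp`, which calls it directly) and any future route that forgets the check can replace an active session's token. If the manager is meant to trust its callers, say so above the function, e.g. `// Authorization is the caller's job: check hasAccess('signIn') before calling.`; otherwise keep the guard as defense in depth. The `signIn` body continues in the next hunk.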
@@ -61,39 +91,35 @@ UserManager.prototype.signIn = function (login, password, next) {
 };
 this.mysql.one(data, function (err, userData) {
 if (err) return next(new AppError(err));
-
- if (!userData) return next(new AppError('Wrong login or password', 2));
+ if (!userData) return next(new AppError('Wrong login or password', 1));
 var id = userData.id;
- this._createToken(function (err, token) {
+ self._createToken(function (err, token) {
 if (err) return next(new AppError(err));
- this.session.token = token;
- this.mysql.update({ id: id }, { token: token }, next);
- }.bind(this));
- }.bind(this));
+ self.session.token = token;
+ self.mysql.update({ id: id }, { token: token }, next);
+ });
+ });
 };
 UserManager.prototype.signUp = function (data, next) {
- if (this.isAuthorized()) return next(new AppError('User already login', 1));
+ var self = this;
 var user = new this.Entity(data);
 user.password = this._getHashedPassword(user.password);
 this._checkUserOnExists(user.login, user.email, function (err) {
 if (err) return next(new AppError(err));
-
 this._createToken(function (err, token) {
 if (err) return next(new AppError(err));
 user.token = token;
-
 this.mysql.insert(user.getMysqlData(), function (err) {
 if (err) return next(new AppError(err));
-
- this.signIn(user.login, data.password, next);
- }.bind(this));
- }.bind(this));
- }.bind(this));
+ self.signIn(user.login, data.password, next);
+ });
+ });
+ });
 };
 UserManager.prototype.signOut = function (next) {
@@ -111,7 +137,7 @@ UserManager.prototype._checkUserOnExists = function (login, email, next) {
 if (userData) return next(new AppError('User with this email already exists', 3));
 next();
 });
- }.bind(this));
+ });
 };
 UserManager.prototype._createToken = function (next) {
From ffca1cbb8c79ac43c5bdda1d7c75dfc950a58a4d Mon Sep 17 00:00:00 2001
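Review bot: The error code for 'Wrong login or password' changes from 2 to 1 in this hunk while 'User with this login already exists' stays 2 and the email variant stays 3, so any client branching on the numeric code needs checking (the coffee controllers in this series only read `errorMessage`, so they may be unaffected). In `signUp`, `_createToken` stores a token with the insert and `self.signIn(...)` immediately creates and stores a second one, so the first is dead work; either pass the created token through or let `signUp` skip token creation, and document the chosen flow in a comment above `signUp`. The `signUp` callbacks still refer to `this._createToken` and `this.mysql.insert` inside plain functions after the `.bind(this)` removals, which the last patch in this series corrects.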
From: EgorKluch
Date: Wed, 29 Jan 2014 17:23:59 +0700
Subject: [PATCH 8/8] Add usability behavior on signUp, signOut
---
 controller/user/js/controller/signIn.coffee | 2 +- controller/user/js/controller/signUp.coffee | 2 +- model/PictureManager.js | 1 - model/User.js | 4 ++-- model/UserManager.js | 9 ++++----- 5 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/controller/user/js/controller/signIn.coffee b/controller/user/js/controller/signIn.coffee
index 9d5544f..cfe5689 100644
--- a/controller/user/js/controller/signIn.coffee
+++ b/controller/user/js/controller/signIn.coffee
@@ -21,7 +21,7 @@ window.app.controller 'SignInCtrl', ['$scope', '$http', ($scope, $http)->
 $http.post('/signOut', $scope.user)
 .success (response)->
 return console.error response.errorMessage if response.error
- location.reload()
+ location.href = '/'
 .error (response)->
 console.error response
 ]
diff --git a/controller/user/js/controller/signUp.coffee b/controller/user/js/controller/signUp.coffee
index a2f1870..74ac828 100644
--- a/controller/user/js/controller/signUp.coffee
+++ b/controller/user/js/controller/signUp.coffee
@@ -22,7 +22,7 @@ window.app.controller 'SignUpCtrl', ['$scope', '$http', (s, $http)->
 $http.post('/signUp', s.user)
 .success (response)->
 return console.error response.errorMessage if response.error
- location.reload()
+ window.history.back();
 .error (response)->
 console.error response
 ]
diff --git a/model/PictureManager.js b/model/PictureManager.js
index d42c4d4..15ece4f 100644
--- a/model/PictureManager.js
+++ b/model/PictureManager.js
@@ -66,7 +66,6 @@ PictureManager.prototype._initAccessHandlers = function () {
 }.bind(this));
 this.accessManager.handle('add', function (handler, args, next) {
- console.log(args);
 if (!args.user) return next(null, false);
 if (args.isPointerUser || args.isSuperUser) return next(null, true);
 return next(null, false);
diff --git a/model/User.js b/model/User.js
index 61396c4..4f777cf 100644
--- a/model/User.js
+++ b/model/User.js
@@ -20,7 +20,7 @@ var User = function (manager, data) {
 this.login = data.login;
 this.password = data.password;
 this.email = data.email;
- this.roles = data.roles.split('|');
+ this.roles = data.roles ? data.roles.split('|') : 'user';
 this.name = data.name;
 this.secondName = data.second_name;
 };
@@ -50,7 +50,7 @@ User.prototype.getMysqlData = function () {
 login: this.login,
 password: this.password,
 email: this.email,
- role: this.role,
+ roles: this.roles,
 name: this.name,
 second_name: this.secondName
 };
diff --git a/model/UserManager.js b/model/UserManager.js
index dc668c2..64cd08c 100644
--- a/model/UserManager.js
+++ b/model/UserManager.js
@@ -83,7 +83,6 @@ UserManager.prototype.isAuthorized = function () {
 UserManager.prototype.signIn = function (login, password, next) {
 var self = this;
- password = this._getHashedPassword(password);
 var data = {
 login: login,
@@ -104,17 +103,16 @@ UserManager.prototype.signIn = function (login, password, next) {
 UserManager.prototype.signUp = function (data, next) {
 var self = this;
-
 var user = new this.Entity(data);
 user.password = this._getHashedPassword(user.password);
 this._checkUserOnExists(user.login, user.email, function (err) {
 if (err) return next(new AppError(err));
- this._createToken(function (err, token) {
+ self._createToken(function (err, token) {
 if (err) return next(new AppError(err));
 user.token = token;
- this.mysql.insert(user.getMysqlData(), function (err) {
+ self.mysql.insert(user.getMysqlData(), function (err) {
 if (err) return next(new AppError(err));
 self.signIn(user.login, data.password, next);
 });
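Review bot: `this.roles = data.roles ? data.roles.split('|') : 'user'` gives `roles` two types, an array when the column is set and the string `'user'` otherwise, and `hasRole` in the same file (`this.roles.indexOf(role) !== -1`) then does substring matching on the string, so `hasRole('use')` is true for a default user. Use `['user']` for the default, and in `getMysqlData` serialize symmetrically with `roles: this.roles.join('|')` so the column stores what the constructor parses. More importantly, `signUp` in UserManager builds the entity from the request body (`new this.Entity(data)`, where `data` is `core.post` from the controller) and `getMysqlData` now persists `roles`, so a registration request can supply its own `roles` value; `signUp` should overwrite it server-side before the insert, e.g. `user.roles = ['user'];`, since the constructor also has to accept rows loaded from the database.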
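Review bot: The `-` before `password = this._getHashedPassword(password);` in the `signIn` hunk is ambiguous in this collapsed rendering: if it is a removed blank line (as in the `signUp` hunk below, which removes the blank after `var self = this;`), nothing changes; if the hashing line itself was removed, `signIn` now queries MySQL with the raw password while `signUp` still stores `_getHashedPassword(user.password)`, and no login could succeed. Worth confirming against the actual patch, since the diffstat (4 insertions, 5 deletions) fits either reading. If the line stays, a comment such as `// Lookup compares the hash; signUp stores _getHashedPassword(user.password)` above the query would make the pairing explicit.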
@@ -128,11 +126,12 @@ UserManager.prototype.signOut = function (next) {
 };
 UserManager.prototype._checkUserOnExists = function (login, email, next) {
+ var self = this;
 this.getByLogin(login, function (err, userData) {
 if (err) return next(new AppError(err));
 if (userData) next(new AppError('User with this login already exists', 2));
- this.getByEmail(email, function (err, userData) {
+ self.getByEmail(email, function (err, userData) {
 if (err) return next(new AppError(err));
 if (userData) return next(new AppError('User with this email already exists', 3));
 next();
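Review bot: `if (userData) next(new AppError('User with this login already exists', 2));` in the login branch has no `return`, so when the login is taken the callback fires with the error and execution continues into `self.getByEmail`, which calls `next` a second time; in `signUp` that second call (with no error when the email is free) proceeds to `_createToken` and `mysql.insert`, registering the duplicate login anyway. Make it `if (userData) return next(new AppError('User with this login already exists', 2));`, matching the email branch two lines below. The function's closing lines are outside the hunk.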