basic access control

author: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> 2013-03-25 23:11:53 +0200
committer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> 2013-03-25 23:13:12 +0200
commit: c832941ab3abff5d1ea826ac8a5ad36c6cb4006d (patch)
tree: 1ef9c55fbbaf5a779d70da0be4f0686763c40bbe /server.lua
parent: f4c5db6fb7d128ba5ed9c2078524f65ae7cce3d3 (diff)
download: acf2-c832941ab3abff5d1ea826ac8a5ad36c6cb4006d.tar.bz2
acf2-c832941ab3abff5d1ea826ac8a5ad36c6cb4006d.tar.xz
1 files changed, 54 insertions, 17 deletions
diff --git a/server.lua b/server.lua
index 43a6a09..c4f3fa4 100644
--- a/server.lua
+++ b/server.lua
@@ -4,6 +4,7 @@ See LICENSE file for license details
 --]]
 
 require 'acf'
+local mnode = acf.model.node
 local isinstance = acf.object.isinstance
 
 require 'json'
@@ -122,22 +123,31 @@ return function(env)
 		      local obj = txn:search(path)
 		      local res
 
-		      if isinstance(obj, acf.model.node.TreeNode) then
-			 local node = {}
-			 for k, v in acf.model.node.pairs(obj) do
-			    node[k] = isinstance(
-			       v,
-			       acf.model.node.TreeNode
-			    ) and acf.model.node.path(v) or v
+		      if isinstance(obj, mnode.TreeNode) then
+			 if not mnode.has_permission(obj, user, 'read') then
+			    return 403
 			 end
-			 res = {data=node, meta=acf.model.node.meta(obj)}
 
-		      else
-			 res = {
-			    data=obj,
-			    meta=acf.model.node.mmeta(parent, name)
-			 }
-		      end
+			 local node = {}
+			 for k, v in mnode.pairs(obj) do
+			    local readable = true
+			    
+			    if isinstance(v, mnode.TreeNode) then
+			       readable = mnode.has_permission(
+				  v,
+				  user,
+				  'read'
+			       )
+			       v = mnode.path(v)
+			    end
+			    
+			    if readable then node[k] = v end
+			 end
+			 res = {data=node, meta=mnode.meta(obj)}
+		   
+		      elseif mnode.has_permission(parent, user, 'read') then
+			 res = {data=obj, meta=mnode.mmeta(parent, name)}
+		      else return 403 end
 
 		      return 200, nil, res
 		   end
@@ -149,11 +159,38 @@ return function(env)
 			 return 405
 		      end
 
+		      if not mnode.has_permission(obj, user, 'create') then
+			 return 403
+		      end
+
 		      acf.model.set.add(obj, data)
 
-		   elseif method == 'DELETE' then parent[name] = nil
-		   elseif method == 'PUT' then parent[name] = data
-		   else return 405 end
+		   else
+		      local obj = parent[name]
+		      if obj ~= nil and not isinstance(obj, mnode.TreeNode) then
+			 obj = parent
+		      end
+
+		      if method == 'DELETE' then
+			 if obj == nil then return 404 end
+			 if not mnode.has_permission(obj, user, 'delete') then
+			    return 403
+			 end
+			 parent[name] = nil
+
+		      elseif method == 'PUT' then
+			 local permission = 'modify'
+			 if obj == nil then
+			    obj = parent
+			    permission = 'create'
+			 end
+			 if not mnode.has_permission(obj, user, permission) then
+			    return 403
+			 end
+			 parent[name] = data
+			 
+		      else return 405 end
+		   end
 		   
 		   txn:commit()
 		   return 205
author	Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>	2013-03-25 23:11:53 +0200
committer	Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>	2013-03-25 23:13:12 +0200
commit	c832941ab3abff5d1ea826ac8a5ad36c6cb4006d (patch)
tree	1ef9c55fbbaf5a779d70da0be4f0686763c40bbe /server.lua
parent	f4c5db6fb7d128ba5ed9c2078524f65ae7cce3d3 (diff)
download	acf2-c832941ab3abff5d1ea826ac8a5ad36c6cb4006d.tar.bz2 acf2-c832941ab3abff5d1ea826ac8a5ad36c6cb4006d.tar.xz