From c832941ab3abff5d1ea826ac8a5ad36c6cb4006d Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>
Date: Mon, 25 Mar 2013 23:11:53 +0200
Subject: basic access control

---
 server.lua | 71 +++++++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 54 insertions(+), 17 deletions(-)

(limited to 'server.lua')

diff --git a/server.lua b/server.lua
index 43a6a09..c4f3fa4 100644
--- a/server.lua
+++ b/server.lua
@@ -4,6 +4,7 @@ See LICENSE file for license details
 --]]
 
 require 'acf'
+local mnode = acf.model.node
 local isinstance = acf.object.isinstance
 
 require 'json'
@@ -122,22 +123,31 @@ return function(env)
 		      local obj = txn:search(path)
 		      local res
 
-		      if isinstance(obj, acf.model.node.TreeNode) then
-			 local node = {}
-			 for k, v in acf.model.node.pairs(obj) do
-			    node[k] = isinstance(
-			       v,
-			       acf.model.node.TreeNode
-			    ) and acf.model.node.path(v) or v
+		      if isinstance(obj, mnode.TreeNode) then
+			 if not mnode.has_permission(obj, user, 'read') then
+			    return 403
 			 end
-			 res = {data=node, meta=acf.model.node.meta(obj)}
 
-		      else
-			 res = {
-			    data=obj,
-			    meta=acf.model.node.mmeta(parent, name)
-			 }
-		      end
+			 local node = {}
+			 for k, v in mnode.pairs(obj) do
+			    local readable = true
+			    
+			    if isinstance(v, mnode.TreeNode) then
+			       readable = mnode.has_permission(
+				  v,
+				  user,
+				  'read'
+			       )
+			       v = mnode.path(v)
+			    end
+			    
+			    if readable then node[k] = v end
+			 end
+			 res = {data=node, meta=mnode.meta(obj)}
+		   
+		      elseif mnode.has_permission(parent, user, 'read') then
+			 res = {data=obj, meta=mnode.mmeta(parent, name)}
+		      else return 403 end
 
 		      return 200, nil, res
 		   end
@@ -149,11 +159,38 @@ return function(env)
 			 return 405
 		      end
 
+		      if not mnode.has_permission(obj, user, 'create') then
+			 return 403
+		      end
+
 		      acf.model.set.add(obj, data)
 
-		   elseif method == 'DELETE' then parent[name] = nil
-		   elseif method == 'PUT' then parent[name] = data
-		   else return 405 end
+		   else
+		      local obj = parent[name]
+		      if obj ~= nil and not isinstance(obj, mnode.TreeNode) then
+			 obj = parent
+		      end
+
+		      if method == 'DELETE' then
+			 if obj == nil then return 404 end
+			 if not mnode.has_permission(obj, user, 'delete') then
+			    return 403
+			 end
+			 parent[name] = nil
+
+		      elseif method == 'PUT' then
+			 local permission = 'modify'
+			 if obj == nil then
+			    obj = parent
+			    permission = 'create'
+			 end
+			 if not mnode.has_permission(obj, user, permission) then
+			    return 403
+			 end
+			 parent[name] = data
+			 
+		      else return 405 end
+		   end
 		   
 		   txn:commit()
 		   return 205
-- 
cgit v1.2.3