diff --git a/controllers/authController.js b/controllers/authController.js index 48c7253..03d9bef 100644 --- a/controllers/authController.js +++ b/controllers/authController.js @@ -1,40 +1,12 @@ const bcrypt = require('bcrypt') const config = require('./../config') const db = require('knex')(config.database) +const perms = require('./permissionController') const randomstring = require('randomstring') const utils = require('./utilsController') const authController = {} -authController.permissions = { - user: 0, // upload & delete own files, create & delete albums - moderator: 50, // delete other user's files - admin: 80, // manage users (disable accounts) & create moderators - superadmin: 100 // create admins - // groups will inherit permissions from groups which have lower value -} - -authController.is = (user, group) => { - // root bypass - if (user.username === 'root') { return true } - const permission = user.permission || 0 - return permission >= authController.permissions[group] -} - -authController.higher = (user, target) => { - const userPermission = user.permission || 0 - const targetPermission = target.permission || 0 - return userPermission > targetPermission -} - -authController.mapPermissions = user => { - const map = {} - Object.keys(authController.permissions).forEach(group => { - map[group] = authController.is(user, group) - }) - return map -} - authController.verify = async (req, res, next) => { const username = req.body.username const password = req.body.password @@ -92,7 +64,7 @@ authController.register = async (req, res, next) => { password: hash, token, enabled: 1, - permission: authController.permissions.user + permission: perms.permissions.user }) return res.json({ success: true, token }) }) @@ -191,7 +163,7 @@ authController.editUser = async (req, res, next) => { if (!target) { return res.json({ success: false, description: 'Could not get user with the specified ID.' }) - } else if (!authController.higher(user, target)) { + } else if (!perms.higher(user, target)) { return res.json({ success: false, description: 'The user is in the same or higher group as you.' }) } else if (target.username === 'root') { return res.json({ success: false, description: 'Root user may not be edited.' }) @@ -202,7 +174,7 @@ authController.editUser = async (req, res, next) => { return res.json({ success: false, description: 'Username must have 4-32 characters.' }) } - let permission = req.body.group ? authController.permissions[req.body.group] : target.permission + let permission = req.body.group ? perms.permissions[req.body.group] : target.permission if (typeof permission !== 'number' || permission < 0) { permission = target.permission } await db.table('users') @@ -236,7 +208,7 @@ authController.listUsers = async (req, res, next) => { const user = await utils.authorize(req, res) if (!user) { return } - const isadmin = authController.is(user, 'admin') + const isadmin = perms.is(user, 'admin') if (!isadmin) { return res.status(403) } let offset = req.params.page diff --git a/controllers/permissionController.js b/controllers/permissionController.js new file mode 100644 index 0000000..2e928de --- /dev/null +++ b/controllers/permissionController.js @@ -0,0 +1,32 @@ +const permissionController = {} + +permissionController.permissions = { + user: 0, // upload & delete own files, create & delete albums + moderator: 50, // delete other user's files + admin: 80, // manage users (disable accounts) & create moderators + superadmin: 100 // create admins + // groups will inherit permissions from groups which have lower value +} + +permissionController.is = (user, group) => { + // root bypass + if (user.username === 'root') { return true } + const permission = user.permission || 0 + return permission >= permissionController.permissions[group] +} + +permissionController.higher = (user, target) => { + const userPermission = user.permission || 0 + const targetPermission = target.permission || 0 + return userPermission > targetPermission +} + +permissionController.mapPermissions = user => { + const map = {} + Object.keys(permissionController.permissions).forEach(group => { + map[group] = permissionController.is(user, group) + }) + return map +} + +module.exports = permissionController diff --git a/controllers/tokenController.js b/controllers/tokenController.js index 63264a9..38dfd48 100644 --- a/controllers/tokenController.js +++ b/controllers/tokenController.js @@ -1,6 +1,6 @@ -const auth = require('./authController') const config = require('./../config') const db = require('knex')(config.database) +const perms = require('./permissionController') const randomstring = require('randomstring') const utils = require('./utilsController') @@ -26,7 +26,7 @@ tokenController.verify = async (req, res, next) => { return res.json({ success: true, username: user.username, - permissions: auth.mapPermissions(user) + permissions: perms.mapPermissions(user) }) } diff --git a/controllers/uploadController.js b/controllers/uploadController.js index fd25e00..364b2b1 100644 --- a/controllers/uploadController.js +++ b/controllers/uploadController.js @@ -1,4 +1,3 @@ -const auth = require('./authController') const config = require('./../config') const crypto = require('crypto') const db = require('knex')(config.database) @@ -6,6 +5,7 @@ const fetch = require('node-fetch') const fs = require('fs') const multer = require('multer') const path = require('path') +const perms = require('./permissionController') const randomstring = require('randomstring') const utils = require('./utilsController') @@ -652,7 +652,7 @@ uploadsController.list = async (req, res) => { // Headers is string-only, this seem to be the safest and lightest const all = req.headers.all === '1' - const ismoderator = auth.is(user, 'moderator') + const ismoderator = perms.is(user, 'moderator') if (all && !ismoderator) { return res.json(403) } const files = await db.table('files') diff --git a/controllers/utilsController.js b/controllers/utilsController.js index 0a47691..0fabed1 100644 --- a/controllers/utilsController.js +++ b/controllers/utilsController.js @@ -5,6 +5,7 @@ const ffmpeg = require('fluent-ffmpeg') const fs = require('fs') const gm = require('gm') const path = require('path') +const perms = require('./permissionController') const utilsController = {} const uploadsDir = path.join(__dirname, '..', config.uploads.folder) @@ -167,10 +168,12 @@ utilsController.deleteFile = file => { utilsController.bulkDeleteFiles = async (field, values, user) => { if (!user || !['id', 'name'].includes(field)) { return } + console.log(require('util').inspect(perms)) + const ismoderator = perms.is(user, 'moderator') const files = await db.table('files') .whereIn(field, values) .where(function () { - if (user.username !== 'root') { + if (!ismoderator) { this.where('userid', user.id) } }) diff --git a/database/db.js b/database/db.js index d8bbb73..656789b 100644 --- a/database/db.js +++ b/database/db.js @@ -1,4 +1,4 @@ -const { permissions } = require('./../controllers/authController') +const perms = require('./../controllers/permissionController') const init = function (db) { // Create the tables we need to store galleries and files @@ -59,7 +59,7 @@ const init = function (db) { password: hash, token: require('randomstring').generate(64), timestamp: Math.floor(Date.now() / 1000), - permission: permissions.superadmin + permission: perms.permissions.superadmin }).then(() => {}) }) }) diff --git a/database/migration.js b/database/migration.js index eb7b599..216dd0a 100644 --- a/database/migration.js +++ b/database/migration.js @@ -1,6 +1,6 @@ const config = require('./../config') const db = require('knex')(config.database) -const { permissions } = require('./../controllers/authController') +const perms = require('./../controllers/permissionController') const map = { albums: { @@ -36,11 +36,11 @@ migration.start = async () => { .where('username', 'root') .first() .update({ - permission: permissions.superadmin + permission: perms.permissions.superadmin }) .then(rows => { if (!rows) { return console.log('Unable to update root\'s permission into superadmin.') } - console.log(`Updated root's permission to ${permissions.superadmin} (superadmin).`) + console.log(`Updated root's permission to ${perms.permissions.superadmin} (superadmin).`) }) console.log('Migration finished! Now start lolisafe normally')