UNPKG

pip-services3-rpc-node

Version:

Remote procedure calls for Pip.Services in Node.js

github.com/pip-services3-node/pip-services3-rpc-node

pip-services3-node/pip-services3-rpc-node

66 lines (60 loc) 2.42 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
/** @module auth */ const _ = require('lodash'); import { UnauthorizedException } from 'pip-services3-commons-node'; import { HttpResponseSender } from '../services/HttpResponseSender'; export class OwnerAuthorizer { public owner(idParam: string = 'user_id'): (req: any, res: any, next: () => void) => void { return (req, res, next) => { if (req.user == null) { HttpResponseSender.sendError( req, res, new UnauthorizedException( null, 'NOT_SIGNED', 'User must be signed in to perform this operation' ).withStatus(401) ); } else { let userId = req.params[idParam] || req.param(idParam); if (req.user_id != userId) { HttpResponseSender.sendError( req, res, new UnauthorizedException( null, 'FORBIDDEN', 'Only data owner can perform this operation' ).withStatus(403) ); } else { next(); } } }; } public ownerOrAdmin(idParam: string = 'user_id'): (req: any, res: any, next: () => void) => void { return (req, res, next) => { if (req.user == null) { HttpResponseSender.sendError( req, res, new UnauthorizedException( null, 'NOT_SIGNED', 'User must be signed in to perform this operation' ).withStatus(401) ); } else { let userId = req.params[idParam] || req.param(idParam); let roles = req.user != null ? req.user.roles : null; let admin = _.includes(roles, 'admin'); if (req.user_id != userId && !admin) { HttpResponseSender.sendError( req, res, new UnauthorizedException( null, 'FORBIDDEN', 'Only data owner can perform this operation' ).withStatus(403) ); } else { next(); } } }; } }