
smc-hub


CoCalc: Backend webserver component

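// Generated by CoffeeScript 2.5.1
(function() {
  //########################################################################
  // This file is part of CoCalc: Copyright © 2020 Sagemath, Inc.
  // License: AGPLv3 s.t. "Commons Clause" – see LICENSE.md for details
  //########################################################################
  /*
  Access permissions related to projects for a given user (or project)
  */
  const async = require('async');

  const winston = require('./logger').getLogger('access');

  const misc = require('smc-util/misc');

  const {defaults, required} = misc;

  /**
   * True when `groups` is non-null and lists the 'admin' group.
   *
   * @param {*} groups - group list to inspect; null/undefined means "no groups".
   * @returns {boolean}
   */
  const has_admin_group = function(groups) {
    return groups != null && Array.prototype.indexOf.call(groups, 'admin') >= 0;
  };

  /**
   * Decide whether an account may act on a project as a member of one of
   * `opts.groups`, and report the decision through `opts.cb(err, access)`.
   *
   * Decision order, as implemented below:
   *   1. No account_id             -> access denied, no database call.
   *   2. account_groups has admin  -> access granted, no database call.
   *   3. Otherwise ask database.user_is_in_project_group.
   *   4. If still denied and account_groups was NOT supplied, read the
   *      account's 'groups' column and grant access when it lists 'admin'.
   *
   * Trust boundary: `account_groups` is taken at face value. A value that
   * contains 'admin' grants access without any lookup, and any non-null value
   * suppresses the database admin check in step 4.
   * NOTE(review): callers must therefore pass only a value they obtained
   * server-side for the authenticated account, never one taken from a client
   * message -- confirm at each call site.
   *
   * @param {object} opts
   * @param {*} opts.project_id - project being accessed (required).
   * @param {*} [opts.account_id] - account requesting access.
   * @param {*} [opts.account_groups] - groups of that account, if already known.
   * @param {Array} opts.groups - project groups that grant access (required).
   * @param {object} opts.database - must provide user_is_in_project_group and
   *   get_account (required).
   * @param {function} opts.cb - cb(err, true or false) (required).
   */
  const user_is_in_project_group = function(opts) {
    opts = defaults(opts, {
      project_id: required,
      account_id: void 0,
      account_groups: void 0,
      groups: required,
      database: required,
      cb: required // cb(err, true or false)
    });
    const dbg = function(m) {
      return winston.debug(`user_is_in_project_group -- ${m}`);
    };
    dbg();
    if (opts.account_id == null) {
      dbg("not logged in, so for now we just say 'no' -- this may change soon.");
      opts.cb(void 0, false); // do not have access
      return;
    }
    // Default deny: only the branches below may flip this to true.
    let access = false;
    return async.series([
      function(cb) {
        dbg(`check if admin or in appropriate group -- ${misc.to_json(opts.account_groups)}`);
        if (has_admin_group(opts.account_groups)) {
          // Admin shortcut; the same check is repeated against the database
          // in the next step when account_groups was not supplied.
          access = true;
          return cb();
        }
        return opts.database.user_is_in_project_group({
          project_id: opts.project_id,
          account_id: opts.account_id,
          groups: opts.groups,
          cb: function(err, x) {
            // Fail closed: a failed lookup never grants access, and the
            // value handed to opts.cb is always a real boolean.
            access = !err && !!x;
            return cb(err);
          }
        });
      },
      function(cb) {
        if (access || opts.account_groups != null) {
          // Either already granted, or the caller supplied account_groups
          // and the admin question was decided in the previous step.
          return cb();
        }
        // User does not have access in normal way and account_groups not provided, so
        // we do an extra group check before denying user.
        return opts.database.get_account({
          columns: ['groups'],
          account_id: opts.account_id,
          cb: function(err, r) {
            if (err) {
              return cb(err);
            }
            // A missing account record is treated as "no groups" (deny)
            // instead of throwing inside the database callback.
            access = has_admin_group(r != null ? r['groups'] : void 0);
            return cb();
          }
        });
      }
    ], function(err) {
      dbg(`done with tests -- now access=${access}, err=${err}`);
      return opts.cb(err, access);
    });
  };

  /**
   * Write access: the account must be an owner or collaborator of the project
   * (or an admin, see user_is_in_project_group). Any `groups` value supplied by
   * the caller is overridden; the caller's opts object is left unmodified.
   *
   * @param {object} opts - same fields as user_is_in_project_group, minus groups.
   */
  exports.user_has_write_access_to_project = function(opts) {
    return user_is_in_project_group(Object.assign({}, opts, {
      groups: ['owner', 'collaborator']
    }));
  };

  /**
   * Read access is granted if user is in any of the groups listed below
   * (owner, collaborator, or *viewer*), or is an admin. Any `groups` value
   * supplied by the caller is overridden; the caller's opts object is left
   * unmodified.
   *
   * @param {object} opts - same fields as user_is_in_project_group, minus groups.
   */
  exports.user_has_read_access_to_project = function(opts) {
    return user_is_in_project_group(Object.assign({}, opts, {
      groups: ['owner', 'collaborator', 'viewer']
    }));
  };

}).call(this);

//# sourceMappingURL=access.js.map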