wekan/server/authentication.js

Meteor.startup(() => {

  Accounts.validateLoginAttempt(function (options) {
    const user = options.user || {};
    return !user.loginDisabled;
  });

  Authentication = {};

  Authentication.checkUserId = function (userId) {
    if (userId === undefined) {
      const error = new Meteor.Error('Unauthorized', 'Unauthorized');
      error.statusCode = 401;
      throw error;
    }
    const admin = Users.findOne({ _id: userId, isAdmin: true });

    if (admin === undefined) {
      const error = new Meteor.Error('Forbidden', 'Forbidden');
      error.statusCode = 403;
      throw error;
    }

  };

  // This will only check if the user is logged in.
  // The authorization checks for the user will have to be done inside each API endpoint
  Authentication.checkLoggedIn = function(userId) {
    if(userId === undefined) {
      const error = new Meteor.Error('Unauthorized', 'Unauthorized');
      error.statusCode = 401;
      throw error;
    }
  };

  // An admin should be authorized to access everything, so we use a separate check for admins
  // This throws an error if otherReq is false and the user is not an admin
  Authentication.checkAdminOrCondition = function(userId, otherReq) {
    if(otherReq) return;
    const admin = Users.findOne({ _id: userId, isAdmin: true });
    if (admin === undefined) {
      const error = new Meteor.Error('Forbidden', 'Forbidden');
      error.statusCode = 403;
      throw error;
    }
  };

  // Helper function. Will throw an error if the user does not have read only access to the given board
  Authentication.checkBoardAccess = function(userId, boardId) {
    Authentication.checkLoggedIn(userId);

    const board = Boards.findOne({ _id: boardId });
    const normalAccess = board.permission === 'public' || board.members.some((e) => e.userId === userId);
    Authentication.checkAdminOrCondition(userId, normalAccess);
  };

});
add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`Meteor.startup(() => {`
Add the ability for the admin : - disabling a login for a user (not himself) - enabling a login for a user - transfering the ownership of all user's boards to himself 2017-10-13 08:15:19 +02:00
			`Accounts.validateLoginAttempt(function (options) {`
Fix: Error after sending invitation and joining board: Exception while invoking method 'login' TypeError: Cannot read property 'loginDisabled' of undefined. Thanks to nztqa ! Closes #1331 2017-11-19 17:51:26 +02:00			`const user = options.user \|\| {};`
			`return !user.loginDisabled;`
Add the ability for the admin : - disabling a login for a user (not himself) - enabling a login for a user - transfering the ownership of all user's boards to himself 2017-10-13 08:15:19 +02:00			`});`

add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`Authentication = {};`

			`Authentication.checkUserId = function (userId) {`
			`if (userId === undefined) {`
			`const error = new Meteor.Error('Unauthorized', 'Unauthorized');`
			`error.statusCode = 401;`
			`throw error;`
			`}`
			`const admin = Users.findOne({ _id: userId, isAdmin: true });`

			`if (admin === undefined) {`
			`const error = new Meteor.Error('Forbidden', 'Forbidden');`
			`error.statusCode = 403;`
			`throw error;`
			`}`

			`};`

Added a non restrictive authentication function 2017-05-15 18:40:45 +02:00			`// This will only check if the user is logged in.`
			`// The authorization checks for the user will have to be done inside each API endpoint`
			`Authentication.checkLoggedIn = function(userId) {`
			`if(userId === undefined) {`
			`const error = new Meteor.Error('Unauthorized', 'Unauthorized');`
			`error.statusCode = 401;`
			`throw error;`
			`}`
			`};`

Added a simple authorization function 2017-05-15 19:43:15 +02:00			`// An admin should be authorized to access everything, so we use a separate check for admins`
			`// This throws an error if otherReq is false and the user is not an admin`
			`Authentication.checkAdminOrCondition = function(userId, otherReq) {`
			`if(otherReq) return;`
			`const admin = Users.findOne({ _id: userId, isAdmin: true });`
			`if (admin === undefined) {`
			`const error = new Meteor.Error('Forbidden', 'Forbidden');`
			`error.statusCode = 403;`
			`throw error;`
			`}`
Fixed eslint errors 2017-05-15 22:10:46 +02:00			`};`
Added a simple authorization function 2017-05-15 19:43:15 +02:00
Extracted board access check function 2017-05-15 21:02:31 +02:00			`// Helper function. Will throw an error if the user does not have read only access to the given board`
			`Authentication.checkBoardAccess = function(userId, boardId) {`
			`Authentication.checkLoggedIn(userId);`

			`const board = Boards.findOne({ _id: boardId });`
Fixed eslint errors 2017-05-15 22:10:46 +02:00			`const normalAccess = board.permission === 'public' \|\| board.members.some((e) => e.userId === userId);`
Extracted board access check function 2017-05-15 21:02:31 +02:00			`Authentication.checkAdminOrCondition(userId, normalAccess);`
Fixed eslint errors 2017-05-15 22:10:46 +02:00			`};`
Extracted board access check function 2017-05-15 21:02:31 +02:00
add token authentication, only admin can use api 2017-05-11 12:15:02 +02:00			`});`