Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 15:30:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

add token authentication, only admin can use api

Browse source
This commit is contained in:
huneau romain 2017-05-11 12:15:02 +02:00
parent 548172949a
commit b5271e5346
9 changed files with 50 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.meteor/packages
View file

@ -77,3 +77,4 @@ simple:json-routes
rajit:bootstrap3-datepicker rajit:bootstrap3-datepicker
kadira:flow-router kadira:flow-router
shell-server@0.2.3 shell-server@0.2.3
simple:rest-accounts-password

4
.meteor/versions
View file

@ -134,7 +134,11 @@ service-configuration@1.0.11
session@1.1.7 session@1.1.7
sha@1.0.9 sha@1.0.9
shell-server@0.2.3 shell-server@0.2.3
simple:authenticate-user-by-token@1.0.1
simple:json-routes@2.1.0 simple:json-routes@2.1.0
simple:rest-accounts-password@1.1.2
simple:rest-bearer-token-parser@1.0.1
simple:rest-json-error-handler@1.0.1
softwarerero:accounts-t9n@1.3.9 softwarerero:accounts-t9n@1.3.9
spacebars@1.0.15 spacebars@1.0.15
spacebars-compiler@1.1.2 spacebars-compiler@1.1.2

4
models/boards.js
View file

@ -557,6 +557,7 @@ if (Meteor.isServer) {
//BOARDS REST API //BOARDS REST API
if (Meteor.isServer) { if (Meteor.isServer) {
JsonRoutes.add('GET', '/api/boards', function (req, res, next) { JsonRoutes.add('GET', '/api/boards', function (req, res, next) {
Authentication.checkUserId(req.userId);
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
code: 200, code: 200,
data: Boards.find({ permission: 'public' }).map(function (doc) { data: Boards.find({ permission: 'public' }).map(function (doc) {
@ -569,6 +570,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('GET', '/api/boards/:id', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:id', function (req, res, next) {
Authentication.checkUserId( req.userId);
const id = req.params.id; const id = req.params.id;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
code: 200, code: 200,
@ -577,6 +579,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('POST', '/api/boards', function (req, res, next) { JsonRoutes.add('POST', '/api/boards', function (req, res, next) {
Authentication.checkUserId( req.userId);
const id = Boards.insert({ const id = Boards.insert({
title: req.body.title, title: req.body.title,
members: [ members: [
@ -599,6 +602,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('DELETE', '/api/boards/:id', function (req, res, next) { JsonRoutes.add('DELETE', '/api/boards/:id', function (req, res, next) {
Authentication.checkUserId( req.userId);
const id = req.params.id; const id = req.params.id;
Boards.remove({ _id: id }); Boards.remove({ _id: id });
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {

4
models/cardComments.js
View file

@ -84,6 +84,7 @@ if (Meteor.isServer) {
//CARD COMMENT REST API //CARD COMMENT REST API
if (Meteor.isServer) { if (Meteor.isServer) {
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
@ -99,6 +100,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramCommentId = req.params.commentId; const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
@ -109,6 +111,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) { JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/comments', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
const id = CardComments.insert({ const id = CardComments.insert({
@ -126,6 +129,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) { JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/comments/:commentId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramCommentId = req.params.commentId; const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;

4
models/cards.js
View file

@ -373,6 +373,7 @@ if (Meteor.isServer) {
//LISTS REST API //LISTS REST API
if (Meteor.isServer) { if (Meteor.isServer) {
JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramListId = req.params.listId; const paramListId = req.params.listId;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
@ -388,6 +389,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramListId = req.params.listId; const paramListId = req.params.listId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
@ -398,6 +400,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('POST', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) { JsonRoutes.add('POST', '/api/boards/:boardId/lists/:listId/cards', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramListId = req.params.listId; const paramListId = req.params.listId;
const id = Cards.insert({ const id = Cards.insert({
@ -418,6 +421,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) { JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId/cards/:cardId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramListId = req.params.listId; const paramListId = req.params.listId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;

4
models/checklists.js
View file

@ -177,6 +177,7 @@ if (Meteor.isServer) {
//CARD COMMENT REST API //CARD COMMENT REST API
if (Meteor.isServer) { if (Meteor.isServer) {
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
code: 200, code: 200,
@ -190,6 +191,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramChecklistId = req.params.checklistId; const paramChecklistId = req.params.checklistId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
@ -199,6 +201,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) { JsonRoutes.add('POST', '/api/boards/:boardId/cards/:cardId/checklists', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
const checklistToSend = {}; const checklistToSend = {};
@ -221,6 +224,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) { JsonRoutes.add('DELETE', '/api/boards/:boardId/cards/:cardId/checklists/:checklistId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramCommentId = req.params.commentId; const paramCommentId = req.params.commentId;
const paramCardId = req.params.cardId; const paramCardId = req.params.cardId;
Checklists.remove({ _id: paramCommentId, cardId: paramCardId }); Checklists.remove({ _id: paramCommentId, cardId: paramCardId });

4
models/lists.js
View file

@ -132,6 +132,7 @@ if (Meteor.isServer) {
//LISTS REST API //LISTS REST API
if (Meteor.isServer) { if (Meteor.isServer) {
JsonRoutes.add('GET', '/api/boards/:boardId/lists', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/lists', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
code: 200, code: 200,
@ -145,6 +146,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId', function (req, res, next) { JsonRoutes.add('GET', '/api/boards/:boardId/lists/:listId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramListId = req.params.listId; const paramListId = req.params.listId;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
@ -154,6 +156,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('POST', '/api/boards/:boardId/lists', function (req, res, next) { JsonRoutes.add('POST', '/api/boards/:boardId/lists', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const id = Lists.insert({ const id = Lists.insert({
title: req.body.title, title: req.body.title,
@ -168,6 +171,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId', function (req, res, next) { JsonRoutes.add('DELETE', '/api/boards/:boardId/lists/:listId', function (req, res, next) {
Authentication.checkUserId( req.userId);
const paramBoardId = req.params.boardId; const paramBoardId = req.params.boardId;
const paramListId = req.params.listId; const paramListId = req.params.listId;
Lists.remove({ _id: paramListId, boardId: paramBoardId }); Lists.remove({ _id: paramListId, boardId: paramBoardId });

4
models/users.js
View file

@ -528,6 +528,7 @@ if (Meteor.isServer) {
// USERS REST API // USERS REST API
if (Meteor.isServer) { if (Meteor.isServer) {
JsonRoutes.add('GET', '/api/users', function (req, res, next) { JsonRoutes.add('GET', '/api/users', function (req, res, next) {
Authentication.checkUserId( req.userId);
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
code: 200, code: 200,
data: Meteor.users.find({}).map(function (doc) { data: Meteor.users.find({}).map(function (doc) {
@ -536,6 +537,7 @@ if (Meteor.isServer) {
}); });
}); });
JsonRoutes.add('GET', '/api/users/:id', function (req, res, next) { JsonRoutes.add('GET', '/api/users/:id', function (req, res, next) {
Authentication.checkUserId( req.userId);
const id = req.params.id; const id = req.params.id;
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {
code: 200, code: 200,
@ -543,6 +545,7 @@ if (Meteor.isServer) {
}); });
}); });
JsonRoutes.add('POST', '/api/users/', function (req, res, next) { JsonRoutes.add('POST', '/api/users/', function (req, res, next) {
Authentication.checkUserId( req.userId);
const id = Accounts.createUser({ const id = Accounts.createUser({
username: req.body.username, username: req.body.username,
email: req.body.email, email: req.body.email,
@ -558,6 +561,7 @@ if (Meteor.isServer) {
}); });
JsonRoutes.add('DELETE', '/api/users/:id', function (req, res, next) { JsonRoutes.add('DELETE', '/api/users/:id', function (req, res, next) {
Authentication.checkUserId( req.userId);
const id = req.params.id; const id = req.params.id;
Meteor.users.remove({ _id: id }); Meteor.users.remove({ _id: id });
JsonRoutes.sendResult(res, { JsonRoutes.sendResult(res, {

21
server/authentication.js Normal file
View file

@ -0,0 +1,21 @@
Meteor.startup(() => {
Authentication = {};
Authentication.checkUserId = function (userId) {
if (userId === undefined) {
const error = new Meteor.Error('Unauthorized', 'Unauthorized');
error.statusCode = 401;
throw error;
}
const admin = Users.findOne({ _id: userId, isAdmin: true });
if (admin === undefined) {
const error = new Meteor.Error('Forbidden', 'Forbidden');
error.statusCode = 403;
throw error;
}
};
});