mirror of
https://github.com/wekan/wekan.git
synced 2026-02-07 09:01:47 +01:00
77 lines
2.4 KiB
JavaScript
77 lines
2.4 KiB
JavaScript
Meteor.startup(() => {
|
|
|
|
Accounts.validateLoginAttempt(function (options) {
|
|
const user = options.user || {};
|
|
return !user.loginDisabled;
|
|
});
|
|
|
|
Authentication = {};
|
|
|
|
Authentication.checkUserId = function (userId) {
|
|
if (userId === undefined) {
|
|
const error = new Meteor.Error('Unauthorized', 'Unauthorized');
|
|
error.statusCode = 401;
|
|
throw error;
|
|
}
|
|
const admin = Users.findOne({ _id: userId, isAdmin: true });
|
|
|
|
if (admin === undefined) {
|
|
const error = new Meteor.Error('Forbidden', 'Forbidden');
|
|
error.statusCode = 403;
|
|
throw error;
|
|
}
|
|
|
|
};
|
|
|
|
// This will only check if the user is logged in.
|
|
// The authorization checks for the user will have to be done inside each API endpoint
|
|
Authentication.checkLoggedIn = function(userId) {
|
|
if(userId === undefined) {
|
|
const error = new Meteor.Error('Unauthorized', 'Unauthorized');
|
|
error.statusCode = 401;
|
|
throw error;
|
|
}
|
|
};
|
|
|
|
// An admin should be authorized to access everything, so we use a separate check for admins
|
|
// This throws an error if otherReq is false and the user is not an admin
|
|
Authentication.checkAdminOrCondition = function(userId, otherReq) {
|
|
if(otherReq) return;
|
|
const admin = Users.findOne({ _id: userId, isAdmin: true });
|
|
if (admin === undefined) {
|
|
const error = new Meteor.Error('Forbidden', 'Forbidden');
|
|
error.statusCode = 403;
|
|
throw error;
|
|
}
|
|
};
|
|
|
|
// Helper function. Will throw an error if the user does not have read only access to the given board
|
|
Authentication.checkBoardAccess = function(userId, boardId) {
|
|
Authentication.checkLoggedIn(userId);
|
|
|
|
const board = Boards.findOne({ _id: boardId });
|
|
const normalAccess = board.permission === 'public' || board.members.some((e) => e.userId === userId);
|
|
Authentication.checkAdminOrCondition(userId, normalAccess);
|
|
};
|
|
|
|
if (Meteor.isServer) {
|
|
ServiceConfiguration.configurations.upsert(
|
|
{ service: 'oidc' },
|
|
{
|
|
$set: {
|
|
loginStyle: 'redirect',
|
|
clientId: 'CLIENT_ID',
|
|
secret: 'SECRET',
|
|
serverUrl: 'https://my-server',
|
|
authorizationEndpoint: '/oauth/authorize',
|
|
userinfoEndpoint: '/oauth/userinfo',
|
|
tokenEndpoint: '/oauth/token',
|
|
idTokenWhitelistFields: [],
|
|
requestPermissions: ['openid']
|
|
}
|
|
}
|
|
);
|
|
}
|
|
|
|
});
|
|
|