3 files changed, 22 insertions, 42 deletions

diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 6e3e8373..b8e62dda 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -4,6 +4,7 @@ const Router = require('express').Router
 const passport = require('passport')
 const { Strategy, InternalOAuthError } = require('passport-oauth2')
 const config = require('../../../config')
+const logger = require('../../../logger')
 const { passportGeneralCallback } = require('../utils')
 
 let oauth2Auth = module.exports = Router()
@@ -31,6 +32,7 @@ class OAuth2CustomStrategy extends Strategy {
         return done(new Error('Failed to parse user profile'))
       }
 
+      checkAuthorization(json, done)
       let profile = parseProfile(json)
       profile.provider = 'oauth2'
 
@@ -50,18 +52,36 @@ function extractProfileAttribute (data, path) {
 }
 
 function parseProfile (data) {
+  const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
   const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
   const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
   const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
 
   return {
-    id: username,
+    id: id || username,
     username: username,
     displayName: displayName,
     email: email
   }
 }
 
+function checkAuthorization (data, done) {
+  const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+  const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
+
+  if (config.oauth2.accessRole) {
+    if (!roles) {
+      logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied')
+      return done('Permission denied', null)
+    }
+
+    if (!roles.includes(config.oauth2.accessRole)) {
+      logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
+      return done('Permission denied', null)
+    }
+  }
+}
+
 OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
   this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
     var json
@@ -76,6 +96,7 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
       return done(new Error('Failed to parse user profile'))
     }
 
+    checkAuthorization(json, done)
     let profile = parseProfile(json)
     profile.provider = 'oauth2'
 
diff --git a/lib/web/note/actions.js b/lib/web/note/actions.js
index 9ff7fedb..d92d2443 100644
--- a/lib/web/note/actions.js
+++ b/lib/web/note/actions.js
@@ -2,9 +2,7 @@ const models = require('../../models')
 const logger = require('../../logger')
 const config = require('../../config')
 const errors = require('../../errors')
-const fs = require('fs')
 const shortId = require('shortid')
-const markdownpdf = require('markdown-pdf')
 const moment = require('moment')
 const querystring = require('querystring')
 
@@ -33,37 +31,6 @@ exports.getInfo = function getInfo (req, res, note) {
   res.send(data)
 }
 
-exports.createPDF = function createPDF (req, res, note) {
-  const url = config.serverURL || 'http://' + req.get('host')
-  const body = note.content
-  const extracted = models.Note.extractMeta(body)
-  let content = extracted.markdown
-  const title = models.Note.decodeTitle(note.title)
-
-  if (!fs.existsSync(config.tmpPath)) {
-    fs.mkdirSync(config.tmpPath)
-  }
-  const path = config.tmpPath + '/' + Date.now() + '.pdf'
-  content = content.replace(/\]\(\//g, '](' + url + '/')
-  markdownpdf().from.string(content).to(path, function () {
-    if (!fs.existsSync(path)) {
-      logger.error('PDF seems to not be generated as expected. File doesn\'t exist: ' + path)
-      return errors.errorInternalError(res)
-    }
-    const stream = fs.createReadStream(path)
-    let filename = title
-    // Be careful of special characters
-    filename = encodeURIComponent(filename)
-    // Ideally this should strip them
-    res.setHeader('Content-disposition', 'attachment; filename="' + filename + '.pdf"')
-    res.setHeader('Cache-Control', 'private')
-    res.setHeader('Content-Type', 'application/pdf; charset=UTF-8')
-    res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling
-    stream.pipe(res)
-    fs.unlinkSync(path)
-  })
-}
-
 exports.createGist = function createGist (req, res, note) {
   const data = {
     client_id: config.github.clientID,
diff --git a/lib/web/note/controller.js b/lib/web/note/controller.js
index f79574df..45aea9e2 100644
--- a/lib/web/note/controller.js
+++ b/lib/web/note/controller.js
@@ -110,14 +110,6 @@ exports.doAction = function (req, res, next) {
       case 'info':
         noteActions.getInfo(req, res, note)
         break
-      case 'pdf':
-        if (config.allowPDFExport) {
-          noteActions.createPDF(req, res, note)
-        } else {
-          logger.error('PDF export failed: Disabled by config. Set "allowPDFExport: true" to enable. Check the documentation for details')
-          errors.errorForbidden(res)
-        }
-        break
       case 'gist':
         noteActions.createGist(req, res, note)
         break