From 49c7dded4539044d8053dba8d3fe24b97056c0d2 Mon Sep 17 00:00:00 2001 From: Wu Cheng-Han Date: Sun, 17 Jan 2016 09:51:27 -0600 Subject: Added private permission and clean up codes, solved potential race condition in realtime.js --- lib/response.js | 258 +++++++++++++++++++++++++++++++------------------------- 1 file changed, 143 insertions(+), 115 deletions(-) (limited to 'lib/response.js') diff --git a/lib/response.js b/lib/response.js index a30df470..e27411c8 100644 --- a/lib/response.js +++ b/lib/response.js @@ -90,21 +90,9 @@ function showIndex(req, res, next) { } function responseHackMD(res, noteId) { - if (noteId != config.featuresnotename) { - if (!Note.checkNoteIdValid(noteId)) { - responseError(res, "404", "Not Found", "oops."); - return; - } - noteId = LZString.decompressFromBase64(noteId); - if (!noteId) { - responseError(res, "404", "Not Found", "oops."); - return; - } - } db.readFromDB(noteId, function (err, data) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } var body = LZString.decompressFromBase64(data.rows[0].content); var meta = null; @@ -144,14 +132,18 @@ function newNote(req, res, next) { body = LZString.compressToBase64(body); var owner = null; if (req.isAuthenticated()) { - owner = req.session.passport.user; + owner = req.user._id; } db.newToDB(newId, owner, body, function (err, result) { if (err) { - responseError(res, "500", "Internal Error", "wtf."); - return; + return response.errorInternalError(res); } - res.redirect("/" + LZString.compressToBase64(newId)); + Note.newNote(newId, owner, function(err, result) { + if (err) { + return response.errorInternalError(res); + } + res.redirect("/" + LZString.compressToBase64(newId)); + }); }); } 
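Review bot: responseHackMD now takes noteId without validating or decoding it, so it silently depends on every caller having run Note.checkNoteIdValid and LZString.decompressFromBase64 first, and that contract is not written down. Within this diff only showNote and showFeatures call it, but a future caller handing it a raw URL parameter would reach db.readFromDB unchecked. I'd add above the signature: `// noteId must already be validated and decoded by the caller (see showNote); this helper does no input checks and assumes a read row exists.` The function body continues past the hunk.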
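Review bot: In newNote the two writes are not atomic: if Note.newNote fails after db.newToDB has succeeded, the content row stays in the database with no Note record and the client only sees a 500. Judging from showNote in this same commit, which 404s when Note.findNote returns nothing, such a row would become unreachable rather than recoverable. At minimum log the orphaned newId in that error branch, e.g. `console.error('note record creation failed for ' + newId, err);`, so it can be cleaned up; better would be to reorder or compensate so a failed second step does not leave the first behind.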
@@ -162,8 +154,7 @@ function showFeatures(req, res, next) { body = LZString.compressToBase64(body); db.newToDB(config.featuresnotename, null, body, function (err, result) { if (err) { - responseError(res, "500", "Internal Error", "wtf."); - return; + return response.errorInternalError(res); } responseHackMD(res, config.featuresnotename); }); @@ -175,11 +166,32 @@ function showFeatures(req, res, next) { function showNote(req, res, next) { var noteId = req.params.noteId; - if (!Note.checkNoteIdValid(noteId)) { - responseError(res, "404", "Not Found", "oops."); - return; + if (noteId != config.featuresnotename) { + if (!Note.checkNoteIdValid(noteId)) { + return response.errorNotFound(res); + } + noteId = LZString.decompressFromBase64(noteId); + if (!noteId) { + return response.errorNotFound(res); + } } - responseHackMD(res, noteId); + Note.findNote(noteId, function (err, note) { + if (err || !note) { + return response.errorNotFound(res); + } + db.readFromDB(note.id, function (err, data) { + if (err) { + return response.errorNotFound(res); + } + var notedata = data.rows[0]; + //check view permission + if (note.permission == 'private') { + if (!req.isAuthenticated() || notedata.owner != req.user._id) + return response.errorForbidden(res); + } + responseHackMD(res, noteId); + }); + }); } function showPublishNote(req, res, next) { 
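Review bot: The private-note gate in showNote compares `notedata.owner != req.user._id` with loose equality, so whether the owner gets in depends on how the stored owner and the session user id happen to be typed (string vs. object) — neither type is visible here, and a mismatch would lock the owner out of their own note with a 403. Normalising both sides, `String(notedata.owner) !== String(req.user._id)`, makes the check independent of that. Separately, `data.rows[0]` is dereferenced before the check with no `data.rows.length` guard, so an empty result set would throw inside the callback instead of returning 404.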
@@ -187,30 +199,33 @@ function showPublishNote(req, res, next) { if (shortId.isValid(shortid)) { Note.findNote(shortid, function (err, note) { if (err || !note) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } - //increase note viewcount - Note.increaseViewCount(note, function (err, note) { - if (err || !note) { - responseError(res, "404", "Not Found", "oops."); - return; + db.readFromDB(note.id, function (err, data) { + if (err) { + return response.errorNotFound(res); + } + var notedata = data.rows[0]; + //check view permission + if (note.permission == 'private') { + if (!req.isAuthenticated() || notedata.owner != req.user._id) + return response.errorForbidden(res); } - db.readFromDB(note.id, function (err, data) { - if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + //increase note viewcount + Note.increaseViewCount(note, function (err, note) { + if (err || !note) { + return response.errorNotFound(res); } - var body = LZString.decompressFromBase64(data.rows[0].content); + var body = LZString.decompressFromBase64(notedata.content); var meta = null; try { meta = metaMarked(body).meta; } catch(err) { //na } - var updatetime = data.rows[0].update_time; + var updatetime = notedata.update_time; var text = S(body).escapeHTML().s; - var title = data.rows[0].title; + var title = notedata.title; var decodedTitle = LZString.decompressFromBase64(title); if (decodedTitle) title = decodedTitle; title = Note.generateWebTitle(title); @@ -247,7 +262,7 @@ function showPublishNote(req, res, next) { }); }); } else { - responseError(res, "404", "Not Found", "oops."); + return response.errorNotFound(res); } } 
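Review bot: The three-line private-permission gate introduced here in showPublishNote is pasted verbatim into showNote, noteActions, publishNoteActions and showPublishSlide in the same commit; five copies of an authorization check is exactly the code that drifts when the permission model grows a next level. I'd extract one helper that owns the rule and call it from each handler, so a later change (a new permission value, a different owner comparison) lands everywhere at once. The rest of showPublishNote's rendering is unchanged by this suggestion.
```javascript
// Returns true when req may view the note. Only the 'private' level restricts
// viewing, to the authenticated owner; every other value is treated as public.
function canViewNote(req, note, notedata) {
    if (note.permission != 'private') return true;
    return req.isAuthenticated() && notedata.owner == req.user._id;
}

            // … unchanged: Note.findNote / db.readFromDB callbacks …
                var notedata = data.rows[0];
                if (!canViewNote(req, note, notedata))
                    return response.errorForbidden(res);
                // … unchanged: increaseViewCount and rendering …
```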
@@ -271,18 +286,12 @@ function renderPublish(data, res) { function actionPublish(req, res, noteId) { db.readFromDB(noteId, function (err, data) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } var owner = data.rows[0].owner; - var permission = "freely"; - if (owner && owner != "null") { - permission = "editable"; - } - Note.findOrNewNote(noteId, permission, function (err, note) { + Note.findOrNewNote(noteId, owner, function (err, note) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } res.redirect("/s/" + note.shortid); }); @@ -292,18 +301,12 @@ function actionPublish(req, res, noteId) { function actionSlide(req, res, noteId) { db.readFromDB(noteId, function (err, data) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } var owner = data.rows[0].owner; - var permission = "freely"; - if (owner && owner != "null") { - permission = "editable"; - } - Note.findOrNewNote(noteId, permission, function (err, note) { + Note.findOrNewNote(noteId, owner, function (err, note) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } res.redirect("/p/" + note.shortid); }); @@ -313,8 +316,7 @@ function actionSlide(req, res, noteId) { function actionDownload(req, res, noteId) { db.readFromDB(noteId, function (err, data) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } var body = LZString.decompressFromBase64(data.rows[0].content); var title = Note.getNoteTitle(body); 
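Review bot: The removed lines in actionPublish treated an owner value of the literal string `"null"` as "no owner", but the new call passes `data.rows[0].owner` straight into Note.findOrNewNote; if such rows still exist (the old guard suggests they did at some point), findOrNewNote would presumably now derive the published note's owner and permission from a bogus owner string. Unless findOrNewNote normalises this itself, keep the guard ahead of the call: `if (owner == "null") owner = null;`. The same applies to actionSlide below, which is changed identically.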
@@ -331,8 +333,7 @@ function actionDownload(req, res, noteId) { function actionPDF(req, res, noteId) { db.readFromDB(noteId, function (err, data) { if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } var body = LZString.decompressFromBase64(data.rows[0].content); try { 
@@ -365,57 +366,81 @@ function noteActions(req, res, next) { var noteId = req.params.noteId; if (noteId != config.featuresnotename) { if (!Note.checkNoteIdValid(noteId)) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } noteId = LZString.decompressFromBase64(noteId); if (!noteId) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } } - var action = req.params.action; - switch (action) { - case "publish": - case "pretty": //pretty deprecated - actionPublish(req, res, noteId); - break; - case "slide": - actionSlide(req, res, noteId); - break; - case "download": - actionDownload(req, res, noteId); - break; - case "pdf": - actionPDF(req, res, noteId); - break; - default: - if (noteId != config.featuresnotename) - res.redirect('/' + LZString.compressToBase64(noteId)); - else - res.redirect('/' + noteId); - break; - } + Note.findNote(noteId, function (err, note) { + if (err || !note) { + return response.errorNotFound(res); + } + db.readFromDB(note.id, function (err, data) { + if (err) { + return response.errorNotFound(res); + } + var notedata = data.rows[0]; + //check view permission + if (note.permission == 'private') { + if (!req.isAuthenticated() || notedata.owner != req.user._id) + return response.errorForbidden(res); + } + var action = req.params.action; + switch (action) { + case "publish": + case "pretty": //pretty deprecated + actionPublish(req, res, noteId); + break; + case "slide": + actionSlide(req, res, noteId); + break; + case "download": + actionDownload(req, res, noteId); + break; + case "pdf": + actionPDF(req, res, noteId); + break; + default: + if (noteId != config.featuresnotename) + res.redirect('/' + LZString.compressToBase64(noteId)); + else + res.redirect('/' + noteId); + break; + } + }); + }); } function publishNoteActions(req, res, next) { - var action = req.params.action; - switch (action) { - case "edit": - var shortid = req.params.shortid; - 
if (shortId.isValid(shortid)) { - Note.findNote(shortid, function (err, note) { - if (err || !note) { - responseError(res, "404", "Not Found", "oops."); - return; + var shortid = req.params.shortid; + if (shortId.isValid(shortid)) { + Note.findNote(shortid, function (err, note) { + if (err || !note) { + return response.errorNotFound(res); + } + db.readFromDB(note.id, function (err, data) { + if (err) { + return response.errorNotFound(res); + } + var notedata = data.rows[0]; + //check view permission + if (note.permission == 'private') { + if (!req.isAuthenticated() || notedata.owner != req.user._id) + return response.errorForbidden(res); + } + var action = req.params.action; + switch (action) { + case "edit": + if (note.id != config.featuresnotename) + res.redirect('/' + LZString.compressToBase64(note.id)); + else + res.redirect('/' + note.id); + break; } - if (note.id != config.featuresnotename) - res.redirect('/' + LZString.compressToBase64(note.id)); - else - res.redirect('/' + note.id); }); - } - break; + }); } } 
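Review bot: noteActions now returns 404 whenever Note.findNote yields no record, which as far as this diff shows also covers download and pdf on notes created before Note.newNote was wired into newNote in this commit, and the features note, which showFeatures stores with db.newToDB only. Confirm a Note record exists for those paths, or fall back to Note.findOrNewNote here the way actionPublish does, so that existing content does not become undownloadable. In publishNoteActions the switch has only an `"edit"` case and no `default:`, so any other action leaves the request without a response; add `default: return response.errorNotFound(res);`.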
@@ -424,27 +449,30 @@ function showPublishSlide(req, res, next) { if (shortId.isValid(shortid)) { Note.findNote(shortid, function (err, note) { if (err || !note) { - responseError(res, "404", "Not Found", "oops."); - return; + return response.errorNotFound(res); } - //increase note viewcount - Note.increaseViewCount(note, function (err, note) { - if (err || !note) { - responseError(res, "404", "Not Found", "oops."); - return; + db.readFromDB(note.id, function (err, data) { + if (err) { + return response.errorNotFound(res); + } + var notedata = data.rows[0]; + //check view permission + if (note.permission == 'private') { + if (!req.isAuthenticated() || notedata.owner != req.user._id) + return response.errorForbidden(res); } - db.readFromDB(note.id, function (err, data) { - if (err) { - responseError(res, "404", "Not Found", "oops."); - return; + //increase note viewcount + Note.increaseViewCount(note, function (err, note) { + if (err || !note) { + return response.errorNotFound(res); } - var body = LZString.decompressFromBase64(data.rows[0].content); + var body = LZString.decompressFromBase64(notedata.content); try { body = metaMarked(body).markdown; } catch(err) { //na } - var title = data.rows[0].title; + var title = notedata.title; var decodedTitle = LZString.decompressFromBase64(title); if (decodedTitle) title = decodedTitle; title = Note.generateWebTitle(title); @@ -454,7 +482,7 @@ function showPublishSlide(req, res, next) { }); }); } else { - responseError(res, "404", "Not Found", "oops."); + return response.errorNotFound(res); } } -- cgit v1.2.3
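Review bot: The view gate in showPublishSlide is fail-open: only `note.permission == 'private'` is refused, so a Note whose permission field is missing, null or an unexpected value is served to everyone, and the same holds for the identical checks in the other handlers of this commit. If 'private' is intended to be the single restricted level that is defensible, but it should be stated where the check lives: `// only 'private' restricts viewing; any other or missing permission value is public`. If more restricted levels are expected later, an allow-list of known public values with deny as the default is the safer shape.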