handler: (request, reply) => {
const buildFactory = request.server.app.buildFactory;
const stepFactory = request.server.app.stepFactory;
const buildId = request.params.id;
const stepName = request.params.name;
const buildIdCred = request.auth.credentials.username;
let stepIndex = -1;
if (buildId !== buildIdCred) {
return reply(boom.forbidden(`Credential only valid for ${buildIdCred}`));
}
// Make sure build exists
return buildFactory.get(buildId)
.then((build) => {
if (!build) {
throw boom.notFound('Build does not exist');
}
const now = (new Date()).toISOString();
// Check if step model exists
return stepFactory.get({ buildId, name: stepName })
.then((step) => {
if (!step) {
// Update build steps if no step model
const steps = build.steps;
stepIndex = steps.findIndex(s => s.name === stepName);
if (stepIndex === -1) {
throw boom.notFound('Step does not exist');
}
if (request.payload.code !== undefined) {
steps[stepIndex].code = request.payload.code;
steps[stepIndex].endTime = request.payload.endTime || now;
} else if (request.payload.lines !== undefined) {
steps[stepIndex].lines = request.payload.lines;
} else {
steps[stepIndex].startTime = request.payload.startTime || now;
}
build.steps = steps;
return build.update()
.then(b => b.steps[stepIndex]);
}
// Update step model directly if it exists
if (request.payload.code !== undefined) {
step.code = request.payload.code;
step.endTime = request.payload.endTime || now;
} else if (request.payload.lines !== undefined) {
step.lines = request.payload.lines;
} else {
step.startTime = request.payload.startTime || now;
}
return step.update();
});
})
.then(updatedStep => reply(updatedStep).code(200))
.catch(err => reply(boom.boomify(err)));
},
server.ext('onPostAuth', (request, h) => {
// If skip function enabled. Call it and if returns true, do not attempt to do anything with crumb.
if (settings.skip && settings.skip(request, h)) {
return h.continue;
}
// Validate incoming crumb
if (typeof request.route.settings.plugins._crumb === 'undefined') {
if (request.route.settings.plugins.crumb ||
!request.route.settings.plugins.hasOwnProperty('crumb') && settings.autoGenerate) {
request.route.settings.plugins._crumb = Hoek.applyToDefaults(routeDefaults, request.route.settings.plugins.crumb || {});
}
else {
request.route.settings.plugins._crumb = false;
}
}
// Set crumb cookie and calculate crumb
if ((settings.autoGenerate ||
request.route.settings.plugins._crumb) &&
(request.route.settings.cors ? checkCORS(request) : true)) {
generate(request, h);
}
// Validate crumb
let routeIsRestful;
if (request.route.settings.plugins._crumb && request.route.settings.plugins._crumb.restful !== undefined) {
routeIsRestful = request.route.settings.plugins._crumb.restful;
}
if (routeIsRestful === false || !routeIsRestful && settings.restful === false) {
if (request.method !== 'post' ||
!request.route.settings.plugins._crumb) {
return h.continue;
}
const content = request[request.route.settings.plugins._crumb.source];
if (!content || content instanceof Stream) {
throw Boom.forbidden();
}
if (content[request.route.settings.plugins._crumb.key] !== request.plugins.crumb) {
throw Boom.forbidden();
}
// Remove crumb
delete request[request.route.settings.plugins._crumb.source][request.route.settings.plugins._crumb.key];
}
else {
if (request.method !== 'post' && request.method !== 'put' && request.method !== 'patch' && request.method !== 'delete' ||
!request.route.settings.plugins._crumb) {
return h.continue;
}
const header = request.headers['x-csrf-token'];
if (!header) {
throw Boom.forbidden();
}
if (header !== request.plugins.crumb) {
throw Boom.forbidden();
}
}
return h.continue;
});
method: function (request, reply) {
return reply(Boom.forbidden());
},
getTagsAndLocationsByIds(user.tags, user.locations, function(
err,
initial
) {
// only admin can edit admin
if (user.user_type === "admin" && loggedIn.scope === "content-owner") {
return reply(Boom.forbidden());
}
user.tags = initial.tags;
getOrg(user.org_id, function(pgErrOrg, org) {
user.org_name = org.org.name;
getUsersChallenges(profileId, function(pgErr, challenges) {
Hoek.assert(!pgErr, "database error");
var userTypes = helpers.userTypeRadios(user.user_type);
var tagList = tags.tags;
challenges.forEach(function(c) {
c.org_name = org.org.name;
c.org_id = org.org.id;
c.creator_id = parseInt(profileId);
});
var tagCat = {};
var locCat = {};
var options = Object.assign(
permissions,
{ user: user },
{ initialTags: JSON.stringify(initial.tags) },
{ tagList: tagList },
{ initialLocations: JSON.stringify(initial.locations) },
{ challenges: challenges },
{ loggedInUser: request.pre.user }
);
var initialCategories = options.tagList
.filter(function(t) {
return t.selected;
})
.map(function(t) {
return {
category_id: t.category_id,
category_name: t.category_name
};
});
options.initialCategories = JSON.stringify(initialCategories);
// crate a map tag -> catgory
tagList.forEach(function(cat) {
cat.tags.forEach(function(t) {
tagCat[t.tag_id] = {
category_id: cat.category_id,
category_name: cat.category_name
};
});
});
options.tagCat = JSON.stringify(tagCat);
options.locCat = JSON.stringify([]);
return reply.view("people/profile", options);
});
});
});
.then(function(running) {
if (running) { return true; }
else { return Promise.reject(Boom.forbidden('Poll is Expired')); }
});
const Boom = require('boom');
const Operation = require('../models/Operation');
/**
* @module OperationsPolicy
* @description Operations Policy
*/
module.exports = {
async canUpdateOperation(request) {
// If user is a global manager or admin, allow it
if (request.auth.credentials.is_admin || request.auth.credentials.isManager) {
return true;
}
// Otherwise check if it is a manager of the operation list
const op = await Operation.findOne({ _id: request.params.id }).populate('managers');
if (!op) {
throw Boom.notFound();
}
if (op.managersIndex(request.auth.credentials) !== -1) {
return true;
}
throw Boom.forbidden();
},
};
.then(function(voted) {
if (!voted) { return true; }
else { return Promise.reject(Boom.forbidden('Already Voted')); }
});
.then(function(locked) {
if (!locked) { return true; }
else { return Promise.reject(Boom.forbidden('Poll is Locked')); }
});
module.exports = function (server, auth, params, payload) {
var threadId = params.threadId;
var pollId = params.pollId;
var answerLength = payload.answerIds.length;
var userId = auth.credentials.id;
// check base permission
var allowed = server.authorization.build({
error: Boom.forbidden(),
type: 'hasPermission',
server: server,
auth: auth,
permission: 'threads.vote.allow'
});
// read board
var read = server.authorization.build({
error: Boom.notFound('Board Not Found'),
type: 'dbValue',
method: server.db.threads.getThreadsBoardInBoardMapping,
args: [threadId, server.plugins.acls.getUserPriority(auth)]
});
// is requester active
var active = server.authorization.build({
error: Boom.forbidden('Account Not Active'),
type: 'isActive',
server: server,
userId: userId
});
// Check that user isn't banned from this board
var notBannedFromBoard = server.authorization.common.isNotBannedFromBoard(Boom.forbidden('You are banned from this board'), server, userId, { threadId: threadId });
// Check if has poll exists
var exists = server.db.polls.exists(threadId)
.then(function(exists) {
if (exists) { return true; }
else { return Promise.reject(Boom.badRequest('Poll Does Not Exists')); }
});
// Check if has voted already
var vote = server.db.polls.hasVoted(threadId, userId)
.then(function(voted) {
if (!voted) { return true; }
else { return Promise.reject(Boom.forbidden('Already Voted')); }
});
// Check if poll is unlocked
var unlocked = server.db.polls.isLocked(pollId)
.then(function(locked) {
if (!locked) { return true; }
else { return Promise.reject(Boom.forbidden('Poll is Locked')); }
});
// Check if poll is still running
var running = server.db.polls.isRunning(pollId)
.then(function(running) {
if (running) { return true; }
else { return Promise.reject(Boom.forbidden('Poll is Expired')); }
});
// Check if vote is valid
var valid = server.db.polls.maxAnswers(pollId)
.then(function(maxAnswers) {
if (maxAnswers && maxAnswers >= answerLength) { return true; }
else { return Promise.reject(Boom.badRequest('Too Many Answers')); }
});
return Promise.all([allowed, read, notBannedFromBoard, active, exists, vote, unlocked, running, valid]);
};
Product.searchProduct(query, function(err, result) {
if (!err) {
return reply(result);
} else reply(Boom.forbidden(err));
});
Product.createProduct(request.payload, function(err, response) {
if (!err) reply(response);
else reply(Boom.forbidden(err));
});
.then(function(note) {
if (note.user_id === userId) { return true; }
else { return Promise.reject(Boom.forbidden('Only the author can update this note')); }
});
module.exports = function postsDelete(server, auth, postId) {
var userId = auth.credentials.id;
// check base permissions
var allowed = server.authorization.build({
error: Boom.forbidden(),
type: 'hasPermission',
server: server,
auth: auth,
permission: 'posts.delete.allow'
});
// is not first post
var notFirst = server.authorization.build({
error: Boom.forbidden(),
type: 'isNotFirstPost',
method: server.db.posts.getThreadFirstPost,
args: [postId]
});
// Is user self moderator and do they have priority to hide post
var selfModCond = [
{
// permission based override
error: Boom.forbidden(),
type: 'isMod',
method: server.db.moderators.isModeratorSelfModerated,
args: [userId, postId],
permission: 'posts.delete.bypass.owner.selfMod'
},
common.hasPriority(server, auth, 'posts.delete.bypass.owner.selfMod', postId)
];
var selfMod = server.authorization.stitch(Boom.forbidden(), selfModCond, 'all');
// User has priority permission
var prioritySelfModCond = [
{
// permission based override
error: Boom.forbidden(),
type: 'isMod',
method: server.db.moderators.isModeratorSelfModerated,
args: [userId, postId],
permission: 'posts.delete.bypass.owner.priority'
},
// The boolean at the end tells hasPriority to pass if auth user is Patroller and post creator is a user
common.hasPriority(server, auth, 'posts.delete.bypass.owner.priority', postId, true)
];
var prioritySelfMod = server.authorization.stitch(Boom.forbidden(), prioritySelfModCond, 'all');
// is post alright to delete
var deleteCond = [
{
// permission based override
type: 'hasPermission',
error: Boom.forbidden(),
server: server,
auth: auth,
permission: 'posts.delete.bypass.owner.admin'
},
{
// is post owner
type: 'isOwner',
method: server.db.posts.find,
args: [postId],
userId: userId
},
{
// is board mod
type: 'isMod',
method: server.db.moderators.isModeratorWithPostId,
args: [userId, postId],
permission: server.plugins.acls.getACLValue(auth, 'posts.delete.bypass.owner.mod')
},
selfMod,
// Has priority permission
prioritySelfMod,
common.hasPriority(server, auth, 'posts.delete.bypass.owner.priority', postId)
];
var deleted = server.authorization.stitch(Boom.forbidden(), deleteCond, 'any');
// is thread locked
var tLockedCond = [
{
// permission based override
type: 'hasPermission',
server: server,
auth: auth,
permission: 'posts.delete.bypass.locked.admin'
},
{
// is thread locked
type: 'dbNotProp',
method: server.db.posts.getPostsThread,
args: [postId],
prop: 'locked'
},
{
// is board moderator
type: 'isMod',
method: server.db.moderators.isModeratorWithPostId,
args: [userId, postId],
permission: server.plugins.acls.getACLValue(auth, 'posts.delete.bypass.locked.mod')
}
];
var tLocked = server.authorization.stitch(Boom.forbidden('Thread Locked'), tLockedCond, 'any');
// post locked
var pLocked = server.authorization.build({
error: Boom.forbidden('Post is locked'),
type: 'dbNotProp',
method: server.db.posts.find,
args: [postId],
prop: 'locked'
});
// read board
var read = server.authorization.build({
error: Boom.notFound('Board Not Found'),
type: 'dbValue',
method: server.db.posts.getPostsBoardInBoardMapping,
args: [postId, server.plugins.acls.getUserPriority(auth)]
});
// write board
var write = server.authorization.build({
error: Boom.forbidden('No Write Access'),
type: 'dbValue',
method: server.db.posts.getBoardWriteAccess,
args: [postId, server.plugins.acls.getUserPriority(auth)]
});
// is requester active
var active = server.authorization.build({
error: Boom.forbidden('Account Not Active'),
type: 'isActive',
server: server,
userId: userId
});
return Promise.all([allowed, notFirst, deleted, read, write, tLocked, pLocked, active]);
};