handler: (request, reply) => { const buildFactory = request.server.app.buildFactory; const stepFactory = request.server.app.stepFactory; const buildId = request.params.id; const stepName = request.params.name; const buildIdCred = request.auth.credentials.username; let stepIndex = -1; if (buildId !== buildIdCred) { return reply(boom.forbidden(`Credential only valid for ${buildIdCred}`)); } // Make sure build exists return buildFactory.get(buildId) .then((build) => { if (!build) { throw boom.notFound('Build does not exist'); } const now = (new Date()).toISOString(); // Check if step model exists return stepFactory.get({ buildId, name: stepName }) .then((step) => { if (!step) { // Update build steps if no step model const steps = build.steps; stepIndex = steps.findIndex(s => s.name === stepName); if (stepIndex === -1) { throw boom.notFound('Step does not exist'); } if (request.payload.code !== undefined) { steps[stepIndex].code = request.payload.code; steps[stepIndex].endTime = request.payload.endTime || now; } else if (request.payload.lines !== undefined) { steps[stepIndex].lines = request.payload.lines; } else { steps[stepIndex].startTime = request.payload.startTime || now; } build.steps = steps; return build.update() .then(b => b.steps[stepIndex]); } // Update step model directly if it exists if (request.payload.code !== undefined) { step.code = request.payload.code; step.endTime = request.payload.endTime || now; } else if (request.payload.lines !== undefined) { step.lines = request.payload.lines; } else { step.startTime = request.payload.startTime || now; } return step.update(); }); }) .then(updatedStep => reply(updatedStep).code(200)) .catch(err => reply(boom.boomify(err))); },
server.ext('onPostAuth', (request, h) => { // If skip function enabled. Call it and if returns true, do not attempt to do anything with crumb. if (settings.skip && settings.skip(request, h)) { return h.continue; } // Validate incoming crumb if (typeof request.route.settings.plugins._crumb === 'undefined') { if (request.route.settings.plugins.crumb || !request.route.settings.plugins.hasOwnProperty('crumb') && settings.autoGenerate) { request.route.settings.plugins._crumb = Hoek.applyToDefaults(routeDefaults, request.route.settings.plugins.crumb || {}); } else { request.route.settings.plugins._crumb = false; } } // Set crumb cookie and calculate crumb if ((settings.autoGenerate || request.route.settings.plugins._crumb) && (request.route.settings.cors ? checkCORS(request) : true)) { generate(request, h); } // Validate crumb let routeIsRestful; if (request.route.settings.plugins._crumb && request.route.settings.plugins._crumb.restful !== undefined) { routeIsRestful = request.route.settings.plugins._crumb.restful; } if (routeIsRestful === false || !routeIsRestful && settings.restful === false) { if (request.method !== 'post' || !request.route.settings.plugins._crumb) { return h.continue; } const content = request[request.route.settings.plugins._crumb.source]; if (!content || content instanceof Stream) { throw Boom.forbidden(); } if (content[request.route.settings.plugins._crumb.key] !== request.plugins.crumb) { throw Boom.forbidden(); } // Remove crumb delete request[request.route.settings.plugins._crumb.source][request.route.settings.plugins._crumb.key]; } else { if (request.method !== 'post' && request.method !== 'put' && request.method !== 'patch' && request.method !== 'delete' || !request.route.settings.plugins._crumb) { return h.continue; } const header = request.headers['x-csrf-token']; if (!header) { throw Boom.forbidden(); } if (header !== request.plugins.crumb) { throw Boom.forbidden(); } } return h.continue; });
method: function (request, reply) { return reply(Boom.forbidden()); },
getTagsAndLocationsByIds(user.tags, user.locations, function( err, initial ) { // only admin can edit admin if (user.user_type === "admin" && loggedIn.scope === "content-owner") { return reply(Boom.forbidden()); } user.tags = initial.tags; getOrg(user.org_id, function(pgErrOrg, org) { user.org_name = org.org.name; getUsersChallenges(profileId, function(pgErr, challenges) { Hoek.assert(!pgErr, "database error"); var userTypes = helpers.userTypeRadios(user.user_type); var tagList = tags.tags; challenges.forEach(function(c) { c.org_name = org.org.name; c.org_id = org.org.id; c.creator_id = parseInt(profileId); }); var tagCat = {}; var locCat = {}; var options = Object.assign( permissions, { user: user }, { initialTags: JSON.stringify(initial.tags) }, { tagList: tagList }, { initialLocations: JSON.stringify(initial.locations) }, { challenges: challenges }, { loggedInUser: request.pre.user } ); var initialCategories = options.tagList .filter(function(t) { return t.selected; }) .map(function(t) { return { category_id: t.category_id, category_name: t.category_name }; }); options.initialCategories = JSON.stringify(initialCategories); // crate a map tag -> catgory tagList.forEach(function(cat) { cat.tags.forEach(function(t) { tagCat[t.tag_id] = { category_id: cat.category_id, category_name: cat.category_name }; }); }); options.tagCat = JSON.stringify(tagCat); options.locCat = JSON.stringify([]); return reply.view("people/profile", options); }); }); });
.then(function(running) { if (running) { return true; } else { return Promise.reject(Boom.forbidden('Poll is Expired')); } });
const Boom = require('boom'); const Operation = require('../models/Operation'); /** * @module OperationsPolicy * @description Operations Policy */ module.exports = { async canUpdateOperation(request) { // If user is a global manager or admin, allow it if (request.auth.credentials.is_admin || request.auth.credentials.isManager) { return true; } // Otherwise check if it is a manager of the operation list const op = await Operation.findOne({ _id: request.params.id }).populate('managers'); if (!op) { throw Boom.notFound(); } if (op.managersIndex(request.auth.credentials) !== -1) { return true; } throw Boom.forbidden(); }, };
.then(function(voted) { if (!voted) { return true; } else { return Promise.reject(Boom.forbidden('Already Voted')); } });
.then(function(locked) { if (!locked) { return true; } else { return Promise.reject(Boom.forbidden('Poll is Locked')); } });
module.exports = function (server, auth, params, payload) { var threadId = params.threadId; var pollId = params.pollId; var answerLength = payload.answerIds.length; var userId = auth.credentials.id; // check base permission var allowed = server.authorization.build({ error: Boom.forbidden(), type: 'hasPermission', server: server, auth: auth, permission: 'threads.vote.allow' }); // read board var read = server.authorization.build({ error: Boom.notFound('Board Not Found'), type: 'dbValue', method: server.db.threads.getThreadsBoardInBoardMapping, args: [threadId, server.plugins.acls.getUserPriority(auth)] }); // is requester active var active = server.authorization.build({ error: Boom.forbidden('Account Not Active'), type: 'isActive', server: server, userId: userId }); // Check that user isn't banned from this board var notBannedFromBoard = server.authorization.common.isNotBannedFromBoard(Boom.forbidden('You are banned from this board'), server, userId, { threadId: threadId }); // Check if has poll exists var exists = server.db.polls.exists(threadId) .then(function(exists) { if (exists) { return true; } else { return Promise.reject(Boom.badRequest('Poll Does Not Exists')); } }); // Check if has voted already var vote = server.db.polls.hasVoted(threadId, userId) .then(function(voted) { if (!voted) { return true; } else { return Promise.reject(Boom.forbidden('Already Voted')); } }); // Check if poll is unlocked var unlocked = server.db.polls.isLocked(pollId) .then(function(locked) { if (!locked) { return true; } else { return Promise.reject(Boom.forbidden('Poll is Locked')); } }); // Check if poll is still running var running = server.db.polls.isRunning(pollId) .then(function(running) { if (running) { return true; } else { return Promise.reject(Boom.forbidden('Poll is Expired')); } }); // Check if vote is valid var valid = server.db.polls.maxAnswers(pollId) .then(function(maxAnswers) { if (maxAnswers && maxAnswers >= answerLength) { return true; } else { return Promise.reject(Boom.badRequest('Too Many Answers')); } }); return Promise.all([allowed, read, notBannedFromBoard, active, exists, vote, unlocked, running, valid]); };
Product.searchProduct(query, function(err, result) { if (!err) { return reply(result); } else reply(Boom.forbidden(err)); });
Product.createProduct(request.payload, function(err, response) { if (!err) reply(response); else reply(Boom.forbidden(err)); });
.then(function(note) { if (note.user_id === userId) { return true; } else { return Promise.reject(Boom.forbidden('Only the author can update this note')); } });
module.exports = function postsDelete(server, auth, postId) { var userId = auth.credentials.id; // check base permissions var allowed = server.authorization.build({ error: Boom.forbidden(), type: 'hasPermission', server: server, auth: auth, permission: 'posts.delete.allow' }); // is not first post var notFirst = server.authorization.build({ error: Boom.forbidden(), type: 'isNotFirstPost', method: server.db.posts.getThreadFirstPost, args: [postId] }); // Is user self moderator and do they have priority to hide post var selfModCond = [ { // permission based override error: Boom.forbidden(), type: 'isMod', method: server.db.moderators.isModeratorSelfModerated, args: [userId, postId], permission: 'posts.delete.bypass.owner.selfMod' }, common.hasPriority(server, auth, 'posts.delete.bypass.owner.selfMod', postId) ]; var selfMod = server.authorization.stitch(Boom.forbidden(), selfModCond, 'all'); // User has priority permission var prioritySelfModCond = [ { // permission based override error: Boom.forbidden(), type: 'isMod', method: server.db.moderators.isModeratorSelfModerated, args: [userId, postId], permission: 'posts.delete.bypass.owner.priority' }, // The boolean at the end tells hasPriority to pass if auth user is Patroller and post creator is a user common.hasPriority(server, auth, 'posts.delete.bypass.owner.priority', postId, true) ]; var prioritySelfMod = server.authorization.stitch(Boom.forbidden(), prioritySelfModCond, 'all'); // is post alright to delete var deleteCond = [ { // permission based override type: 'hasPermission', error: Boom.forbidden(), server: server, auth: auth, permission: 'posts.delete.bypass.owner.admin' }, { // is post owner type: 'isOwner', method: server.db.posts.find, args: [postId], userId: userId }, { // is board mod type: 'isMod', method: server.db.moderators.isModeratorWithPostId, args: [userId, postId], permission: server.plugins.acls.getACLValue(auth, 'posts.delete.bypass.owner.mod') }, selfMod, // Has priority permission prioritySelfMod, common.hasPriority(server, auth, 'posts.delete.bypass.owner.priority', postId) ]; var deleted = server.authorization.stitch(Boom.forbidden(), deleteCond, 'any'); // is thread locked var tLockedCond = [ { // permission based override type: 'hasPermission', server: server, auth: auth, permission: 'posts.delete.bypass.locked.admin' }, { // is thread locked type: 'dbNotProp', method: server.db.posts.getPostsThread, args: [postId], prop: 'locked' }, { // is board moderator type: 'isMod', method: server.db.moderators.isModeratorWithPostId, args: [userId, postId], permission: server.plugins.acls.getACLValue(auth, 'posts.delete.bypass.locked.mod') } ]; var tLocked = server.authorization.stitch(Boom.forbidden('Thread Locked'), tLockedCond, 'any'); // post locked var pLocked = server.authorization.build({ error: Boom.forbidden('Post is locked'), type: 'dbNotProp', method: server.db.posts.find, args: [postId], prop: 'locked' }); // read board var read = server.authorization.build({ error: Boom.notFound('Board Not Found'), type: 'dbValue', method: server.db.posts.getPostsBoardInBoardMapping, args: [postId, server.plugins.acls.getUserPriority(auth)] }); // write board var write = server.authorization.build({ error: Boom.forbidden('No Write Access'), type: 'dbValue', method: server.db.posts.getBoardWriteAccess, args: [postId, server.plugins.acls.getUserPriority(auth)] }); // is requester active var active = server.authorization.build({ error: Boom.forbidden('Account Not Active'), type: 'isActive', server: server, userId: userId }); return Promise.all([allowed, notFirst, deleted, read, write, tLocked, pLocked, active]); };