diff --git a/app/controllers/api/v1/File.controller.js b/app/controllers/api/v1/File.controller.js index 798e32f..68b6981 100644 --- a/app/controllers/api/v1/File.controller.js +++ b/app/controllers/api/v1/File.controller.js @@ -15,16 +15,7 @@ class File extends Controller { } async create_config(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) + const { page, node } = req.form const group = new FileGroup({ NodeId: node.UUID, 
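Review bot: create_config now reads `page` and `node` from `req.form` and dereferences `node.UUID` unconditionally, but nothing in the controller records that `middleware::api:DataInjection` must have run first; a route wired without it, or with `access_level: 'view'` instead of `'update'`, would surface as a TypeError on `req.form`/`node.UUID` rather than as an access denial. Add a class-level comment such as `// All handlers assume middleware::api:DataInjection has populated req.form.{page,node,file_group} and enforced the route's access_level; do not wire a route to this controller without it.`. The same note applies to the create_new hunks of FormCode.controller.js and FormDatabase.controller.js. The rest of create_config lies past the end of this hunk.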
@@ -47,70 +38,30 @@ class File extends Controller { } async get_config(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user)) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const group = await FileGroup.findOne({UUID: req.params.FilesId}) - if ( !group ) return res.status(404).message('Invalid file group.').api({}) - // if ( !group.accessible_by(req.user) ) return req.security.deny() + const { page, node, file_group } = req.form const File = this.models.get('upload::File') - const files = await File.find({_id: {$in: group.FileIds.map(x => ObjectId(x))}}) - group.files = files + file_group.files = await File.find({_id: {$in: file_group.FileIds.map(x => ObjectId(x))}}) - return res.api(group) + return res.api(file_group) } async save_upload(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const group = await FileGroup.findOne({UUID: req.params.FilesId}) - if ( !group ) return res.status(404).message('Invalid file group.').api({}) - // if ( !group.accessible_by(req.user) ) return req.security.deny() + const { page, node, file_group } = req.form let file_name = '' if ( req.uploads.uploaded_file ) { - group.FileIds.push(req.uploads.uploaded_file.id) + file_group.FileIds.push(req.uploads.uploaded_file.id) } - await group.version_save(`Added 
file${file_name ? ' "'+file_name+'"' : ''}`, req.user.id) + await file_group.version_save(`Added file${file_name ? ' "'+file_name+'"' : ''}`, req.user.id) return res.redirect(req.body.redirectTo ? req.body.redirectTo : '/') } async download(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user)) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) + const { page, node, file_group } = req.form - const group = await FileGroup.findOne({UUID: req.params.FilesId}) - if ( !group ) return res.status(404).message('Invalid file group.').api({}) - // if ( !group.accessible_by(req.user) ) return req.security.deny() - - if ( !group.FileIds.includes(req.params.FileId) ) { + if ( !file_group.FileIds.includes(req.params.FileId) ) { return req.security.deny() } @@ -122,22 +73,9 @@ class File extends Controller { } async delete_group(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const group = await FileGroup.findOne({UUID: req.params.FilesId}) - if ( !group ) return res.status(404).message('Invalid file group.').api({}) - // if ( !group.accessible_by(req.user) ) return req.security.deny() + const { page, node, file_group } = req.form - await group.delete() + await file_group.delete() return res.api({}) } } 
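Review bot: `page` and `node` are destructured in get_config, save_upload and delete_group but, as far as these hunks show, never read there, so `const { file_group } = req.form` is all those bodies need (download is the only one that keeps a check of its own, on `file_group.FileIds`). On the unchanged `return res.redirect(req.body.redirectTo ? req.body.redirectTo : '/')` line in save_upload the destination is taken straight from the request body, which makes the endpoint an open redirect for a logged-in user; only honour it when it is a same-origin path, e.g. `const target = req.body.redirectTo; return res.redirect(typeof target === 'string' && target.startsWith('/') && !target.startsWith('//') ? target : '/')`. Also in save_upload, `file_name` is declared as `''` and never assigned, so the version message is always just `Added file`. The delete_group hunk later on this line has the same unused bindings.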
diff --git a/app/controllers/api/v1/FormCode.controller.js b/app/controllers/api/v1/FormCode.controller.js index 36b0e35..880afa3 100644 --- a/app/controllers/api/v1/FormCode.controller.js +++ b/app/controllers/api/v1/FormCode.controller.js @@ -1,7 +1,5 @@ const Controller = require('libflitter/controller/Controller') const Codium = require('../../../models/api/Codium.model') -const Page = require('../../../models/api/Page.model') -const Node = require('../../../models/api/Node.model') /* * FormCode Controller @@ -11,16 +9,7 @@ const Node = require('../../../models/api/Node.model') class FormCode extends Controller { async create_new(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) + const { page, node } = req.form const code = new Codium({ NodeId: node.UUID, 
@@ -48,63 +37,25 @@ class FormCode extends Controller { } async get_config(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user)) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const code = await Codium.findOne({UUID: req.params.CodiumId}) - if ( !code ) return res.status(404).message('Unable to find code with that ID.').api({}) - - return res.api(code) + return res.api(req.form.codium) } async set_values(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const code = await Codium.findOne({UUID: req.params.CodiumId}) - if ( !code ) return res.status(404).message('Unable to find code with that ID.').api({}) - - code.code = req.body.code - code.Language = req.body.Language - code.NodeId = node.UUID - code.PageId = page.UUID - await code.version_save(`Updated in page "${page.Name}"`, req.user.id) - return res.api(code) + const { page, node, codium } = req.form + + codium.code = req.body.code + codium.Language = req.body.Language + codium.NodeId = node.UUID + codium.PageId = page.UUID + await codium.version_save(`Updated in page "${page.Name}"`, req.user.id) + return res.api(codium) } async drop_code(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not 
found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const code = await Codium.findOne({UUID: req.params.CodiumId}) - if ( !code ) return res.status(404).message('Unable to find code with that ID.').api({}) + const { codium } = req.form - code.Active = false - await code.version_save(`Deleted`, req.user.id) + codium.Active = false + await codium.version_save(`Deleted`, req.user.id) return res.api({}) } } diff --git a/app/controllers/api/v1/FormDatabase.controller.js b/app/controllers/api/v1/FormDatabase.controller.js index 4eb1e6f..adfa8e7 100644 --- a/app/controllers/api/v1/FormDatabase.controller.js +++ b/app/controllers/api/v1/FormDatabase.controller.js @@ -1,6 +1,4 @@ const Controller = require('libflitter/controller/Controller') -const Page = require('../../../models/api/Page.model') -const Node = require('../../../models/api/Node.model') const Database = require('../../../models/api/db/Database.model') const ColumnDef = require('../../../models/api/db/ColumnDef.model') const DBEntry = require('../../../models/api/db/DBEntry.model') @@ -13,16 +11,7 @@ const DBEntry = require('../../../models/api/db/DBEntry.model') class FormDatabase extends Controller { async create_new(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) + const { page, node } = req.form const db = new Database({ Name: req.body.name || req.body.Name || 'New Database', 
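Review bot: set_values copies `req.body.code` and `req.body.Language` onto the model without checking their type, so a missing or non-string value is persisted as-is and recorded by version_save; guard both, e.g. `if ( typeof req.body.code !== 'string' || typeof req.body.Language !== 'string' ) return res.status(400).message('code and Language must be strings.').api({})`. The following `codium.NodeId = node.UUID` and `codium.PageId = page.UUID` assignments are now effectively no-ops, because DataInjection already selected the codium by that PageId and NodeId; if they are kept on purpose to re-home older records, a one-line comment saying so would stop the next reader from removing them. drop_code's soft delete (`Active = false`) is consistent with the middleware's `Active: true` filter on Codium lookups.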
@@ -46,43 +35,16 @@ class FormDatabase extends Controller { } async get_config(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user)) ) return req.security.deny() - - const NodeId = req.params.NodeId + const { page, node, database } = req.form - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) - // if ( !db.accessible_by(req.user) ) return req.security.deny() - - return res.api(db) + return res.api(database) } async get_columns(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user)) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) + const { page, node, database } = req.form const columns = [] - for ( const col_id of db.ColumnIds ) { + for ( const col_id of database.ColumnIds ) { const rec = await ColumnDef.findOne({UUID: col_id}) if ( rec ) { rec.additionalData = rec.data() 
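Review bot: get_columns still issues one awaited `ColumnDef.findOne({UUID: col_id})` per entry of `database.ColumnIds`, an N+1 round trip on a read path; a single `ColumnDef.find({UUID: {$in: database.ColumnIds}})` followed by a reorder into `ColumnIds` order returns the same list with one query. `page` and `node` are destructured in get_config and get_columns but not used in the visible bodies, so `const { database } = req.form` suffices. The remainder of get_columns is outside this hunk.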
@@ -92,7 +54,7 @@ class FormDatabase extends Controller { // Fallback for backwards compat if ( columns.length < 1 ) { - return res.api((await ColumnDef.find({DatabaseId: db.UUID})).map(x => { + return res.api((await ColumnDef.find({DatabaseId: database.UUID})).map(x => { x.additionalData = x.data() return x })) 
@@ -108,50 +70,22 @@ class FormDatabase extends Controller { .api() } - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() + const { page, node, database } = req.form - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) - // if ( !db.accessible_by(req.user, 'update') ) return req.security.deny() - - if ( req.body.Name !== db.Name ) { - db.Name = req.body.Name - await db.version_save(`Changed database name to "${req.body.Name}"`, req.user.id) + if ( req.body.Name !== database.Name ) { + database.Name = req.body.Name + await database.version_save(`Changed database name to "${req.body.Name}"`, req.user.id) } else { - await db.save() + await database.save() } - return res.api(db) + return res.api(database) } async set_columns(req, res) { - const PageId = req.params.PageId + const { page, node, database } = req.form - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) - // if ( !db.accessible_by(req.user, 'update') ) return req.security.deny() - - 
const existing_columns = await ColumnDef.find({ DatabaseId: db.UUID }) + const existing_columns = await ColumnDef.find({ DatabaseId: database.UUID }) const assoc_columns = [] existing_columns.forEach(col => assoc_columns[col.UUID] = col) @@ -160,7 +94,7 @@ class FormDatabase extends Controller { if ( col.UUID && assoc_columns[col.UUID] ) { assoc_columns[col.UUID].headerName = col.headerName assoc_columns[col.UUID].field = col.field - assoc_columns[col.UUID].DatabaseId = db.UUID + assoc_columns[col.UUID].DatabaseId = database.UUID assoc_columns[col.UUID].Type = col.Type assoc_columns[col.UUID].additionalData = JSON.stringify(col.additionalData) await assoc_columns[col.UUID].version_save(`Updated in page "${page.Name}"`, req.user.id) @@ -169,7 +103,7 @@ class FormDatabase extends Controller { const new_col = new ColumnDef({ headerName: col.headerName, field: col.field, - DatabaseId: db.UUID, + DatabaseId: database.UUID, Type: col.Type, additionalData: JSON.stringify(col.additionalData), }) 
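Review bot: The method at the top of this hunk (set_name, going by db.routes.js; its opening is outside the hunk) assigns `req.body.Name` to `database.Name` and bakes it into the version message whenever it differs from the stored name, so unless the early return just above already rejects it, a missing or non-string Name is persisted as-is; a check such as `if ( typeof req.body.Name !== 'string' || req.body.Name.trim() === '' ) return res.status(400).message('Name must be a non-empty string.').api({})` ahead of the comparison covers that. In set_columns, the unchanged `existing_columns.forEach(col => assoc_columns[col.UUID] = col)` line uses an array as a dictionary that is later indexed with `col.UUID` values presumably taken from `req.body`, so inherited names such as `constructor` satisfy the `assoc_columns[col.UUID]` truthiness test and the subsequent `.version_save` call throws; a `Map` (`assoc_columns.get(col.UUID)` / `.has(...)`) avoids that. The two short hunks that follow on this line only rename `db` to `database`.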
@@ -193,62 +127,34 @@ class FormDatabase extends Controller { } const new_cols = update_columns.map(x => x.UUID) - const no_updates = (new_cols.length === db.ColumnIds.length) && (new_cols.every(val => db.ColumnIds.includes(val))); + const no_updates = (new_cols.length === database.ColumnIds.length) && (new_cols.every(val => database.ColumnIds.includes(val))); if ( !no_updates ) { - db.ColumnIds = new_cols - await db.version_save('Updated columns', req.user.id) + database.ColumnIds = new_cols + await database.version_save('Updated columns', req.user.id) } else { - await db.save() + await database.save() } return res.api(update_columns) } async get_data(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user)) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) - // if ( !db.accessible_by(req.user) ) return req.security.deny() + const { page, node, database } = req.form - const entries = await DBEntry.find({DatabaseId: db.UUID}) + const entries = await DBEntry.find({DatabaseId: database.UUID}) entries.forEach(entry => entry.RowData.UUID = entry.UUID) return res.api(entries) } async set_data(req, res) { - const PageId = req.params.PageId + const { page, node, database } = req.form - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await 
Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) - // if ( !db.accessible_by(req.user) ) return req.security.deny() - - await DBEntry.deleteMany({DatabaseId: db.UUID}) + await DBEntry.deleteMany({DatabaseId: database.UUID}) const new_recs = [] for ( const rec of req.body ) { - const data = {DatabaseId: db.UUID} + const data = {DatabaseId: database.UUID} if ( rec.UUID ) data.UUID = rec.UUID delete rec.UUID data.RowData = rec 
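Review bot: set_data executes `await DBEntry.deleteMany({DatabaseId: database.UUID})` before it inspects `req.body`, so a request whose body is not an array makes `for ( const rec of req.body )` throw after every existing row is already gone, with no version record of the loss. Validate the shape first, above the deleteMany: `if ( !Array.isArray(req.body) ) return res.status(400).message('Expected an array of rows.').api({})`. get_data and set_data both destructure `page` and `node` without using them in the visible code. set_data continues beyond the end of this hunk.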
@@ -259,30 +165,16 @@ class FormDatabase extends Controller { new_recs.push(dbe) } - await db.version_save('Updated data', req.user.id) - return res.api(await this._set_indices(db, new_recs)) + await database.version_save('Updated data', req.user.id) + return res.api(await this._set_indices(database, new_recs)) } async drop_database(req, res) { - const PageId = req.params.PageId - - let page = await Page.findOne({UUID: PageId}) - if ( !page ) return res.status(404).message('Page not found with that ID.').api({}) - if ( !(await page.is_accessible_by(req.user, 'update')) ) return req.security.deny() - - const NodeId = req.params.NodeId - - let node = await Node.findOne({UUID: NodeId}) - if ( !node ) return res.status(404).message('Node not found with that ID.').api({}) - - const DatabaseId = req.params.DatabaseId - const db = await Database.findOne({UUID: DatabaseId}) - if ( !db ) return res.status(404).message('Database not found with that ID.').api({}) - // if ( !db.accessible_by(req.user) ) return req.security.deny() + const { page, node, database } = req.form - await DBEntry.deleteMany({DatabaseId: db.UUID}) - await db.version_save('Deleted', req.user.id) - await db.delete() + await DBEntry.deleteMany({DatabaseId: database.UUID}) + await database.version_save('Deleted', req.user.id) + await database.delete() return res.api({}) } diff --git a/app/routing/middleware/api/DataInjection.middleware.js b/app/routing/middleware/api/DataInjection.middleware.js new file mode 100644 index 0000000..d3b0c24 --- /dev/null +++ b/app/routing/middleware/api/DataInjection.middleware.js 
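Review bot: drop_database hard-deletes the record with `database.delete()` immediately after `database.version_save('Deleted', req.user.id)`, whereas drop_code in FormCode.controller.js soft-deletes by setting `Active = false`, and the new DataInjection middleware already filters Database lookups on `Active: true`; if Database carries that flag, `database.Active = false` followed by the version_save (and no `delete()`) would keep the just-written history reachable and match the snippet behaviour. What `delete()` removes is not visible here, so confirm before changing it. `page` and `node` are unused in drop_database. The set_data lines at the top of the hunk belong to a method that begins outside it.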
@@ -0,0 +1,110 @@ +const { Middleware } = require('libflitter') + +class DataInjectionMiddleware extends Middleware { + static get services() { + return [...super.services, 'models'] + } + + // manage, update, view + async test(req, res, next, { access_level = 'view' }) { + if ( !req.user ) { + return res.status(401) + .message('Unauthenticated session.') + .api() + } + + if ( !req.form ) req.form = {} + + // Try to load in the page + if ( !req.params.PageId ) return next() + + const Page = this.models.get('api:Page') + const page = await Page.findOne({ UUID: req.params.PageId }) + if ( !page ) { + return res.status(404) + .message('Invalid page ID.') + .api() + } + + // Make sure the user has access to the given page + if ( !(await page.is_accessible_by(req.user, access_level)) ) { + return res.status(401).api() + } + + req.form.page = page + + // Try to load in the node + if ( req.params.NodeId ) { + const Node = this.models.get('api:Node') + const node = await Node.findOne({ UUID: req.params.NodeId }) + + if ( !node || !page.NodeIds.includes(node.UUID) ) { + return res.status(404) + .message('Invalid node ID.') + .api() + } + + req.form.node = node + } + + // Try to load in the code snippets + if ( req.params.CodiumId ) { + const Codium = this.models.get('api:Codium') + const codium = await Codium.findOne({ + UUID: req.params.CodiumId, + Active: true, + PageId: req.params.PageId, + ...(req.form.node ? {NodeId: req.form.node.UUID} : {}), + }) + + if ( !codium ) { + return res.status(404) + .message('Invalid code snippet ID.') + .api() + } + + req.form.codium = codium + } + + // Try to load in the database + if ( req.params.DatabaseId ) { + const Database = this.models.get('api:db:Database') + const database = await Database.findOne({ + UUID: req.params.DatabaseId, + Active: true, + PageId: req.params.PageId, + ...(req.form.node ? 
{NodeId: req.form.node.UUID} : {}), + }) + + if ( !database ) { + return res.status(404) + .message('Invalid database ID.') + .api() + } + + req.form.database = database + } + + // Try to load in the file group + if ( req.params.FilesId ) { + const FileGroup = this.models.get('api:FileGroup') + const file_group = await FileGroup.findOne({ + UUID: req.params.FilesId, + PageId: req.params.PageId, + ...(req.form.node ? {NodeId: req.form.node.UUID} : {}), + }) + + if ( !file_group ) { + return res.status(404) + .message('Invalid file group ID.') + .api() + } + + req.form.file_group = file_group + } + + return next() + } +} + +module.exports = exports = DataInjectionMiddleware diff --git a/app/routing/routers/api/v1/code.routes.js b/app/routing/routers/api/v1/code.routes.js index a2f9640..7cf0eb9 100644 --- a/app/routing/routers/api/v1/code.routes.js +++ b/app/routing/routers/api/v1/code.routes.js 
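Review bot: `async test(req, res, next, { access_level = 'view' })` destructures the options argument but gives the argument itself no default, so if the middleware is ever referenced in the bare string form (as every route used before this commit) the call throws a TypeError instead of falling back to 'view'; write `async test(req, res, next, { access_level = 'view' } = {})` (whether libflitter always passes an object is not visible here). `access_level` is forwarded to `is_accessible_by` unchecked, so a typo in a route file would silently take whatever that method does with an unknown level; validating it against the three values in the `// manage, update, view` comment and throwing would catch that at wiring time. The denial after `is_accessible_by` answers 401 to a user who is authenticated but lacks the level, while the unauthenticated branch above already owns 401; 403 is the conventional status there. The FileGroup lookup is the only one without `Active: true`, so if FileGroup has that flag, soft-deleted groups stay reachable through this middleware.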
@@ -6,17 +6,33 @@ module.exports = exports = { get: { // Get the code ref node config for the specified code editor - '/:PageId/:NodeId/get/:CodiumId': ['middleware::auth:ApiRoute', 'controller::api:v1:FormCode.get_config'], + '/:PageId/:NodeId/get/:CodiumId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'view' }], + 'controller::api:v1:FormCode.get_config', + ], }, post: { // Create a new code ref config - '/:PageId/:NodeId/create': ['middleware::auth:ApiRoute', 'controller::api:v1:FormCode.create_new'], + '/:PageId/:NodeId/create': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormCode.create_new', + ], // Set the data for the specified code ref - '/:PageId/:NodeId/set/:CodiumId': ['middleware::auth:ApiRoute', 'controller::api:v1:FormCode.set_values'], + '/:PageId/:NodeId/set/:CodiumId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormCode.set_values', + ], // delete the specified code ref - '/:PageId/:NodeId/delete/:CodiumId': ['middleware::auth:ApiRoute', 'controller::api:v1:FormCode.drop_code'], + '/:PageId/:NodeId/delete/:CodiumId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormCode.drop_code', + ], }, } diff --git a/app/routing/routers/api/v1/db.routes.js b/app/routing/routers/api/v1/db.routes.js index 791d32a..2d15458 100644 --- a/app/routing/routers/api/v1/db.routes.js +++ b/app/routing/routers/api/v1/db.routes.js 
@@ -6,29 +6,61 @@ module.exports = exports = { get: { // Get the database ref node config for the specified database - '/:PageId/:NodeId/get/:DatabaseId': ['middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.get_config'], + '/:PageId/:NodeId/get/:DatabaseId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'view' }], + 'controller::api:v1:FormDatabase.get_config', + ], // Get the column config records for the specified database - '/:PageId/:NodeId/get/:DatabaseId/columns': [ 'middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.get_columns' ], + '/:PageId/:NodeId/get/:DatabaseId/columns': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'view' }], + 'controller::api:v1:FormDatabase.get_columns', + ], // Get the row records for the specified database - '/:PageId/:NodeId/get/:DatabaseId/data': [ 'middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.get_data' ], + '/:PageId/:NodeId/get/:DatabaseId/data': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'view' }], + 'controller::api:v1:FormDatabase.get_data', + ], }, post: { // Create a new database ref config - '/:PageId/:NodeId/create': ['middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.create_new'], + '/:PageId/:NodeId/create': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormDatabase.create_new', + ], // Set the column configs for a database ref - '/:PageId/:NodeId/set/:DatabaseId/columns': [ 'middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.set_columns' ], + '/:PageId/:NodeId/set/:DatabaseId/columns': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormDatabase.set_columns', + ], // Set the database name - '/:PageId/:NodeId/set/:DatabaseId/Name': [ 'middleware::auth:ApiRoute', 
'controller::api:v1:FormDatabase.set_name' ], + '/:PageId/:NodeId/set/:DatabaseId/Name': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormDatabase.set_name', + ], // Delete the specified database ref - '/:PageId/:NodeId/drop/:DatabaseId': [ 'middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.drop_database' ], + '/:PageId/:NodeId/drop/:DatabaseId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormDatabase.drop_database', + ], // Set the row data for the specified database ref - '/:PageId/:NodeId/set/:DatabaseId/data': ['middleware::auth:ApiRoute', 'controller::api:v1:FormDatabase.set_data'], + '/:PageId/:NodeId/set/:DatabaseId/data': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:FormDatabase.set_data', + ], }, } diff --git a/app/routing/routers/api/v1/files.routes.js b/app/routing/routers/api/v1/files.routes.js index da5a19f..dc22758 100644 --- a/app/routing/routers/api/v1/files.routes.js +++ b/app/routing/routers/api/v1/files.routes.js 
@@ -6,21 +6,42 @@ module.exports = exports = { get: { // Get the file ref node config for the specified file ref - '/:PageId/:NodeId/get/:FilesId': ['middleware::auth:ApiRoute', 'controller::api:v1:File.get_config'], + '/:PageId/:NodeId/get/:FilesId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'view' }], + 'controller::api:v1:File.get_config', + ], // Download the specified file ID from the specified file ref node - '/:PageId/:NodeId/get/:FilesId/:FileId': ['middleware::auth:ApiRoute', 'controller::api:v1:File.download'], + '/:PageId/:NodeId/get/:FilesId/:FileId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'view' }], + 'controller::api:v1:File.download', + ], }, post: { // FIXME - files, not file. Fix in front-end! // Upload the file in the 'uploaded_file' key to the specified file ref node - '/file/upload/:PageId/:NodeId/:FilesId': ['middleware::auth:ApiRoute', 'middleware::upload:UploadFile', 'controller::api:v1:File.save_upload'], + '/file/upload/:PageId/:NodeId/:FilesId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'middleware::upload:UploadFile', + 'controller::api:v1:File.save_upload', + ], // Create a new file ref node - '/:PageId/:NodeId/create': ['middleware::auth:ApiRoute', 'controller::api:v1:File.create_config'], + '/:PageId/:NodeId/create': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:File.create_config', + ], // Delete a file ref node and its files - '/:PageId/:NodeId/delete/:FilesId': ['middleware::auth:ApiRoute', 'controller::api:v1:File.delete_group'], + '/:PageId/:NodeId/delete/:FilesId': [ + 'middleware::auth:ApiRoute', + ['middleware::api:DataInjection', { access_level: 'update' }], + 'controller::api:v1:File.delete_group', + ], }, }
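Review bot: The upload entry lists `middleware::api:DataInjection` ahead of `middleware::upload:UploadFile`, which is the order that matters here (page/node/group resolution and the 'update' check run before the upload middleware handles the body), but nothing records that the order is deliberate, so a later reshuffle would regress it silently. Add `// DataInjection must precede UploadFile so unauthorised uploads are rejected before the file is processed.` above that route. The same access-level mapping (view for get, update for post) is applied in code.routes.js and db.routes.js.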