#4 - add support for sharing pages publicly, without login

app/controllers/api/v1/Sharing.controller.js

@@ -12,17 +12,30 @@ class Sharing extends Controller {
 
     async share_page(req, res) {
         const level = req.form.level
-        await req.form.page.share_with(req.form.user, level)
+
+        if ( req.query.public ) {
+            await req.form.page.share_public(req.user, level)
+        } else if ( req.form.user ) {
+            await req.form.page.share_with(req.form.user, level)
+        }
+
         return res.api({})
     }
 
     async revoke_page(req, res) {
-        await req.form.page.unshare_with(req.form.user)
+        if ( req.query.public ) {
+            await req.form.page.unshare_public(req.user)
+        } else if ( req.form.user ) {
+            await req.form.page.unshare_with(req.form.user)
+        }
+
         return res.api({})
     }
 
     async page_info(req, res) {
-         const data = {
+        const PublicUserPermission = this.models.get('auth:PublicUserPermission')
+
+        const data = {
             view: (await req.form.page.view_users).map(x => {
                 return {username: x.uid, id: x.id, level: 'view'}
             }),
@@ -34,10 +47,25 @@ class Sharing extends Controller {
             }),
         }
 
+        const public_user_can = async perm => PublicUserPermission.can(`page:${req.form.page.UUID}:${perm}`)
+
+        if ( await public_user_can('manage') ) {
+            data.manage.push({ username: '(Public Users)', public: true, id: '0', level: 'manage' })
+        } else if ( await public_user_can('update') ) {
+            data.update.push({ username: '(Public Users)', public: true, id: '0', level: 'update' })
+        } else if ( await public_user_can('view') ) {
+            data.view.push({ username: '(Public Users)', public: true, id: '0', level: 'view' })
+        }
+
         return res.api(data)
     }
 
     async get_link(req, res) {
+        if ( req.query.public ) {
+            await req.form.page.share_public(req.user, req.form.level)
+            return res.api({})
+        }
+
         const KeyAction = this.models.get('auth:KeyAction')
         const in_1_week = new Date
         in_1_week.setDate(in_1_week.getDate() + 7)
@@ -57,6 +85,24 @@ class Sharing extends Controller {
         return res.api({ link: action.auth_url() })
     }
 
+    async permission_check(req, res) {
+        return res.api({
+            check: await req.user.can(req.form.permission),
+        })
+    }
+
+    async permission_check_page(req, res) {
+        const Page = this.models.get('api:Page')
+        const page = await Page.findOne({
+            UUID: req.params.PageId,
+            Active: true,
+        })
+
+        return res.api({
+            check: page && (await page.is_accessible_by(req.user, req.params.level)),
+        })
+    }
+
     async accept_link(req, res) {
         if ( !req.user ) return req.security.kickout()
         const Page = this.models.get('api:Page')

app/models/api/Page.model.js

@@ -106,7 +106,7 @@ class Page extends VersionedModel {
         return visible
     }
 
-    is_shared() {
+    is_shared() {  // TODO: public user sharing...
         return this.shared_users_view.length > 0 || this.shared_users_update.length > 0 || this.shared_users_manage.length > 0
     }
 
@@ -215,6 +215,46 @@ class Page extends VersionedModel {
         else return false
     }
 
+    async share_public(current_user, level = 'view') {
+        const PublicUserPermission = this.models.get('auth:PublicUserPermission')
+
+        if ( !['view', 'update', 'manage'].includes(level) ) {
+            throw new Error(`Invalid share level: ${level}`)
+        }
+
+        const possible_grants = [':view', ':manage', ':update', ''].map(x => `page:${this.UUID}${x}`)
+
+        // Remove existing sharing info
+        await PublicUserPermission.deleteMany({
+            permission: {
+                $in: possible_grants,
+            },
+        })
+
+        // Create the new sharing level
+        const share = new PublicUserPermission({
+            associated_user_id: this.OrgUserId,
+            permission: `page:${this.UUID}:${level}`,
+        })
+
+        await this.version_save(`Shared publicly (${level} access)`, current_user.id)
+        await share.save()
+    }
+
+    async unshare_public(current_user) {
+        const PublicUserPermission = this.models.get('auth:PublicUserPermission')
+        const possible_grants = [':view', ':manage', ':update', ''].map(x => `page:${this.UUID}${x}`)
+
+        // Remove existing sharing info
+        await PublicUserPermission.deleteMany({
+            permission: {
+                $in: possible_grants,
+            },
+        })
+
+        await this.version_save(`Un-shared public access)`, current_user.id)
+    }
+
     async share_with(user, level = 'view') {
         if ( !['view', 'update', 'manage'].includes(level) ) {
             throw new Error(`Invalid share level: ${level}`)

app/models/auth/PublicUserPermission.model.js

@@ -12,10 +12,18 @@ class PublicUserPermissionModel extends Model {
     }
 
     static async can(permission) {
-        const permission_parts = permission.split(':');
+        const permission_parts = permission.split(':')
+        const permission_checks = []
+        const current_check = []
+
+        for ( const part of permission_parts ) {
+            current_check.push(part)
+            permission_checks.push(current_check.join(':'))
+        }
+
         const match = await this.findOne({
             permission: {
-                $in: permission_parts
+                $in: permission_checks
             }
         })
 

app/models/auth/User.model.js

@@ -76,6 +76,14 @@ class User extends AuthUser {
     is_public_user() {
         return false
     }
+
+    async can(permission) {
+        if ( super.can(permission) ) return true
+
+        const PublicUserPermission = this.models.get('auth:PublicUserPermission')
+        return await PublicUserPermission.can(permission)
+    }
 }
 
+
 module.exports = exports = User

app/routing/middleware/api/UserRoute.middleware.js

@@ -16,14 +16,14 @@ class UserRoute extends Middleware {
      * It should either call the next function in the stack,
      * or it should handle the response accordingly.
      */
-    async test(req, res, next, args = {}){
+    async test(req, res, next, {allow_public_user = false}){
         const User = this.models.get('auth:User')
         const user_id = req.form.user_id ? req.form.user_id : req.params.user_id
 
         if ( !user_id ) return res.status(400).message('Midding user_id.').api({})
 
         const user = await User.findById(user_id)
-        if ( !user ) return res.status(404).message('Unable to find user with that ID.').api({})
+        if ( !user && !allow_public_user ) return res.status(404).message('Unable to find user with that ID.').api({})
 
         if ( !req.form ) req.form = {}
         req.form.user = user

app/routing/middleware/auth/ApiRoute.middleware.js

@@ -5,7 +5,7 @@ class ApiRoute extends Middleware {
         return [...super.services, 'models']
     }
 
-    async test(req, res, next, { allow_public = false }) {
+    async test(req, res, next, { allow_public = true }) {
         // If we have an authenticated session, just continue
         if ( req.is_auth ) {
             return next()

app/routing/routers/api/v1/sharing.routes.js

@@ -7,17 +7,15 @@ const index = {
 
     prefix: '/api/v1/share',
 
-    middleware: [
-        'auth:UserOnly',
-    ],
-
     get: {
         '/page/:PageId/info': [
+            'middleware::auth:UserOnly',
             ['middleware::api:RequiredFields', { form: 'sharing.page' }],
             ['middleware::api:PageRoute', {level: 'manage'}],
             'controller::api:v1:Sharing.page_info',
         ],
         '/page/:PageId/link/:level': [
+            'middleware::auth:UserOnly',
             ['middleware::api:RequiredFields', { form: 'sharing.page_link'}],
             ['middleware::api:PageRoute', {level: 'manage'}],
             'controller::api:v1:Sharing.get_link',
@@ -27,19 +25,34 @@ const index = {
     post: {
         // Share a page with the specified user.
         '/page/:PageId/share': [
+            'middleware::auth:UserOnly',
             ['middleware::api:RequiredFields', { form: 'sharing.page_level' }],
             ['middleware::api:PageRoute', {level: 'manage'}],
-            'middleware::api:UserRoute',
+            ['middleware::api:UserRoute', { allow_public_user: true }],
             'controller::api:v1:Sharing.share_page',
         ],
 
         // Unshare a page with the specified user.
         '/page/:PageId/revoke': [
+            'middleware::auth:UserOnly',
             ['middleware::api:RequiredFields', { form: 'sharing.page_user' }],
             ['middleware::api:PageRoute', {level: 'manage'}],
-            'middleware::api:UserRoute',
+            ['middleware::api:UserRoute', { allow_public_user: true }],
             'controller::api:v1:Sharing.revoke_page',
         ],
+
+        // Check the public user's access to a given resource
+        '/check': [
+            ['middleware::api:RequiredFields', { form: 'sharing.permission_check'}],
+            ['middleware::auth:ApiRoute', { allow_public: true }],
+            'controller::api:v1:Sharing.permission_check',
+        ],
+
+        // Check the public user's access to a given page
+        '/check-page/:PageId/:level': [
+            ['middleware::auth:ApiRoute', { allow_public: true }],
+            'controller::api:v1:Sharing.permission_check_page',
+        ],
     },
 }
 

config/api/forms/sharing.config.js

@@ -52,4 +52,13 @@ module.exports = exports = {
             },
         },
     },
+
+    permission_check: {
+        fields: {
+            permission: {
+                required: true,
+                coerce: String,
+            },
+        },
+    },
 }