Add perm to ensure agreement is own (#298)

* Add perm to ensure agreement is own

* Change require path for test

Author: Wardormeur

config/perm/agreements.js

@@ -4,6 +4,10 @@ module.exports = function(){
   return {
     'load': [{
       role: 'basic-user',
+      customValidator: [{
+        role: 'cd-agreements',
+        cmd: 'is_own_agreement',
+      }],
     }],
 
     'save': [{
@@ -14,6 +18,10 @@ module.exports = function(){
     }],
     'loadUserAgreement': [{
       role: 'basic-user',
+      customValidator: [{
+        role: 'cd-users',
+        cmd: 'is_self'
+      }]
     }],
     'list': [{
       role: 'cdf-admin',

agreements.js renamed to lib/agreements/index.js

@@ -13,6 +13,7 @@ module.exports = function (options) {
   seneca.add({role: plugin, cmd: 'load'}, cmd_load);
   seneca.add({role: plugin, cmd: 'getVersion'}, cmd_get_version);
   seneca.add({role: plugin, cmd: 'loadUserAgreement'}, cmd_load_user_agreement);
+  seneca.add({role: plugin, cmd: 'is_own_agreement'}, require('./is-own-agreement'));
 
   function cmd_get_version (args, done) {
     var version = 2;

lib/agreements/is-own-agreement.js

@@ -0,0 +1,24 @@
+'use strict';
+var async = require('async');
+var _ = require('lodash');
+
+
+function isOwnAgreement (args, cb) {
+  const seneca = this;
+  const plugin = args.role;
+  const userId = args.user.id;
+  const id = args.params.id;
+  seneca.act({ role: 'cd-agreements', cmd: 'load', id }, function (err, agreement) {
+    if (err) {
+      seneca.log.error(seneca.customValidatorLogFormatter('cd-agreements', 'isOwnAgreement', err, { id, userId }));
+      return cb(null, {'allowed': false});
+    }
+    var isSelf = false;
+    if (agreement.userId === userId) {
+      isSelf = true;
+    }
+    return cb(null, {'allowed': isSelf});
+  });
+}
+
+module.exports = isOwnAgreement;

service.js

@@ -52,7 +52,7 @@ require('./migrate-psql-db.js')(function (err) {
   console.log('Migrations ok');
 
   seneca.use(require('./email-notifications.js'));
-  seneca.use(require('./agreements.js'));
+  seneca.use(require('./lib/agreements'));
   seneca.use(require('./profiles.js'),
             { postgresql: config['postgresql-store'],
               logger: log.logger

test/users-spec.js

@@ -20,7 +20,7 @@ if (using_postgres) seneca.use('postgresql-store', config["postgresql-store"]);
 
 seneca
   .use(__dirname + '/../users.js', { 'postgresql': config['postgresql-store'], 'users': config['users']})
-  .use(__dirname + '/../agreements.js')
+  .use(__dirname + '/../lib/agreements')
   .use(__dirname + '/../profiles.js')
   .use(__dirname + '/../email-notifications.js')
   .use(__dirname + '/stubs/cd-nodebb-api.js')