Merge pull request #1014 from rubensworks/change/delete-permissions

kjetilk · web-flow · commit 2fbe582f8226 · 2018-12-10T10:57:56.000+01:00
Make DELETE require write permissions on container
diff --git a/lib/handlers/allow.js b/lib/handlers/allow.js
@@ -1,13 +1,14 @@
 module.exports = allow
 
 const $rdf = require('rdflib')
+const path = require('path')
 const ACL = require('../acl-checker')
 const debug = require('../debug.js').ACL
 const fs = require('fs')
 const { promisify } = require('util')
 const HTTPError = require('../http-error')
 
-function allow (mode) {
+function allow (mode, checkPermissionsForDirectory) {
   return async function allowHandler (req, res, next) {
     const ldp = req.app.locals.ldp || {}
     if (!ldp.webid) {
@@ -19,26 +20,31 @@ function allow (mode) {
 
     // Determine the actual path of the request
     // (This is used as an ugly hack to check the ACL status of other resources.)
-    let reqPath = res && res.locals && res.locals.path
+    let resourcePath = res && res.locals && res.locals.path
       ? res.locals.path
       : req.path
 
+    // Check permissions of the directory instead of the file itself.
+    if (checkPermissionsForDirectory) {
+      resourcePath = path.dirname(resourcePath)
+    }
+
     // Check whether the resource exists
     let stat
     try {
-      const ret = await ldp.exists(req.hostname, reqPath)
+      const ret = await ldp.exists(req.hostname, resourcePath)
       stat = ret.stream
     } catch (err) {
       stat = null
     }
 
     // Ensure directories always end in a slash
-    if (!reqPath.endsWith('/') && stat && stat.isDirectory()) {
-      reqPath += '/'
+    if (!resourcePath.endsWith('/') && stat && stat.isDirectory()) {
+      resourcePath += '/'
     }
 
     // Obtain and store the ACL of the requested resource
-    req.acl = new ACL(rootUrl + reqPath, {
+    req.acl = new ACL(rootUrl + resourcePath, {
       agentOrigin: req.get('origin'),
       // host: req.get('host'),
       fetch: fetchFromLdp(ldp.resourceMapper),
diff --git a/lib/ldp-middleware.js b/lib/ldp-middleware.js
@@ -26,7 +26,7 @@ function LdpMiddleware (corsSettings) {
   router.post('/*', allow('Append'), post)
   router.patch('/*', allow('Append'), patch)
   router.put('/*', allow('Write'), put)
-  router.delete('/*', allow('Write'), del)
+  router.delete('/*', allow('Write', true), del)
 
   return router
 }

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ function LdpMiddleware (corsSettings) {`
`26`	`26`	`router.post('/*', allow('Append'), post)`
`27`	`27`	`router.patch('/*', allow('Append'), patch)`
`28`	`28`	`router.put('/*', allow('Write'), put)`
`29`		`- router.delete('/*', allow('Write'), del)`
	`29`	`+ router.delete('/*', allow('Write', true), del)`
`30`	`30`
`31`	`31`	`return router`
`32`	`32`	`}`