Make DELETE require write permissions on container

Author: rubensworks

lib/handlers/allow.js

@@ -1,13 +1,14 @@
 module.exports = allow
 
 const $rdf = require('rdflib')
+const path = require('path')
 const ACL = require('../acl-checker')
 const debug = require('../debug.js').ACL
 const fs = require('fs')
 const { promisify } = require('util')
 const HTTPError = require('../http-error')
 
-function allow (mode) {
+function allow (mode, relativePath = '') {
   return async function allowHandler (req, res, next) {
     const ldp = req.app.locals.ldp || {}
     if (!ldp.webid) {
@@ -23,6 +24,11 @@ function allow (mode) {
       ? res.locals.path
       : req.path
 
+    // If a relativePath has been provided, check permissions based on that
+    if (relativePath) {
+      reqPath = path.join(reqPath, relativePath)
+    }
+
     // Check whether the resource exists
     let stat
     try {

lib/ldp-middleware.js

@@ -26,7 +26,7 @@ function LdpMiddleware (corsSettings) {
   router.post('/*', allow('Append'), post)
   router.patch('/*', allow('Append'), patch)
   router.put('/*', allow('Write'), put)
-  router.delete('/*', allow('Write'), del)
+  router.delete('/*', allow('Write', '..'), del)
 
   return router
 }