webgui/lib/WebGUI/Middleware/WGAccess.pm at e6535e4d1897ec86cc7ce21981db826b4ef93ccd · plainblack/webgui · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
package WebGUI::Middleware::WGAccess;
use strict;
use parent qw(Plack::Middleware);
use Path::Class::File;
use Scalar::Util;
use JSON ();

=head1 NAME

WebGUI::Middleware::WGAccess - control access to .wgaccess protected uploads

=head1 DESCRIPTION

This is PSGI middleware for WebGUI that delivers static files (uploads) with .wgaccess
awareness.

This middleware should really only be used in development, for production you want
to be serving static files with something a lot faster.

=head2 call ($env)

Interface subroutine to implement the privilege checks inside the WGaccess files.

=head3 $env

A Plack environment hash

=cut

sub call {
    my $self = shift;
    my $env  = shift;
    my $session = $env->{'webgui.session'};
    if (! $session) {
        my $logger = $env->{'psgix.logger'};
        $logger && $logger->({ level => 'error', message => 'WebGUI session missing!'});
        return [500, ['Content-Type' => 'text/plain'], 'Internal Server Error'];
    }

    my $r = $self->app->($env);
    $self->response_cb($r, sub {
        my ($status, $headers, $body) = @$r;
        return
            unless Scalar::Util::blessed($body) && $body->can('path');

        my $file = Path::Class::File->new($body->path);
        my $wgaccess = $file->dir->file('.wgaccess');
        return
            unless -e $wgaccess;
        my $contents = $wgaccess->slurp;
        my $privs;
        if ($contents =~ /\A(\d+|[A-Za-z0-9_-]{22})\n(\d+|[A-Za-z0-9_-]{22})\n(\d+|[A-Za-z0-9_-]{22})/) {
            $privs = {
                users => [ $1 ],
                groups => [ $2, $3 ],
                assets => [],
            };
        }
        else {
            $privs = JSON->new->utf8->decode($contents);
        }
        # in some cases there is nothing but state; default each list to an empty array
        $privs->{user} ||= [ ];
        $privs->{groups} ||= [ ];
        $privs->{assets} ||= [ ];

        return @$r = (403, [ 'Content-Type' => 'text/plain' ], [ 'Forbidden' ])
            if $privs->{state} eq 'trash';

        require WebGUI::Asset;
        my $userId = $session->get('userId');

        return
            if grep { $_ eq '1' || $_ eq $userId }                      @{ $privs->{users} }
            or grep { $_ eq '1' || $_ eq '7' }                          @{ $privs->{groups} }
            or grep { $session->user->isInGroup($_) }                   @{ $privs->{groups} }
            or grep { WebGUI::Asset->newById($session, $_)->canView }   @{ $privs->{assets} }
            ;

        # failed auto, change response into auth failure
        @$r = (401, [ 'Content-Type' => 'text/plain' ], [ 'Authorization Required' ]);
    });
}

1;