better use of the new xss hook plus two new organization hooks

Author: appinteractive

server/hooks/restrictReviewAndEnableChange.js

@@ -0,0 +1,29 @@
+const { getByDot, deleteByDot } = require('feathers-hooks-common');
+
+module.exports = function restrictReviewAndEnableChange () { // eslint-disable-line no-unused-vars
+  return (hook) => {
+
+    if (!getByDot(hook, 'params.before')) {
+      throw new Error('The "restrictReviewAndEnableChange" hook should be used after the "stashBefore()" hook');
+    }
+
+    const role = getByDot(hook, 'params.user.role');
+    const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
+    const isReviewed = getByDot(hook, 'params.before.isReviewed');
+    const userId = getByDot(hook, 'params.user._id');
+    const isOwner = userId && getByDot(hook, 'params.before.userId');
+
+    // only allow mods and admins to change the review status
+    if (!isModOrAdmin) {
+      deleteByDot(hook.data, 'isReviewed');
+    }
+
+    // only allow changes to mods, admin and owners (if its already reviewed)
+    if (!isModOrAdmin && (!isOwner || (isOwner && !isReviewed))) {
+      deleteByDot(hook.data, 'isEnabled');
+    }
+
+    return hook;
+  };
+};
+

server/hooks/restrictToOwnerOrModerator.js

@@ -0,0 +1,59 @@
+const { getByDot } = require('feathers-hooks-common');
+const errors = require('feathers-errors');
+
+module.exports = function restrictToOwnerOrModerator (query = {}) { // eslint-disable-line no-unused-vars
+  return function (hook) {
+    if (hook.type !== 'before') {
+      throw new Error('The "restrictToOwnerOrModerator" hook should only be used as a "before" hook.');
+    }
+    const isFindOrGet = ['find', 'get'].includes(hook.method);
+    if (!isFindOrGet && !getByDot(hook, 'params.before')) {
+      throw new Error('The "restrictToOwnerOrModerator" hook should be used after the "stashBefore()" hook');
+    }
+
+    if (!hook.params || !hook.params.user) {
+      return false;
+    }
+
+    const role = getByDot(hook, 'params.user.role');
+    const isModOrAdmin = role && ['admin', 'moderator'].includes(role);
+
+    const userId = getByDot(hook, 'params.user._id');
+    const isOwner = userId && getByDot(hook, 'params.before.userId');
+
+    // allow for mods or admins
+    if (isModOrAdmin) {
+      return hook;
+    }
+
+    // change the query if the method is find or get
+    if (isFindOrGet) {
+      // add given query on top of it
+      hook.data = Object.assign(hook.data, query);
+      // if not an mod or admin, restrict to owner
+      hook.data.userId = userId;
+
+      return hook;
+    }
+
+    let hasError = false;
+    const keys = Object.keys(query);
+    if (!isOwner && keys.length) {
+      keys.forEach((key) => {
+        if (query[key] !== getByDot(hook, `params.before.${key}`)) {
+          hasError = true;
+        }
+      });
+      if (hasError) {
+        // if any of the given query params is not identical with the current values this action is forbidden
+        throw new errors.Forbidden('You can\'t alter this record!');
+      }
+    } else if (!isOwner) {
+      // his action is forbidden if its not the owner
+      throw new errors.Forbidden('You can\'t alter this record!');
+    }
+
+    return hook;
+  };
+};
+

server/models/organizations.model.js

@@ -30,6 +30,10 @@ module.exports = function (app) {
       type: Boolean,
       default: false
     },
+    isReviewed: {
+      type: Boolean,
+      default: false
+    },
     deleted: {
       type: Boolean,
       default: false

server/seeder/development/organizations.js

@@ -21,6 +21,7 @@ module.exports = (seederstore) => {
         isVerified: () => seedHelpers.randomItem([true, false]),
         deletedAt: null,
         isEnabled: true,
+        isReviewed: true,
         createdAt: '{{date.recent}}',
         updatedAt: '{{date.recent}}',
         wasSeeded: true

server/services/contributions/contributions.hooks.js

@@ -79,9 +79,13 @@ const thumbs = {
   }
 };
 
+const xssFields = ['content', 'contentExcerpt', 'cando.reason'];
+
 module.exports = {
   before: {
-    all: [],
+    all: [
+      xss({ fields: xssFields })
+    ],
     find: [
       unless(isModerator(),
         excludeDisabled()
@@ -103,7 +107,6 @@ module.exports = {
         isVerified()
       ),
       associateCurrentUser(),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       createSlug({ field: 'title' }),
       saveRemoteImages(['teaserImg']),
       createExcerpt()
@@ -117,7 +120,6 @@ module.exports = {
         excludeDisabled(),
         restrictToOwner()
       ),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       saveRemoteImages(['teaserImg']),
       createExcerpt()
     ],
@@ -130,7 +132,6 @@ module.exports = {
         excludeDisabled(),
         restrictToOwner()
       ),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       saveRemoteImages(['teaserImg']),
       createExcerpt()
     ],
@@ -146,6 +147,7 @@ module.exports = {
 
   after: {
     all: [
+      xss({ fields: xssFields }),
       populate({ schema: userSchema }),
       populate({ schema: categoriesSchema }),
       populate({ schema: candosSchema }),
@@ -155,27 +157,22 @@ module.exports = {
       when(isSingleItem(),
         getAssociatedCanDos()
       ),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       thumbnails(thumbs)
     ],
     get: [
       getAssociatedCanDos(),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       thumbnails(thumbs)
     ],
     create: [
       createMentionNotifications(),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       thumbnails(thumbs)
     ],
     update: [
       createMentionNotifications(),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       thumbnails(thumbs)
     ],
     patch: [
       createMentionNotifications(),
-      xss({ fields: ['content', 'contentExcerpt'] }),
       thumbnails(thumbs)
     ],
     remove: []

server/services/organizations/organizations.hooks.js

@@ -1,13 +1,16 @@
-const { unless, isProvider, softDelete } = require('feathers-hooks-common');
+const { unless, when, isProvider, softDelete, stashBefore } = require('feathers-hooks-common');
 const { isVerified } = require('feathers-authentication-management').hooks;
 const { authenticate } = require('feathers-authentication').hooks;
-const { associateCurrentUser, restrictToOwner } = require('feathers-authentication-hooks');
+const { associateCurrentUser } = require('feathers-authentication-hooks');
 const createSlug = require('../../hooks/create-slug');
 const saveRemoteImages = require('../../hooks/save-remote-images');
 const createExcerpt = require('../../hooks/create-excerpt');
 const isModerator = require('../../hooks/is-moderator-boolean');
-const excludeDisabled = require('../../hooks/exclude-disabled');
+// const excludeDisabled = require('../../hooks/exclude-disabled');
 const thumbnails = require('../../hooks/thumbnails');
+const restrictToOwnerOrModerator = require('../../hooks/restrictToOwnerOrModerator');
+const restrictReviewAndEnableChange = require('../../hooks/restrictReviewAndEnableChange');
+const xss = require('../../hooks/xss');
 
 const thumbnailOptions = {
   logo: {
@@ -22,25 +25,32 @@ const thumbnailOptions = {
   }
 };
 
+const xssFields = ['description', 'descriptionExcerpt'];
+
 module.exports = {
   before: {
-    all: softDelete(),
+    all: [
+      softDelete(),
+      xss({ fields: xssFields })
+    ],
     find: [
-      unless(isModerator(),
-        excludeDisabled()
-      )
+      restrictToOwnerOrModerator({ isEnabled: true, isReviewed: true })
     ],
     get: [
-      unless(isModerator(),
-        excludeDisabled()
-      )
+      restrictToOwnerOrModerator({ isEnabled: true, isReviewed: true })
     ],
     create: [
       authenticate('jwt'),
       // Allow seeder to seed contributions
       unless(isProvider('server'),
         isVerified()
       ),
+      when(isModerator(),
+        hook => {
+          hook.data.isReviewed = true;
+          return hook;
+        }
+      ),
       associateCurrentUser(),
       createSlug({ field: 'name' }),
       createExcerpt({ field: 'description' }),
@@ -51,10 +61,9 @@ module.exports = {
       unless(isProvider('server'),
         isVerified()
       ),
-      unless(isModerator(),
-        excludeDisabled(),
-        restrictToOwner()
-      ),
+      stashBefore(),
+      restrictReviewAndEnableChange(),
+      restrictToOwnerOrModerator({ isEnabled: true }),
       createSlug({ field: 'name', overwrite: true }),
       createExcerpt({ field: 'description' }),
       saveRemoteImages(['logo', 'coverImg'])
@@ -64,26 +73,24 @@ module.exports = {
       unless(isProvider('server'),
         isVerified()
       ),
-      unless(isModerator(),
-        excludeDisabled(),
-        restrictToOwner()
-      ),
+      stashBefore(),
+      restrictReviewAndEnableChange(),
+      restrictToOwnerOrModerator({ isEnabled: true }),
       createSlug({ field: 'name', overwrite: true }),
       createExcerpt({ field: 'description' }),
       saveRemoteImages(['logo', 'coverImg'])
     ],
     remove: [
       authenticate('jwt'),
       isVerified(),
-      unless(isModerator(),
-        excludeDisabled(),
-        restrictToOwner()
-      )
+      stashBefore(),
+      restrictToOwnerOrModerator({ isEnabled: true })
     ]
   },
 
   after: {
     all: [
+      xss({ fields: xssFields })
       // populate({ schema: userSchema }),
       // populate({ schema: followerSchema })
     ],