diff --git a/src/.jshintrc b/.jshintrc similarity index 100% rename from src/.jshintrc rename to .jshintrc diff --git a/src/api.js b/src/api.js index cdf2f11..d8c729b 100644 --- a/src/api.js +++ b/src/api.js @@ -36,7 +36,7 @@ Api.prototype.exec = function (session, request) { try { - return Q(method.call(this.xo, session, request)); + return Q(method.call(this, session, request)); } catch (e) { @@ -121,7 +121,35 @@ Api.err = { // Helper functions that should be written: // - checkParams(req.params, param1, ..., paramN).then(...) -// - isAuthorized(session, [permission]).then(...) +// - checkPermission(xo, session, [permission]).then(...) + +// @todo Put helpers in their own namespace. +Api.prototype.checkPermission = function (session, permission) +{ + // @todo Handle token permission. + + var user_id = session.get('user_id'); + + if (undefined === user_id) + { + return Q.reject(Api.err.UNAUTHORIZED); + } + + if (!permission) + { + /* jshint newcap:false */ + return Q(); + } + + return this.xo.users.get(user_id).then(function (user) { + if (!user.hasPermission(permission)) + { + throw Api.err.UNAUTHORIZED; + } + }); +}; + +////////////////////////////////////////////////////////////////////// Api.fn = {}; @@ -147,7 +175,7 @@ Api.fn.session = { throw Api.err.ALREADY_AUTHENTICATED; } - return this.users.findWhere({'email': p_email}).then(function (user) { + return this.xo.users.findWhere({'email': p_email}).then(function (user) { if (!user) { throw Api.err.INVALID_CREDENTIAL; @@ -178,7 +206,7 @@ Api.fn.session = { throw Api.err.ALREADY_AUTHENTICATED; } - return this.tokens.get(p_token).then(function (token) { + return this.xo.tokens.get(p_token).then(function (token) { if (!token) { throw Api.err.INVALID_CREDENTIAL; @@ -187,7 +215,6 @@ Api.fn.session = { session.set('token_id', token.get('id')); session.set('user_id', token.get('user_id')); return true; - }); }, @@ -198,8 +225,8 @@ Api.fn.session = { return null; } - return this.users.get(user_id).then(function (user) { - return _.pick(user.properties, 'id', 'email'); + return this.xo.users.get(user_id).then(function (user) { + return _.pick(user.properties, 'id', 'email', 'permission'); }); }), @@ -224,19 +251,8 @@ Api.fn.user = { throw Api.err.INVALID_PARAMS; } - var user_id = session.get('user_id'); - if (undefined === user_id) - { - throw Api.err.UNAUTHORIZED; - } - - var users = this.users; - return users.get(user_id).then(function (user) { - if (!user.hasPermission('admin')) - { - throw Api.err.UNAUTHORIZED; - } - + var users = this.xo.users; + return this.checkPermission(session, 'admin').then(function () { return users.create(p_email, p_pass, p_perm); }).then(function (user) { return (''+ user.get('id')); @@ -250,27 +266,16 @@ Api.fn.user = { throw Api.err.INVALID_PARAMS; } - var user_id = session.get('user_id'); - if (undefined === user_id) - { - throw Api.err.UNAUTHORIZED; - } - - var users = this.users; - return users.get(user_id).then(function (user) { - if (!user.hasPermission('admin')) + var users = this.xo.users; + return this.checkPermission(session, 'admin').then(function () { + return users.remove(p_id); + }).then(function (success) { + if (!success) { - throw Api.err.UNAUTHORIZED; + throw Api.err.NO_SUCH_OBJECT; } - return users.remove(p_id).then(function (success) { - if (!success) - { - throw Api.err.NO_SUCH_OBJECT; - } - - return true; - }); + return true; }); }, @@ -289,7 +294,7 @@ Api.fn.user = { } var user; - var users = this.users; + var users = this.xo.users; return users.get(user_id).then(function (u) { user = u; @@ -308,39 +313,44 @@ Api.fn.user = { }, 'getAll': function (session) { - var user_id = session.get('user_id'); - if (undefined === user_id) - { - throw Api.err.UNAUTHORIZED; - } - - var users = this.users; - return users.get(user_id).then(function (user) { - if (!user.hasPermission('admin')) - { - throw Api.err.UNAUTHORIZED; - } - + var users = this.xo.users; + return this.checkPermission(session, 'admin').then(function () { return users.where(); }).then(function (all_users) { - _.each(all_users, function (user, i) { - all_users[i] = _.pick(user, 'id', 'email', 'permission'); - }); + for (var i = 0, n = all_users.length; i < n; ++i) + { + all_users[i] = _.pick( + all_users[i], + 'id', 'email', 'permission' + ); + } return all_users; }); }, 'set': function (session, request) { + var p_id = request.params.id; + var p_email = request.params.email; + var p_password = request.params.password; + var p_permission = request.params.permission; + + /* jshint laxbreak: true */ + if ((undefined === p_id) + || ((undefined === p_email) + && (undefined === p_password) + && (undefined === p_permission))) + { + throw Api.err.INVALID_PARAMS; + } + var user_id = session.get('user_id'); if (undefined === user_id) { throw Api.err.UNAUTHORIZED; } - var p_email, p_password, p_permission; - - var users = this.users; + var users = this.xo.users; return users.get(user_id).then(function (user) { // Get the current user to check its permission. @@ -350,19 +360,6 @@ Api.fn.user = { throw Api.err.UNAUTHORIZED; } - var p_id = request.params.id; - p_email = request.params.email; - p_password = request.params.password; - p_permission = request.params.permission; - - /* jshint laxbreak: true */ - if ((undefined === p_id) - || ((undefined === p_email) - && (undefined === p_password) - && (undefined === p_permission))) - { - throw Api.err.INVALID_PARAMS; - } // @todo Check there are no invalid parameter. @@ -407,7 +404,7 @@ Api.fn.token = { // @todo Token permission. - return this.tokens.generate(user_id).then(function (token) { + return this.xo.tokens.generate(user_id).then(function (token) { return token.get('id'); }); }, @@ -415,7 +412,7 @@ Api.fn.token = { 'delete': function (session, req) { var p_token = req.params.token; - var tokens = this.tokens; + var tokens = this.xo.tokens; return tokens.get(p_token).then(function (token) { if (!token) { @@ -441,19 +438,8 @@ Api.fn.server = { throw Api.err.INVALID_PARAMS; } - var user_id = session.get('user_id'); - if (undefined === user_id) - { - throw Api.err.UNAUTHORIZED; - } - - var servers = this.servers; - return this.users.get(user_id).then(function (user) { - if (!user.hasPermission('admin')) - { - throw Api.err.UNAUTHORIZED; - } - + var servers = this.xo.servers; + return this.checkPermission(session, 'admin').then(function () { // @todo We are storing passwords which is bad! // Can we use tokens instead? return servers.add({ @@ -476,19 +462,8 @@ Api.fn.server = { throw Api.err.INVALID_PARAMS; } - var user_id = session.get('user_id'); - if (undefined === user_id) - { - throw Api.err.UNAUTHORIZED; - } - - var servers = this.servers; - return this.users.get(user_id).then(function (user) { - if (!user.hasPermission('admin')) - { - throw Api.err.UNAUTHORIZED; - } - + var servers = this.xo.servers; + return this.checkPermission(session, 'admin').then(function () { return servers.remove(p_id); }).then(function(success) { if (!success) @@ -501,19 +476,8 @@ Api.fn.server = { }, 'getAll': function (session) { - var user_id = session.get('user_id'); - if (undefined === user_id) - { - throw Api.err.UNAUTHORIZED; - } - - var servers = this.servers; - return this.users.get(user_id).then(function (user) { - if (!user.hasPermission('admin')) - { - throw Api.err.UNAUTHORIZED; - } - + var servers = this.xo.servers; + return this.checkPermission(session, 'admin').then(function () { return servers.where(); }).then(function (all_servers) { _.each(all_servers, function (server, i) {