Made the GET /db/* endpoints generally accessible without needing to have a user object associated with the request.

This commit is contained in:
Scott Erickson 2014-11-22 18:40:28 -08:00
parent 1bdc331f40
commit 03705825d9
7 changed files with 19 additions and 13 deletions


@ -12,6 +12,7 @@ class EarnedAchievementHandler extends Handler
# Don't allow POSTs or anything yet
hasAccess: (req) ->
return false unless req.user
req.method in ['GET', 'POST'] # or req.user.isAdmin()
get: (req, res) ->


@ -56,7 +56,7 @@ module.exports = class Handler
isBrandNew = req.method is 'POST' and not req.body.original
props = props.concat @postEditableProperties if isBrandNew
if @modelClass.schema.uses_coco_permissions
if @modelClass.schema.uses_coco_permissions and req.user
# can only edit permissions if this is a brand new property,
# or you are an owner of the old one
isOwner = document.getAccessForUserObjectId(req.user._id) is 'owner'
@ -523,7 +523,7 @@ module.exports = class Handler
# This is not a Mongoose user
projectionForUser: (req, model, ownerID) ->
return {} if 'privateProperties' not of model or req.user._id + '' is ownerID + '' or req.user.isAdmin()
return {} if 'privateProperties' not of model or req.user?._id + '' is ownerID + '' or req.user.isAdmin()
projection = {}
projection[field] = 0 for field in model.privateProperties
projection
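Review bot: The new `projectionForUser` line still calls `req.user.isAdmin()` without a soak, so an anonymous GET whose `req.user?._id + ''` does not match `ownerID + ''` throws a TypeError instead of returning a projection. The same comparison has a second problem: `req.user?._id + ''` evaluates to the string `'undefined'` when there is no user, so if `ownerID` can ever be undefined the check passes and the private properties are returned unfiltered. Test presence first: `return {} if 'privateProperties' not of model or (req.user? and (req.user._id + '' is ownerID + '' or req.user.isAdmin()))`. In the first hunk, `and req.user` skips the owner check block entirely when there is no user; its body is outside the hunk, so if it does more than trim the editable list a fail-closed form such as `isOwner = req.user? and document.getAccessForUserObjectId(req.user._id) is 'owner'` inside an unconditional block would be safer.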


@ -102,6 +102,7 @@ LevelHandler = class LevelHandler extends Handler
# of model, like in this case. Refactor to move that logic to the model instead.
getMySessions: (req, res, slugOrID) ->
return @sendForbiddenError(res) if not req.user
findParameters = {}
if Handler.isID slugOrID
findParameters['_id'] = slugOrID
@ -271,6 +272,7 @@ LevelHandler = class LevelHandler extends Handler
@doGetFeedback req, res, levelID, false
getAllFeedback: (req, res, levelID) ->
return @sendNotFoundError(res) unless req.user
@doGetFeedback req, res, levelID, true
doGetFeedback: (req, res, levelID, multiple) ->
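Review bot: The two guards added in this section answer the same missing-identity condition with different status codes: `getMySessions` sends Forbidden while `getAllFeedback` sends NotFound. Since the router hunk answers the same case with `errors.unauthorized`, the handlers should at least agree with each other, e.g. `return @sendForbiddenError(res) unless req.user` in `getAllFeedback` too. Both method bodies continue outside the hunk, so whether `doGetFeedback` itself dereferences `req.user` cannot be confirmed from here.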


@ -20,7 +20,7 @@ class LevelSessionHandler extends Handler
return _.omit documentObject, @privateProperties
getActiveSessions: (req, res) ->
return @sendForbiddenError(res) unless req.user.isAdmin()
return @sendForbiddenError(res) unless req.user?.isAdmin()
start = new Date()
start = new Date(start.getTime() - TIMEOUT)
query = @modelClass.find({'changed': {$gt: start}})


@ -116,7 +116,7 @@ module.exports.PermissionsPlugin = (schema) ->
allowed = allowed[method] or []
for permission in @permissions
if permission.target is 'public' or actor._id.equals(permission.target)
if permission.target is 'public' or actor?._id.equals(permission.target)
return true if permission.access in allowed
return false


@ -25,7 +25,8 @@ module.exports.setup = (app) ->
parts = module.split('/')
module = parts[0]
return getSchema(req, res, module) if parts[1] is 'schema'
return errors.unauthorized(res, 'Must have an identity to do anything with the db. Do you have cookies enabled?') unless req.user
if (not req.user) and req.route.method isnt 'get'
return errors.unauthorized(res, 'Must have an identity to do anything with the db. Do you have cookies enabled?')
try
moduleName = module.replace new RegExp('\\.', 'g'), '_'
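Review bot: The new condition makes anonymous access the default for every GET under /db/*, so any handler that dereferences `req.user` without a soak now fails with a server error (or, where it compares `req.user?._id + ''`, matches the string `'undefined'`) instead of returning 401; the commit fixes the handlers it found, but nothing stops the next handler from regressing. Consider a default-deny in the base Handler, for example `hasAccess` returning false unless `req.user` is set or the handler explicitly opts into anonymous reads, so each handler has to allow it deliberately. Two smaller points: this check uses `req.route.method isnt 'get'` while the handlers test `req.method in ['GET', ...]`, so `req.method isnt 'GET'` would be consistent and not depend on `req.route` being populated, and the message "Must have an identity to do anything with the db" is now stale for reads.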


@ -224,6 +224,7 @@ UserHandler = class UserHandler extends Handler
res.end()
getLevelSessionsForEmployer: (req, res, userID) ->
return @sendForbiddenError(res) unless req.user
return @sendForbiddenError(res) unless req.user._id+'' is userID or req.user.isAdmin() or ('employer' in (req.user.get('permissions') ? []))
query = creator: userID, levelID: {$in: ['criss-cross', 'gridmancer', 'greed', 'dungeon-arena', 'brawlwood', 'gold-rush']}
projection = 'levelName levelID team playtime codeLanguage submitted code totalScore teamSpells level'
@ -241,7 +242,7 @@ UserHandler = class UserHandler extends Handler
return @sendDatabaseError res, err if err
return @sendNotFoundError res unless userID?
query = creator: userID + ''
isAuthorized = req.user._id+'' is userID or req.user.isAdmin()
isAuthorized = req.user?._id+'' is userID or req.user?.isAdmin()
projection = {}
if req.query.project
projection[field] = 1 for field in req.query.project.split(',') when isAuthorized or not (field in LevelSessionHandler.privateProperties)
@ -278,9 +279,9 @@ UserHandler = class UserHandler extends Handler
trackActivity: (req, res, userID, activityName, increment=1) ->
return @sendMethodNotAllowed res unless req.method is 'POST'
isMe = userID is req.user._id + ''
isAuthorized = isMe or req.user.isAdmin()
isAuthorized ||= ('employer' in (req.user.get('permissions') ? [])) and (activityName in ['viewed_by_employer', 'contacted_by_employer'])
isMe = userID is req.user?._id + ''
isAuthorized = isMe or req.user?.isAdmin()
isAuthorized ||= ('employer' in (req.user?.get('permissions') ? [])) and (activityName in ['viewed_by_employer', 'contacted_by_employer'])
return @sendForbiddenError res unless isAuthorized
updateUser = (user) =>
activity = user.trackActivity activityName, increment
@ -322,6 +323,7 @@ UserHandler = class UserHandler extends Handler
res.end()
getCandidates: (req, res) ->
return @sendForbiddenError(res) unless req.user
authorized = req.user.isAdmin() or ('employer' in (req.user.get('permissions') ? []))
months = if req.user.isAdmin() then 12 else 2
since = (new Date((new Date()) - months * 30.4 * 86400 * 1000)).toISOString()
@ -356,7 +358,7 @@ UserHandler = class UserHandler extends Handler
true
getEmployers: (req, res) ->
return @sendForbiddenError(res) unless req.user.isAdmin()
return @sendForbiddenError(res) unless req.user?.isAdmin()
query = {employerAt: {$exists: true, $ne: ''}}
selection = 'name firstName lastName email activity signedEmployerAgreement photoURL employerAt'
User.find(query).select(selection).lean().exec (err, documents) =>
@ -379,7 +381,7 @@ UserHandler = class UserHandler extends Handler
hash.digest('hex')
getRemark: (req, res, userID) ->
return @sendForbiddenError(res) unless req.user.isAdmin()
return @sendForbiddenError(res) unless req.user?.isAdmin()
query = user: userID
projection = null
if req.query.project
@ -392,7 +394,7 @@ UserHandler = class UserHandler extends Handler
searchForUser: (req, res) ->
# TODO: also somehow search the CLAs to find a match amongst those fields and to find GitHub ids
return @sendForbiddenError(res) unless req.user.isAdmin()
return @sendForbiddenError(res) unless req.user?.isAdmin()
search = req.body.search
query = email: {$exists: true}, $or: [
{emailLower: search}
@ -605,7 +607,7 @@ UserHandler = class UserHandler extends Handler
@statRecalculators[statName] done
recalculate: (req, res, statName) ->
return @sendForbiddenError(res) unless req.user.isAdmin()
return @sendForbiddenError(res) unless req.user?.isAdmin()
log.debug 'recalculate'
return @sendNotFoundError(res) unless statName of @statRecalculators
@recalculateStats statName
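Review bot: In `trackActivity` and the level-sessions hunk, `req.user?._id + ''` evaluates to the string `'undefined'` for an anonymous request, so it compares equal to a URL-supplied `userID` of `undefined` and `isMe` / `isAuthorized` become true with no user at all; `trackActivity` is POST-only and the router hunk now rejects anonymous POSTs, but the sessions GET is reachable anonymously and would then include `LevelSessionHandler.privateProperties` in the projection. Test presence before comparing: `isAuthorized = req.user? and (req.user._id + '' is userID or req.user.isAdmin())` and `isMe = req.user? and userID is req.user._id + ''`. The `return @sendForbiddenError(res) unless req.user` guards added to `getLevelSessionsForEmployer` and `getCandidates` correctly protect the unsoaked `req.user` calls that follow them, and the admin-only methods are closed by `req.user?.isAdmin()`.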