diff --git a/server/achievements/achievement_handler.coffee b/server/achievements/achievement_handler.coffee
index 211068bd1..3b9833836 100644
--- a/server/achievements/achievement_handler.coffee
+++ b/server/achievements/achievement_handler.coffee
@@ -16,7 +16,7 @@ class AchievementHandler extends Handler
 get: (req, res) -> # /db/achievement?related=
 if req.query.related
- return @sendUnauthorizedError(res) if not @hasAccess(req)
+ return @sendForbiddenError(res) if not @hasAccess(req)
 Achievement.find {related: req.query.related}, (err, docs) =>
 return @sendDatabaseError(res, err) if err
 docs = (@formatEntity(req, doc) for doc in docs)
@@ -25,7 +25,7 @@ class AchievementHandler extends Handler
 super req, res
 delete: (req, res, slugOrID) ->
- return @sendUnauthorizedError res unless req.user?.isAdmin()
+ return @sendForbiddenError res unless req.user?.isAdmin()
 @getDocumentForIdOrSlug slugOrID, (err, document) => # Check first
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless document?
diff --git a/server/commons/Handler.coffee b/server/commons/Handler.coffee
index aea9810c1..f8392cf6e 100644
--- a/server/commons/Handler.coffee
+++ b/server/commons/Handler.coffee
@@ -55,7 +55,6 @@ module.exports = class Handler
 props # sending functions
- sendUnauthorizedError: (res) -> errors.forbidden(res) #TODO: rename sendUnauthorizedError to sendForbiddenError
 sendForbiddenError: (res) -> errors.forbidden(res)
 sendNotFoundError: (res, message) -> errors.notFound(res, message)
 sendMethodNotAllowed: (res, message) -> errors.badMethod(res, @allowedMethods, message)
@@ -86,7 +85,7 @@ module.exports = class Handler
 # generic handlers
 get: (req, res) ->
- @sendUnauthorizedError(res) if not @hasAccess(req)
+ @sendForbiddenError(res) if not @hasAccess(req)
 specialParameters = ['term', 'project', 'conditions']
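Review bot: Deleting `sendUnauthorizedError` from the base Handler in the @@ -55 hunk leaves no fallback for any handler outside this diff that still calls it; on the access-denied path such a call would now throw a TypeError instead of sending a 403, so the request ends in an unhandled error rather than a clean forbidden response. The patch only touches the handlers shown here, so the diff alone cannot confirm every caller was updated. Consider keeping a deprecated alias for one release, `sendUnauthorizedError: (res) -> @sendForbiddenError(res)`, or confirming with a repository-wide search before merging. Both names already mapped to `errors.forbidden`, so the status code sent to clients is unchanged; the Handler class body continues outside the hunk.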
@@ -150,16 +149,16 @@ module.exports = class Handler
 @sendSuccess(res, documents) # regular users are only allowed text searches for now, without any additional filters or sorting
 else
- return @sendUnauthorizedError(res)
+ return @sendForbiddenError(res)
 getById: (req, res, id) -> # return @sendNotFoundError(res) # for testing
- return @sendUnauthorizedError(res) unless @hasAccess(req)
+ return @sendForbiddenError(res) unless @hasAccess(req)
 @getDocumentForIdOrSlug id, (err, document) =>
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless document?
- return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, document)
+ return @sendForbiddenError(res) unless @hasAccessToDocument(req, document)
 @sendSuccess(res, @formatEntity(req, document))
 getByRelationship: (req, res, args...) ->
@@ -211,7 +210,7 @@ module.exports = class Handler
 setWatching: (req, res, id) ->
 @getDocumentForIdOrSlug id, (err, document) =>
- return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, document, 'get')
+ return @sendForbiddenError(res) unless @hasAccessToDocument(req, document, 'get')
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless document?
 watchers = document.get('watchers') or []
@@ -263,7 +262,7 @@ module.exports = class Handler
 args.push projection
 @modelClass.findOne(args...).sort(sort).exec (err, doc) =>
 return @sendNotFoundError(res) unless doc?
- return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, doc)
+ return @sendForbiddenError(res) unless @hasAccessToDocument(req, doc)
 res.send(doc)
 res.end()
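Review bot: In the setWatching hunk (@@ -211) the renamed access check `@hasAccessToDocument(req, document, 'get')` still runs before the `err` and `document?` guards that follow it, so on a lookup error or a missing document the check receives an undefined document; whether that throws or quietly passes depends on hasAccessToDocument's handling of null, which is outside this hunk. The rename preserves that order. Moving the renamed line below the two guards, `return @sendDatabaseError(res, err) if err`, `return @sendNotFoundError(res) unless document?`, then `return @sendForbiddenError(res) unless @hasAccessToDocument(req, document, 'get')`, would match the order used in getById earlier in this line and in the put hunk. setWatching's body continues past the hunk.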
@@ -273,12 +272,12 @@ module.exports = class Handler
 put: (req, res, id) ->
 return @postNewVersion(req, res) if @modelClass.schema.uses_coco_versions
 return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
- return @sendUnauthorizedError(res) unless @hasAccess(req)
+ return @sendForbiddenError(res) unless @hasAccess(req)
 @getDocumentForIdOrSlug req.body._id or id, (err, document) =>
 return @sendBadInputError(res, 'Bad id.') if err and err.name is 'CastError'
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless document?
- return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, document)
+ return @sendForbiddenError(res) unless @hasAccessToDocument(req, document)
 @doWaterfallChecks req, document, (err, document) =>
 return @sendError(res, err.code, err.res) if err
 @saveChangesToDocument req, document, (err) =>
@@ -295,7 +294,7 @@ module.exports = class Handler
 return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
 return @sendBadInputError(res, 'id should not be included.') if req.body._id
- return @sendUnauthorizedError(res) unless @hasAccess(req)
+ return @sendForbiddenError(res) unless @hasAccess(req)
 document = @makeNewInstance(req)
 @saveChangesToDocument req, document, (err) =>
 return @sendBadInputError(res, err.errors) if err?.valid is false
@@ -314,7 +313,7 @@ module.exports = class Handler
 postFirstVersion: (req, res) ->
 return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
 return @sendBadInputError(res, 'id should not be included.') if req.body._id
- return @sendUnauthorizedError(res) unless @hasAccess(req)
+ return @sendForbiddenError(res) unless @hasAccess(req)
 document = @makeNewInstance(req)
 document.set('original', document._id)
 document.set('creator', req.user._id)
@@ -337,12 +336,12 @@ module.exports = class Handler
 """
 return @sendBadInputError(res, 'This entity is not versioned') unless @modelClass.schema.uses_coco_versions
 return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
- return @sendUnauthorizedError(res) unless @hasAccess(req)
+ return @sendForbiddenError(res) unless @hasAccess(req)
 @getDocumentForIdOrSlug req.body._id, (err, parentDocument) =>
 return @sendBadInputError(res, 'Bad id.') if err and err.name is 'CastError'
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless parentDocument?
- return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, parentDocument)
+ return @sendForbiddenError(res) unless @hasAccessToDocument(req, parentDocument)
 editableProperties = @getEditableProperties req, parentDocument
 updatedObject = parentDocument.toObject()
 for prop in editableProperties
diff --git a/server/levels/level_handler.coffee b/server/levels/level_handler.coffee
index f51f6574f..c97c3d7fc 100644
--- a/server/levels/level_handler.coffee
+++ b/server/levels/level_handler.coffee
@@ -50,7 +50,7 @@ LevelHandler = class LevelHandler extends Handler
 @getDocumentForIdOrSlug id, (err, level) =>
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless level?
- return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, level, 'get')
+ return @sendForbiddenError(res) unless @hasAccessToDocument(req, level, 'get')
 callback err, level
 getSession: (req, res, id) ->
diff --git a/server/levels/sessions/level_session_handler.coffee b/server/levels/sessions/level_session_handler.coffee
index 7d7e2886d..7e94efcaf 100644
--- a/server/levels/sessions/level_session_handler.coffee
+++ b/server/levels/sessions/level_session_handler.coffee
@@ -20,7 +20,7 @@ class LevelSessionHandler extends Handler
 return _.omit documentObject, @privateProperties
 getActiveSessions: (req, res) ->
- return @sendUnauthorizedError(res) unless req.user.isAdmin()
+ return @sendForbiddenError(res) unless req.user.isAdmin()
 start = new Date()
 start = new Date(start.getTime() - TIMEOUT)
 query = @modelClass.find({'changed': {$gt: start}})
diff --git a/server/patches/patch_handler.coffee b/server/patches/patch_handler.coffee
index fd316ce4b..3a6cd4ff7 100644
--- a/server/patches/patch_handler.coffee
+++ b/server/patches/patch_handler.coffee
@@ -42,13 +42,13 @@ PatchHandler = class PatchHandler extends Handler
 targetModel.findOne(query).sort(sort).exec (err, target) =>
 return @sendDatabaseError(res, err) if err
 return @sendNotFoundError(res) unless target?
- return @sendUnauthorizedError(res) unless targetHandler.hasAccessToDocument(req, target, 'get')
+ return @sendForbiddenError(res) unless targetHandler.hasAccessToDocument(req, target, 'get')
 if newStatus in ['rejected', 'accepted']
- return @sendUnauthorizedError(res) unless targetHandler.hasAccessToDocument(req, target, 'put')
+ return @sendForbiddenError(res) unless targetHandler.hasAccessToDocument(req, target, 'put')
 if newStatus is 'withdrawn'
- return @sendUnauthorizedError(res) unless req.user.get('_id').equals patch.get('creator')
+ return @sendForbiddenError(res) unless req.user.get('_id').equals patch.get('creator')
 patch.set 'status', newStatus
diff --git a/server/users/user_handler.coffee b/server/users/user_handler.coffee
index 40eed11ea..3e106e081 100644
--- a/server/users/user_handler.coffee
+++ b/server/users/user_handler.coffee
@@ -193,7 +193,7 @@ UserHandler = class UserHandler extends Handler
 super(arguments...)
 agreeToCLA: (req, res) ->
- return @sendUnauthorizedError(res) unless req.user
+ return @sendForbiddenError(res) unless req.user
 doc = user: req.user._id+''
 email: req.user.get 'email'
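Review bot: In the agreeToCLA hunk (@@ -193), `return @sendForbiddenError(res) unless req.user` guards against the absence of a user rather than against insufficient rights, so after the rename the call reads as a 403 where an unauthenticated request would normally get a 401. If req.user is always populated on this route (for instance by an anonymous-user middleware, which is not visible here), the guard is effectively dead and the naming is harmless; otherwise a 401-style response would be the more accurate signal to clients. A short comment on the line, `# no user at all: unauthenticated, not merely lacking rights`, would record which case is intended. agreeToCLA's body continues past the hunk.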
@@ -224,7 +224,7 @@ UserHandler = class UserHandler extends Handler
 res.end()
 getLevelSessionsForEmployer: (req, res, userID) ->
- return @sendUnauthorizedError(res) unless req.user._id+'' is userID or req.user.isAdmin() or ('employer' in (req.user.get('permissions') ? []))
+ return @sendForbiddenError(res) unless req.user._id+'' is userID or req.user.isAdmin() or ('employer' in (req.user.get('permissions') ? []))
 query = creator: userID, levelID: {$in: ['gridmancer', 'greed', 'dungeon-arena', 'brawlwood', 'gold-rush']}
 projection = 'levelName levelID team playtime codeLanguage submitted code totalScore teamSpells level'
 LevelSession.find(query).select(projection).exec (err, documents) =>
@@ -281,7 +281,7 @@ UserHandler = class UserHandler extends Handler
 isMe = userID is req.user._id + ''
 isAuthorized = isMe or req.user.isAdmin()
 isAuthorized ||= ('employer' in (req.user.get('permissions') ? [])) and (activityName in ['viewed_by_employer', 'contacted_by_employer'])
- return @sendUnauthorizedError res unless isAuthorized
+ return @sendForbiddenError res unless isAuthorized
 updateUser = (user) =>
 activity = user.trackActivity activityName, increment
 user.update {activity: activity}, (err) =>
@@ -356,7 +356,7 @@ UserHandler = class UserHandler extends Handler
 true
 getEmployers: (req, res) ->
- return @sendUnauthorizedError(res) unless req.user.isAdmin()
+ return @sendForbiddenError(res) unless req.user.isAdmin()
 query = {employerAt: {$exists: true, $ne: ''}}
 selection = 'name firstName lastName email activity signedEmployerAgreement photoURL employerAt'
 User.find(query).select(selection).lean().exec (err, documents) =>
@@ -379,7 +379,7 @@ UserHandler = class UserHandler extends Handler
 hash.digest('hex')
 getRemark: (req, res, userID) ->
- return @sendUnauthorizedError(res) unless req.user.isAdmin()
+ return @sendForbiddenError(res) unless req.user.isAdmin()
 query = user: userID
 projection = null
 if req.query.project
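Review bot: The employer-permission predicate `'employer' in (req.user.get('permissions') ? [])` is written out inline in the getLevelSessionsForEmployer guard (@@ -224) and again in the isAuthorized chain of the @@ -281 hunk, and the rename leaves both copies in place. Two hand-written copies of an authorization rule tend to drift apart when the permission model changes, so a single helper on the handler, e.g. `isEmployer = (user) -> 'employer' in (user.get('permissions') ? [])`, called from both guards, would keep the rule in one place. The surrounding methods continue outside their hunks, so the helper's placement within the class is not visible here.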
@@ -392,7 +392,7 @@ UserHandler = class UserHandler extends Handler
 searchForUser: (req, res) -> # TODO: also somehow search the CLAs to find a match amongst those fields and to find GitHub ids
- return @sendUnauthorizedError(res) unless req.user.isAdmin()
+ return @sendForbiddenError(res) unless req.user.isAdmin()
 search = req.body.search
 query = email: {$exists: true}, $or: [ {emailLower: search}