Remove sendUnauthorizedError, as it merely returned the same value (HTTP 403) as sendForbiddenError

David Beckley 2014-09-19 02:26:18 -07:00
parent 121ff0a4af
commit b9a511155e
6 changed files with 25 additions and 26 deletions


@ -16,7 +16,7 @@ class AchievementHandler extends Handler
get: (req, res) -> get: (req, res) ->
# /db/achievement?related=<ID> # /db/achievement?related=<ID>
if req.query.related if req.query.related
return @sendUnauthorizedError(res) if not @hasAccess(req) return @sendForbiddenError(res) if not @hasAccess(req)
Achievement.find {related: req.query.related}, (err, docs) => Achievement.find {related: req.query.related}, (err, docs) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
docs = (@formatEntity(req, doc) for doc in docs) docs = (@formatEntity(req, doc) for doc in docs)
@ -25,7 +25,7 @@ class AchievementHandler extends Handler
super req, res super req, res
delete: (req, res, slugOrID) -> delete: (req, res, slugOrID) ->
return @sendUnauthorizedError res unless req.user?.isAdmin() return @sendForbiddenError res unless req.user?.isAdmin()
@getDocumentForIdOrSlug slugOrID, (err, document) => # Check first @getDocumentForIdOrSlug slugOrID, (err, document) => # Check first
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless document? return @sendNotFoundError(res) unless document?


@ -55,7 +55,6 @@ module.exports = class Handler
props props
# sending functions # sending functions
sendUnauthorizedError: (res) -> errors.forbidden(res) #TODO: rename sendUnauthorizedError to sendForbiddenError
sendForbiddenError: (res) -> errors.forbidden(res) sendForbiddenError: (res) -> errors.forbidden(res)
sendNotFoundError: (res, message) -> errors.notFound(res, message) sendNotFoundError: (res, message) -> errors.notFound(res, message)
sendMethodNotAllowed: (res, message) -> errors.badMethod(res, @allowedMethods, message) sendMethodNotAllowed: (res, message) -> errors.badMethod(res, @allowedMethods, message)
@ -86,7 +85,7 @@ module.exports = class Handler
# generic handlers # generic handlers
get: (req, res) -> get: (req, res) ->
@sendUnauthorizedError(res) if not @hasAccess(req) @sendForbiddenError(res) if not @hasAccess(req)
specialParameters = ['term', 'project', 'conditions'] specialParameters = ['term', 'project', 'conditions']
@ -150,16 +149,16 @@ module.exports = class Handler
@sendSuccess(res, documents) @sendSuccess(res, documents)
# regular users are only allowed text searches for now, without any additional filters or sorting # regular users are only allowed text searches for now, without any additional filters or sorting
else else
return @sendUnauthorizedError(res) return @sendForbiddenError(res)
getById: (req, res, id) -> getById: (req, res, id) ->
# return @sendNotFoundError(res) # for testing # return @sendNotFoundError(res) # for testing
return @sendUnauthorizedError(res) unless @hasAccess(req) return @sendForbiddenError(res) unless @hasAccess(req)
@getDocumentForIdOrSlug id, (err, document) => @getDocumentForIdOrSlug id, (err, document) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless document? return @sendNotFoundError(res) unless document?
return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, document) return @sendForbiddenError(res) unless @hasAccessToDocument(req, document)
@sendSuccess(res, @formatEntity(req, document)) @sendSuccess(res, @formatEntity(req, document))
getByRelationship: (req, res, args...) -> getByRelationship: (req, res, args...) ->
@ -211,7 +210,7 @@ module.exports = class Handler
setWatching: (req, res, id) -> setWatching: (req, res, id) ->
@getDocumentForIdOrSlug id, (err, document) => @getDocumentForIdOrSlug id, (err, document) =>
return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, document, 'get') return @sendForbiddenError(res) unless @hasAccessToDocument(req, document, 'get')
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless document? return @sendNotFoundError(res) unless document?
watchers = document.get('watchers') or [] watchers = document.get('watchers') or []
@ -263,7 +262,7 @@ module.exports = class Handler
args.push projection args.push projection
@modelClass.findOne(args...).sort(sort).exec (err, doc) => @modelClass.findOne(args...).sort(sort).exec (err, doc) =>
return @sendNotFoundError(res) unless doc? return @sendNotFoundError(res) unless doc?
return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, doc) return @sendForbiddenError(res) unless @hasAccessToDocument(req, doc)
res.send(doc) res.send(doc)
res.end() res.end()
@ -273,12 +272,12 @@ module.exports = class Handler
put: (req, res, id) -> put: (req, res, id) ->
return @postNewVersion(req, res) if @modelClass.schema.uses_coco_versions return @postNewVersion(req, res) if @modelClass.schema.uses_coco_versions
return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body) return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
return @sendUnauthorizedError(res) unless @hasAccess(req) return @sendForbiddenError(res) unless @hasAccess(req)
@getDocumentForIdOrSlug req.body._id or id, (err, document) => @getDocumentForIdOrSlug req.body._id or id, (err, document) =>
return @sendBadInputError(res, 'Bad id.') if err and err.name is 'CastError' return @sendBadInputError(res, 'Bad id.') if err and err.name is 'CastError'
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless document? return @sendNotFoundError(res) unless document?
return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, document) return @sendForbiddenError(res) unless @hasAccessToDocument(req, document)
@doWaterfallChecks req, document, (err, document) => @doWaterfallChecks req, document, (err, document) =>
return @sendError(res, err.code, err.res) if err return @sendError(res, err.code, err.res) if err
@saveChangesToDocument req, document, (err) => @saveChangesToDocument req, document, (err) =>
@ -295,7 +294,7 @@ module.exports = class Handler
return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body) return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
return @sendBadInputError(res, 'id should not be included.') if req.body._id return @sendBadInputError(res, 'id should not be included.') if req.body._id
return @sendUnauthorizedError(res) unless @hasAccess(req) return @sendForbiddenError(res) unless @hasAccess(req)
document = @makeNewInstance(req) document = @makeNewInstance(req)
@saveChangesToDocument req, document, (err) => @saveChangesToDocument req, document, (err) =>
return @sendBadInputError(res, err.errors) if err?.valid is false return @sendBadInputError(res, err.errors) if err?.valid is false
@ -314,7 +313,7 @@ module.exports = class Handler
postFirstVersion: (req, res) -> postFirstVersion: (req, res) ->
return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body) return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
return @sendBadInputError(res, 'id should not be included.') if req.body._id return @sendBadInputError(res, 'id should not be included.') if req.body._id
return @sendUnauthorizedError(res) unless @hasAccess(req) return @sendForbiddenError(res) unless @hasAccess(req)
document = @makeNewInstance(req) document = @makeNewInstance(req)
document.set('original', document._id) document.set('original', document._id)
document.set('creator', req.user._id) document.set('creator', req.user._id)
@ -337,12 +336,12 @@ module.exports = class Handler
""" """
return @sendBadInputError(res, 'This entity is not versioned') unless @modelClass.schema.uses_coco_versions return @sendBadInputError(res, 'This entity is not versioned') unless @modelClass.schema.uses_coco_versions
return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body) return @sendBadInputError(res, 'No input.') if _.isEmpty(req.body)
return @sendUnauthorizedError(res) unless @hasAccess(req) return @sendForbiddenError(res) unless @hasAccess(req)
@getDocumentForIdOrSlug req.body._id, (err, parentDocument) => @getDocumentForIdOrSlug req.body._id, (err, parentDocument) =>
return @sendBadInputError(res, 'Bad id.') if err and err.name is 'CastError' return @sendBadInputError(res, 'Bad id.') if err and err.name is 'CastError'
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless parentDocument? return @sendNotFoundError(res) unless parentDocument?
return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, parentDocument) return @sendForbiddenError(res) unless @hasAccessToDocument(req, parentDocument)
editableProperties = @getEditableProperties req, parentDocument editableProperties = @getEditableProperties req, parentDocument
updatedObject = parentDocument.toObject() updatedObject = parentDocument.toObject()
for prop in editableProperties for prop in editableProperties
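Review bot: The generic `get` guard in the `@ -86,7 +85,7 @@` hunk has no `return`, so after `sendForbiddenError` writes the 403 the handler keeps going, builds the query and later sends a second response; every other guard in this file (`getById`, `put`, `post`, `postNewVersion`) uses `return @sendForbiddenError(...)`. It should read `return @sendForbiddenError(res) if not @hasAccess(req)` so the rejected request does no further work. The body of `get` continues outside the hunk, so I cannot see whether something later re-checks access, but the line as written is still a double-send waiting to happen.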


@ -50,7 +50,7 @@ LevelHandler = class LevelHandler extends Handler
@getDocumentForIdOrSlug id, (err, level) => @getDocumentForIdOrSlug id, (err, level) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless level? return @sendNotFoundError(res) unless level?
return @sendUnauthorizedError(res) unless @hasAccessToDocument(req, level, 'get') return @sendForbiddenError(res) unless @hasAccessToDocument(req, level, 'get')
callback err, level callback err, level
getSession: (req, res, id) -> getSession: (req, res, id) ->


@ -20,7 +20,7 @@ class LevelSessionHandler extends Handler
return _.omit documentObject, @privateProperties return _.omit documentObject, @privateProperties
getActiveSessions: (req, res) -> getActiveSessions: (req, res) ->
return @sendUnauthorizedError(res) unless req.user.isAdmin() return @sendForbiddenError(res) unless req.user.isAdmin()
start = new Date() start = new Date()
start = new Date(start.getTime() - TIMEOUT) start = new Date(start.getTime() - TIMEOUT)
query = @modelClass.find({'changed': {$gt: start}}) query = @modelClass.find({'changed': {$gt: start}})


@ -42,13 +42,13 @@ PatchHandler = class PatchHandler extends Handler
targetModel.findOne(query).sort(sort).exec (err, target) => targetModel.findOne(query).sort(sort).exec (err, target) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless target? return @sendNotFoundError(res) unless target?
return @sendUnauthorizedError(res) unless targetHandler.hasAccessToDocument(req, target, 'get') return @sendForbiddenError(res) unless targetHandler.hasAccessToDocument(req, target, 'get')
if newStatus in ['rejected', 'accepted'] if newStatus in ['rejected', 'accepted']
return @sendUnauthorizedError(res) unless targetHandler.hasAccessToDocument(req, target, 'put') return @sendForbiddenError(res) unless targetHandler.hasAccessToDocument(req, target, 'put')
if newStatus is 'withdrawn' if newStatus is 'withdrawn'
return @sendUnauthorizedError(res) unless req.user.get('_id').equals patch.get('creator') return @sendForbiddenError(res) unless req.user.get('_id').equals patch.get('creator')
patch.set 'status', newStatus patch.set 'status', newStatus


@ -193,7 +193,7 @@ UserHandler = class UserHandler extends Handler
super(arguments...) super(arguments...)
agreeToCLA: (req, res) -> agreeToCLA: (req, res) ->
return @sendUnauthorizedError(res) unless req.user return @sendForbiddenError(res) unless req.user
doc = doc =
user: req.user._id+'' user: req.user._id+''
email: req.user.get 'email' email: req.user.get 'email'
@ -224,7 +224,7 @@ UserHandler = class UserHandler extends Handler
res.end() res.end()
getLevelSessionsForEmployer: (req, res, userID) -> getLevelSessionsForEmployer: (req, res, userID) ->
return @sendUnauthorizedError(res) unless req.user._id+'' is userID or req.user.isAdmin() or ('employer' in (req.user.get('permissions') ? [])) return @sendForbiddenError(res) unless req.user._id+'' is userID or req.user.isAdmin() or ('employer' in (req.user.get('permissions') ? []))
query = creator: userID, levelID: {$in: ['gridmancer', 'greed', 'dungeon-arena', 'brawlwood', 'gold-rush']} query = creator: userID, levelID: {$in: ['gridmancer', 'greed', 'dungeon-arena', 'brawlwood', 'gold-rush']}
projection = 'levelName levelID team playtime codeLanguage submitted code totalScore teamSpells level' projection = 'levelName levelID team playtime codeLanguage submitted code totalScore teamSpells level'
LevelSession.find(query).select(projection).exec (err, documents) => LevelSession.find(query).select(projection).exec (err, documents) =>
@ -281,7 +281,7 @@ UserHandler = class UserHandler extends Handler
isMe = userID is req.user._id + '' isMe = userID is req.user._id + ''
isAuthorized = isMe or req.user.isAdmin() isAuthorized = isMe or req.user.isAdmin()
isAuthorized ||= ('employer' in (req.user.get('permissions') ? [])) and (activityName in ['viewed_by_employer', 'contacted_by_employer']) isAuthorized ||= ('employer' in (req.user.get('permissions') ? [])) and (activityName in ['viewed_by_employer', 'contacted_by_employer'])
return @sendUnauthorizedError res unless isAuthorized return @sendForbiddenError res unless isAuthorized
updateUser = (user) => updateUser = (user) =>
activity = user.trackActivity activityName, increment activity = user.trackActivity activityName, increment
user.update {activity: activity}, (err) => user.update {activity: activity}, (err) =>
@ -356,7 +356,7 @@ UserHandler = class UserHandler extends Handler
true true
getEmployers: (req, res) -> getEmployers: (req, res) ->
return @sendUnauthorizedError(res) unless req.user.isAdmin() return @sendForbiddenError(res) unless req.user.isAdmin()
query = {employerAt: {$exists: true, $ne: ''}} query = {employerAt: {$exists: true, $ne: ''}}
selection = 'name firstName lastName email activity signedEmployerAgreement photoURL employerAt' selection = 'name firstName lastName email activity signedEmployerAgreement photoURL employerAt'
User.find(query).select(selection).lean().exec (err, documents) => User.find(query).select(selection).lean().exec (err, documents) =>
@ -379,7 +379,7 @@ UserHandler = class UserHandler extends Handler
hash.digest('hex') hash.digest('hex')
getRemark: (req, res, userID) -> getRemark: (req, res, userID) ->
return @sendUnauthorizedError(res) unless req.user.isAdmin() return @sendForbiddenError(res) unless req.user.isAdmin()
query = user: userID query = user: userID
projection = null projection = null
if req.query.project if req.query.project
@ -392,7 +392,7 @@ UserHandler = class UserHandler extends Handler
searchForUser: (req, res) -> searchForUser: (req, res) ->
# TODO: also somehow search the CLAs to find a match amongst those fields and to find GitHub ids # TODO: also somehow search the CLAs to find a match amongst those fields and to find GitHub ids
return @sendUnauthorizedError(res) unless req.user.isAdmin() return @sendForbiddenError(res) unless req.user.isAdmin()
search = req.body.search search = req.body.search
query = email: {$exists: true}, $or: [ query = email: {$exists: true}, $or: [
{emailLower: search} {emailLower: search}
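Review bot: In `agreeToCLA` the guard `return @sendForbiddenError(res) unless req.user` fires when there is no authenticated user at all, which is the 401 Unauthorized case rather than 403 Forbidden; the two helpers happened to return the same status, but collapsing them removes the one place the code could distinguish "not logged in" from "logged in but not allowed", which matters for clients deciding whether to re-authenticate. If the `errors` module offers an unauthorized responder, keeping a separate `sendUnauthorizedError: (res) -> errors.unauthorized(res)` for this line would preserve that distinction; otherwise a comment noting that this path is really an authentication failure would help the next maintainer. Separately, `getEmployers`, `getRemark` and `searchForUser` call `req.user.isAdmin()` with no `req.user?` guard, so if any route can reach them without a user set by middleware they throw instead of returning a 4xx — worth confirming against the auth middleware. The body of `searchForUser` continues outside the hunk.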