codeninjasllc/codecombat
1
0
Fork 0
mirror of https://github.com/codeninjasllc/codecombat.git synced 2024-11-23 23:58:02 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Log classroom forbidden errors for debugging

Browse source
This commit is contained in:
phoenixeliot 2016-05-26 12:35:46 -07:00
parent 8f7e4e2278
commit dfcbbb7c9c
2 changed files with 24 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
server/handlers/classroom_handler.coffee
View file

@ -5,6 +5,7 @@ Classroom = require './../models/Classroom'
User = require '../models/User' User = require '../models/User'
sendwithus = require '../sendwithus' sendwithus = require '../sendwithus'
utils = require '../lib/utils' utils = require '../lib/utils'
log = require 'winston'
UserHandler = require './user_handler' UserHandler = require './user_handler'
ClassroomHandler = class ClassroomHandler extends Handler ClassroomHandler = class ClassroomHandler extends Handler
@ -74,7 +75,9 @@ ClassroomHandler = class ClassroomHandler extends Handler
Classroom.findById classroomID, (err, classroom) => Classroom.findById classroomID, (err, classroom) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendNotFoundError(res) unless classroom return @sendNotFoundError(res) unless classroom
return @sendForbiddenError(res) unless classroom.get('ownerID').equals(req.user.get('_id')) unless classroom.get('ownerID').equals(req.user.get('_id'))
log.debug "classroom_handler.inviteStudents: Can't invite to classroom (#{classroom.id}) you (#{req.user.get('_id')}) don't own"
return @sendForbiddenError(res)
for email in req.body.emails for email in req.body.emails
joinCode = (classroom.get('codeCamel') or classroom.get('code')) joinCode = (classroom.get('codeCamel') or classroom.get('code'))
@ -91,13 +94,17 @@ ClassroomHandler = class ClassroomHandler extends Handler
get: (req, res) -> get: (req, res) ->
if ownerID = req.query.ownerID if ownerID = req.query.ownerID
return @sendForbiddenError(res) unless req.user and (req.user.isAdmin() or ownerID is req.user.id) unless req.user and (req.user.isAdmin() or ownerID is req.user.id)
log.debug "classroom_handler.get: ownerID (#{ownerID}) must be yourself (#{req.user.id})"
return @sendForbiddenError(res)
return @sendBadInputError(res, 'Bad ownerID') unless utils.isID ownerID return @sendBadInputError(res, 'Bad ownerID') unless utils.isID ownerID
Classroom.find {ownerID: mongoose.Types.ObjectId(ownerID)}, (err, classrooms) => Classroom.find {ownerID: mongoose.Types.ObjectId(ownerID)}, (err, classrooms) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err
return @sendSuccess(res, (@formatEntity(req, classroom) for classroom in classrooms)) return @sendSuccess(res, (@formatEntity(req, classroom) for classroom in classrooms))
else if memberID = req.query.memberID else if memberID = req.query.memberID
return @sendForbiddenError(res) unless req.user and (req.user.isAdmin() or memberID is req.user.id) unless req.user and (req.user.isAdmin() or memberID is req.user.id)
log.debug "classroom_handler.get: memberID (#{memberID}) must be yourself (#{req.user.id})"
return @sendForbiddenError(res)
return @sendBadInputError(res, 'Bad memberID') unless utils.isID memberID return @sendBadInputError(res, 'Bad memberID') unless utils.isID memberID
Classroom.find {members: mongoose.Types.ObjectId(memberID)}, (err, classrooms) => Classroom.find {members: mongoose.Types.ObjectId(memberID)}, (err, classrooms) =>
return @sendDatabaseError(res, err) if err return @sendDatabaseError(res, err) if err

18
server/middleware/classrooms.coffee
View file

@ -3,6 +3,7 @@ utils = require '../lib/utils'
errors = require '../commons/errors' errors = require '../commons/errors'
schemas = require '../../app/schemas/schemas' schemas = require '../../app/schemas/schemas'
wrap = require 'co-express' wrap = require 'co-express'
log = require 'winston'
Promise = require 'bluebird' Promise = require 'bluebird'
database = require '../commons/database' database = require '../commons/database'
mongoose = require 'mongoose' mongoose = require 'mongoose'
@ -21,6 +22,7 @@ module.exports =
return next() unless code return next() unless code
classroom = yield Classroom.findOne({ code: code.toLowerCase() }).select('name ownerID aceConfig') classroom = yield Classroom.findOne({ code: code.toLowerCase() }).select('name ownerID aceConfig')
if not classroom if not classroom
log.debug("classrooms.fetchByCode: Couldn't find Classroom with code: #{code}")
throw new errors.NotFound('Classroom not found.') throw new errors.NotFound('Classroom not found.')
classroom = classroom.toObject() classroom = classroom.toObject()
# Tack on the teacher's name for display to the user # Tack on the teacher's name for display to the user
@ -33,7 +35,9 @@ module.exports =
return next() unless ownerID return next() unless ownerID
throw new errors.UnprocessableEntity('Bad ownerID') unless utils.isID ownerID throw new errors.UnprocessableEntity('Bad ownerID') unless utils.isID ownerID
throw new errors.Unauthorized() unless req.user throw new errors.Unauthorized() unless req.user
throw new errors.Forbidden('"ownerID" must be yourself') unless req.user.isAdmin() or ownerID is req.user.id unless req.user.isAdmin() or ownerID is req.user.id
log.debug("classrooms.getByOwner: Can't fetch classroom you don't own. User: #{req.user.id} Owner: #{ownerID}")
throw new errors.Forbidden('"ownerID" must be yourself')
sanitizedOptions = {} sanitizedOptions = {}
unless _.isUndefined(options.archived) unless _.isUndefined(options.archived)
# Handles when .archived is true, vs false-or-null # Handles when .archived is true, vs false-or-null
@ -114,6 +118,7 @@ module.exports =
isOwner = classroom.get('ownerID').equals(req.user._id) isOwner = classroom.get('ownerID').equals(req.user._id)
isMember = req.user.id in (m.toString() for m in classroom.get('members')) isMember = req.user.id in (m.toString() for m in classroom.get('members'))
unless req.user.isAdmin() or isOwner or isMember unless req.user.isAdmin() or isOwner or isMember
log.debug "classrooms.fetchMembers: Can't fetch members for class (#{classroom.id}) you (#{req.user.id}) don't own and aren't a member of."
throw new errors.Forbidden('You do not own this classroom.') throw new errors.Forbidden('You do not own this classroom.')
memberIDs = classroom.get('members') or [] memberIDs = classroom.get('members') or []
memberIDs = memberIDs.slice(memberSkip, memberSkip + memberLimit) memberIDs = memberIDs.slice(memberSkip, memberSkip + memberLimit)
@ -126,7 +131,9 @@ module.exports =
post: wrap (req, res) -> post: wrap (req, res) ->
throw new errors.Unauthorized() unless req.user and not req.user.isAnonymous() throw new errors.Unauthorized() unless req.user and not req.user.isAnonymous()
throw new errors.Forbidden() unless req.user?.isTeacher() unless req.user?.isTeacher()
console.log "classrooms.post: Can't create classroom if you (#{req.user?.id}) aren't a teacher."
throw new errors.Forbidden()
classroom = database.initDoc(req, Classroom) classroom = database.initDoc(req, Classroom)
classroom.set 'ownerID', req.user._id classroom.set 'ownerID', req.user._id
classroom.set 'members', [] classroom.set 'members', []
@ -159,11 +166,13 @@ module.exports =
unless req.body?.code unless req.body?.code
throw new errors.UnprocessableEntity('Need a code') throw new errors.UnprocessableEntity('Need a code')
if req.user.isTeacher() if req.user.isTeacher()
log.debug("classrooms.join: Cannot join a classroom as a teacher: #{req.user.id}")
throw new errors.Forbidden('Cannot join a classroom as a teacher') throw new errors.Forbidden('Cannot join a classroom as a teacher')
code = req.body.code.toLowerCase() code = req.body.code.toLowerCase()
classroom = yield Classroom.findOne({code: code}) classroom = yield Classroom.findOne({code: code})
if not classroom if not classroom
throw new errors.NotFound('Classroom not found.') log.debug("classrooms.join: Classroom not found with code #{code}")
throw new errors.NotFound("Classroom not found with code #{code}")
members = _.clone(classroom.get('members')) members = _.clone(classroom.get('members'))
if _.any(members, (memberID) -> memberID.equals(req.user._id)) if _.any(members, (memberID) -> memberID.equals(req.user._id))
return res.send(classroom.toObject({req: req})) return res.send(classroom.toObject({req: req}))
@ -199,7 +208,8 @@ module.exports =
return next() unless memberID in ownedStudentIDs return next() unless memberID in ownedStudentIDs
student = yield User.findById(memberID) student = yield User.findById(memberID)
if student.get('emailVerified') if student.get('emailVerified')
return next new errors.Forbidden("Can't reset password for a student that has verified their email address.") log.debug "classrooms.setStudentPassword: Can't reset password for a student (#{memberID}) that has verified their email address."
throw new errors.Forbidden("Can't reset password for a student that has verified their email address.")
{ valid, error } = tv4.validateResult(newPassword, schemas.passwordString) { valid, error } = tv4.validateResult(newPassword, schemas.passwordString)
unless valid unless valid
throw new errors.UnprocessableEntity(error.message) throw new errors.UnprocessableEntity(error.message)