Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Return 404 for read/delete requests if there is no resource

Browse Source
This commit is contained in:
Joachim Van Herwegen
2022-02-28 11:46:38 +01:00
parent 9a29cc2257
commit e86e0cf36b
4 changed files with 49 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/authorization/PermissionBasedAuthorizer.ts
View File

@@ -1,10 +1,13 @@
import type { CredentialSet } from '../authentication/Credentials';
import { getLoggerFor } from '../logging/LogUtil';
import type { ResourceSet } from '../storage/ResourceSet';
import { ForbiddenHttpError } from '../util/errors/ForbiddenHttpError';
import { NotFoundHttpError } from '../util/errors/NotFoundHttpError';
import { UnauthorizedHttpError } from '../util/errors/UnauthorizedHttpError';
import type { AuthorizerInput } from './Authorizer';
import { Authorizer } from './Authorizer';
import type { AccessMode, PermissionSet } from './permissions/Permissions';
import type { PermissionSet } from './permissions/Permissions';
import { AccessMode } from './permissions/Permissions';
/**
* Authorizer that bases its decision on the output it gets from its PermissionReader.
@@ -15,14 +18,39 @@ import type { AccessMode, PermissionSet } from './permissions/Permissions';
export class PermissionBasedAuthorizer extends Authorizer {
protected readonly logger = getLoggerFor(this);
private readonly resourceSet: ResourceSet;
/**
* The existence of the target resource determines the output status code for certain situations.
* The provided {@link ResourceSet} will be used for that.
* @param resourceSet - {@link ResourceSet} that can verify the target resource existence.
*/
public constructor(resourceSet: ResourceSet) {
super();
this.resourceSet = resourceSet;
}
public async handle(input: AuthorizerInput): Promise<void> {
const { credentials, modes, identifier, permissionSet } = input;
const modeString = [ ...modes ].join(',');
this.logger.debug(`Checking if ${credentials.agent?.webId} has ${modeString} permissions for ${identifier.path}`);
// Ensure all required modes are within the agent's permissions.
for (const mode of modes) {
this.requireModePermission(credentials, permissionSet, mode);
try {
this.requireModePermission(credentials, permissionSet, mode);
} catch (error: unknown) {
// If we know the operation will return a 404 regardless (= resource does not exist and is not being created),
// and the agent is allowed to know about its existence (= the agent has Read permissions),
// then immediately send the 404 here, as it makes any other agent permissions irrelevant.
const exposeExistence = this.hasModePermission(permissionSet, AccessMode.read);
if (exposeExistence && !modes.has(AccessMode.create) && !await this.resourceSet.hasResource(identifier)) {
throw new NotFoundHttpError();
}
// Otherwise, deny access based on existing grounds.
throw error;
}
}
this.logger.debug(`${JSON.stringify(credentials)} has ${modeString} permissions for ${identifier.path}`);
}