Completed user security

User routes correctly protected. Added initialisation values to database. Added dev routes to get all values. => ! Route publicuser/new is not protected yet <=
titouanfreville · Mar 8, 2017 · cf9ea61 · cf9ea61
1 parent 1e67090
commit cf9ea61
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 18 deletions.
diff --git a/api/api.go b/api/api.go
@@ -5,7 +5,9 @@ import (
 	"crypto/rand"
 	"encoding/base32"
 	"flag"
+	"log"
 	"net/http"
+	"os"
 
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/jinzhu/gorm"
@@ -206,6 +208,26 @@ func basicRoutes(router *chi.Mux) {
 	})
 }
 
+func initDevGetter(router chi.Router) {
+	env := os.Getenv("POPCUBE_API_ENV")
+	if env == "prod" || env == "test" || env == "beta" || env == "alpha" || env == "production" {
+		return
+	}
+	log.Print("<><><><><><><> Using DEV routes <><><><><><><> \n")
+	router.Route("/devgetters", func(r chi.Router) {
+		r.Get("/avatar", getAllAvatar)
+		r.Get("/channel", getAllChannel)
+		r.Get("/emoji", getAllEmoji)
+		r.Get("/folder", getAllFolder)
+		r.Get("/member", getAllMember)
+		r.Get("/message", getAllMessage)
+		r.Get("/organisation", getAllOrganisation)
+		r.Get("/parameter", getAllParameter)
+		r.Get("/role", getAllRole)
+		r.Get("/user", getAllUser)
+	})
+}
+
 // loginMiddleware login funcion providing user && jwt auth token
 func loginMiddleware(w http.ResponseWriter, r *http.Request) {
 	var data struct {
@@ -291,7 +313,7 @@ func StartAPI(hostname string, port string, DbConnectionInfo *configs.DbConnecti
 	initParameterRoute(router)
 	initRoleRoute(router)
 	initUserRoute(router)
-
+	initDevGetter(router)
 	// Passing -routes to the program will generate docs for the above
 	// router definition. See the `routes.json` file in this folder for
 	// the output.

diff --git a/api/user_route.go b/api/user_route.go
@@ -244,12 +244,15 @@ func userContext(next http.Handler) http.Handler {
 	})
 }
 
-func canManageUser(place string, token *jwt.Token) bool {
+func canManageUser(place string, self bool, currentUser string, token *jwt.Token) bool {
 	store := datastores.Store()
 	db := dbStore.db
 	userName := token.Claims.(jwt.MapClaims)["name"].(string)
 	user := store.User().GetByUserName(userName, db)
 	userRights := store.Role().GetByID(user.IDRole, db)
+	if self && currentUser == userName {
+		return true
+	}
 	if place == "organisation" || place == "global" {
 		haveGlobalManageRight, ok := token.Claims.(jwt.MapClaims)["canManageUser"].(bool)
 		log.Print(haveGlobalManageRight)
@@ -384,7 +387,9 @@ func newUser(w http.ResponseWriter, r *http.Request) {
 		OmitID interface{} `json:"id,omitempty"`
 	}
 	store := datastores.Store()
-	if !canManageUser("global", r.Context().Value(jwtTokenKey).(*jwt.Token)) {
+	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
+	if !canManageUser("global", false, "", token) {
+
 		res := error401
 		res.Message = "You don't have the right to manage user."
 		render.JSON(w, error401.StatusCode, error401)
@@ -421,8 +426,8 @@ func inviteUser(w http.ResponseWriter, r *http.Request) {
 	organisation := store.Organisation().Get(db)
 	response := inviteOk{}
 	request := r.Body
-
-	if !canManageUser("global", r.Context().Value(jwtTokenKey).(*jwt.Token)) {
+	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
+	if !canManageUser("global", false, "", token) {
 		res := error401
 		res.Message = "You don't have the right to manage user."
 		render.JSON(w, error401.StatusCode, error401)
@@ -461,8 +466,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 	err := chiRender.Bind(request, &data)
 	user := r.Context().Value(oldUserKey).(models.User)
 	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
-	self := token.Claims.(jwt.MapClaims)["user"].(string) == user.Username
-	if !self && !canManageUser("global", token) {
+	if !canManageUser("global", true, user.Username, token) {
 		res := error401
 		res.Message = "You don't have the right to manage user."
 		render.JSON(w, error401.StatusCode, error401)
@@ -488,8 +492,7 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
 	user := r.Context().Value(oldUserKey).(models.User)
 	store := datastores.Store()
 	token := r.Context().Value(jwtTokenKey).(*jwt.Token)
-	self := token.Claims.(jwt.MapClaims)["user"].(string) == user.Username
-	if !self && !canManageUser("global", token) {
+	if !canManageUser("global", true, user.Username, token) {
 		res := error401
 		res.Message = "You don't have the right to manage user."
 		render.JSON(w, error401.StatusCode, error401)

diff --git a/scripts/init.sql b/scripts/init.sql
@@ -147,13 +147,6 @@ CREATE TABLE IF NOT EXISTS `popcube_test`.`members` (
 ENGINE = InnoDB
 COMMENT = 'Store information about member of organisation.';
 
-CREATE UNIQUE INDEX `User_UNIQUE` ON `popcube_test`.`members` (`idUser` ASC);
-
-CREATE UNIQUE INDEX `Role_UNIQUE` ON `popcube_test`.`members` (`idRole` ASC);
-
-CREATE UNIQUE INDEX `channel_UNIQUE` ON `popcube_test`.`members` (`idChannel` ASC);
-
-
 -- -----------------------------------------------------
 -- Table `popcube_test`.`messages`
 -- -----------------------------------------------------

diff --git a/scripts/init_values.sql b/scripts/init_values.sql
@@ -6,7 +6,116 @@ INSERT INTO roles (roleName, canUsePrivate, canModerate, canArchive, canInvite,
 VALUES ("admin", true, true, true, true, true, true);
 
 INSERT INTO roles (roleName, canUsePrivate, canModerate, canArchive, canInvite, canManage, canManageUser) 
-VALUES ("standart", true, true, true, false, false, false);
+VALUES ("standard", true, true, true, false, false, false);
 
 INSERT INTO roles (roleName, canUsePrivate, canModerate, canArchive, canInvite, canManage, canManageUser) 
-VALUES ("guest", false, false, false, false, false, false);
+VALUES ("guest", false, false, false, false, false, false);
+
+-- CHANNEL INITIALISATION ------------------------------------------------------------------------
+INSERT INTO channels (webId, channelName, type, lastUpdate, private, avatar, description, subject) 
+VALUES ("generaltextchannel", "general", "text", 1, false, "defaultAvatar", "Speak on general subjects", "General");
+
+INSERT INTO channels (webId, channelName, type, lastUpdate, private, avatar,description) 
+VALUES ("randomtextchannel", "random", "text", 1, false, "defaultAvatar","Speak about any thing");
+
+INSERT INTO channels (webId, channelName, type, lastUpdate, private, avatar) 
+VALUES ("generalvocchannel", "general - voc", "audio", 1, false, "defaultAvatar");
+
+INSERT INTO channels (webId, channelName, type, lastUpdate, private, avatar) 
+VALUES ("randomvocchannel", "random - voc", "audio", 1, false, "defaultAvatar");
+
+INSERT INTO channels (webId, channelName, type, lastUpdate, private, avatar) 
+VALUES ("generalvidchannel", "general - vid", "video", 1, false, "defaultAvatar");
+
+INSERT INTO channels (webId, channelName, type, lastUpdate, private, avatar) 
+VALUES ("randomvidchannel", "random - vid", "video", 1, false, "defaultAvatar");
+
+-- PARMETER INITIALISATION ------------------------------------------------------------------------
+INSERT INTO parameters (local, timeZone) 
+VALUES ("en_EN", "UTC-1");
+
+-- UNCOMMENT THE FOLLOWINGS FOR LOCAL DEV TEST ---------------------------------------------------
+
+-- USER INITIALISATION <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO users (webId, userName, email, lastUpdate, password, idRole, avatar, nickName, firstName, lastName)
+VALUES ("TestUserOwner", "devowner", "[email protected]", 1105154015461, "$2a$10$IU8oU9dseYZytHcr54VXj.H9tX78hS2xUuPrzMeVN6rFG7k89i6EW", 1, "user/owned.svg", "owner", "owner", "dev");
+
+
+INSERT INTO users (webId, userName, email, lastUpdate, password, idRole, avatar, nickName, firstName, lastName)
+VALUES ("TestUserAdmin", "devadmin", "[email protected]", 1105154015461, "$2a$10$IU8oU9dseYZytHcr54VXj.H9tX78hS2xUuPrzMeVN6rFG7k89i6EW", 2, "user/avatar.svg", "admin", "admin", "dev");
+
+INSERT INTO users (webId, userName, email, lastUpdate, password, idRole, avatar, nickName, firstName, lastName)
+VALUES ("TestUserStandard", "devstandard", "[email protected]", 1105154015461, "$2a$10$IU8oU9dseYZytHcr54VXj.H9tX78hS2xUuPrzMeVN6rFG7k89i6EW", 3, "user/avatar.svg", "standard", "standard", "dev");
+
+INSERT INTO users (webId, userName, email, lastUpdate, password, idRole, avatar, nickName, firstName, lastName)
+VALUES ("TestUserGuest", "devguest", "[email protected]", 1105154015461, "$2a$10$IU8oU9dseYZytHcr54VXj.H9tX78hS2xUuPrzMeVN6rFG7k89i6EW", 4, "user/avatar.svg", "guest", "guest", "dev");
+
+-- ORGANISATION INITIALISATION <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO organisations (dockerStack, organisationName, description, avatar, domain) 
+VALUES (1, "Popcube Dev", "Test for popcube", "popcube.svg", "popcubedev.popbcube.xyz");
+
+-- MEMBERS INITITIALISATION  <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO members (idUser, idChannel)
+VALUES (1, 1);
+INSERT INTO members (idUser, idChannel)
+VALUES (2, 1);
+INSERT INTO members (idUser, idChannel)
+VALUES (3, 1);
+INSERT INTO members (idUser, idChannel)
+VALUES (4, 1);
+
+INSERT INTO members (idUser, idChannel)
+VALUES (1, 2);
+INSERT INTO members (idUser, idChannel)
+VALUES (2, 2);
+INSERT INTO members (idUser, idChannel)
+VALUES (3, 2);
+INSERT INTO members (idUser, idChannel)
+VALUES (4, 2);
+
+INSERT INTO members (idUser, idChannel)
+VALUES (1, 3);
+INSERT INTO members (idUser, idChannel, idRole)
+VALUES (2, 3,3);
+INSERT INTO members (idUser, idChannel)
+VALUES (3, 3);
+INSERT INTO members (idUser, idChannel)
+VALUES (4, 3);
+
+INSERT INTO members (idUser, idChannel)
+VALUES (1, 4);
+INSERT INTO members (idUser, idChannel)
+VALUES (2, 4);
+INSERT INTO members (idUser, idChannel, idRole)
+VALUES (3, 4, 2);
+INSERT INTO members (idUser, idChannel)
+VALUES (4, 4);
+
+-- MESSAGE INITIALISATION <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO messages (idUser, idChannel, date, content) 
+VALUES (1, 1, 10210541, "Test message.");
+INSERT INTO messages (idUser, idChannel, date, content) 
+VALUES (1, 1, 10210542, "");
+INSERT INTO messages (idUser, idChannel, date, content) 
+VALUES (1, 1, 10210543, "Test message with folder.");
+
+-- FOLDER INITIALISATION <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO folders (idMessage, type, link, name) 
+VALUES (2, "txt", "folders/text.txt", "text");
+
+INSERT INTO folders (idMessage) 
+VALUES (3);
+
+-- EMOJIS INITIALISATION <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO emojis (name, shortcut, link)
+VALUE ("troll face", ":troll:", "emojis/troll.svg");
+
+INSERT INTO emojis (name, shortcut, link)
+VALUE ("love", "<3", "emojis/love.svg");
+
+-- AVATARS INITIALISATION <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
+INSERT INTO avatars (name, link)
+VALUE ("troll face", "emojis/troll.svg");
+
+INSERT INTO avatars (name, link)
+VALUE ("Strawberrie", "emojis/straw.svg");