123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126 |
- import { throwError } from "./utils.js";
- export const ownerOrAdminOrNewHooks = async (context) => {
- let existingGame = null;
- const { userId, store, resourceId, body, boxId, method } = context;
- // Is it the `game` box ?
- if (boxId !== "game") {
- return context;
- }
- // Is it a modification action ?
- if (!["POST", "UPDATE", "DELETE"].includes(method)) {
- return context;
- }
- // It's a game modification...
- if (!userId) {
- throwError(
- "Game creation/modification not allowed for unauthenticated users",
- 403
- );
- }
- const nextContext = {
- ...context,
- allow: true,
- body: { ...body, owner: userId },
- };
- if (!resourceId) {
- // Creation
- return nextContext;
- }
- try {
- existingGame = await store.get("game", resourceId);
- } catch {
- console.log("Game not found");
- // Creation but with resourceId
- return nextContext;
- }
- let isAdmin = false;
- try {
- const currentUser = await store.get("user", userId);
- isAdmin = Boolean(currentUser?.isAdmin);
- } catch (e) {
- if (e.statusCode !== 404) {
- throw e;
- }
- }
- if (existingGame.owner !== userId && !isAdmin) {
- throwError("Modification allowed only for owner or Admin", 403);
- }
- const owner = existingGame.owner || userId;
- // Update with good user (and force user)
- return {
- ...nextContext,
- body: { ...body, owner: owner },
- };
- };
- export const onlySelfOrPublicGames = async (context) => {
- const { boxId, userId, method, response, resourceId, store } = context;
- if (boxId !== "game") {
- return context;
- }
- if (!["GET"].includes(method) || resourceId) {
- return context;
- }
- // Get current user account
- let userIsAdmin = false;
- try {
- const { isAdmin = false } = await store.get("user", userId);
- userIsAdmin = isAdmin;
- } catch (e) {
- if (e.statusCode !== 404) {
- throw e;
- }
- }
- const newContext = { ...context };
- newContext.response = response.filter(
- ({ board: { published }, owner }) =>
- published || owner === userId || userIsAdmin
- );
- return newContext;
- };
- export const onlySelfUser = async (context) => {
- const { boxId, userId, method, resourceId, store } = context;
- if (boxId !== "user") {
- return context;
- }
- if (method !== "GET") {
- throwError("Method not allowed", 405);
- }
- if (resourceId !== userId) {
- throwError("You can only access your account", 403);
- }
- // Create user account if missing
- try {
- await store.get("user", userId);
- } catch (e) {
- if (e.statusCode === 404) {
- await store.save("user", userId, {});
- } else {
- throw e;
- }
- }
- return { ...context, allow: true };
- };