GitHub Repository: sagemathinc/cocalc
Path: blob/master/src/packages/hub/access.coffee
#########################################################################
# This file is part of CoCalc: Copyright © 2020 Sagemath, Inc.
# License: MS-RSL – see LICENSE.md for details
#########################################################################
###
Access permissions related to projects for a given user (or project)
###
async = require('async')
winston = require('./logger').getLogger('access')
misc = require('@cocalc/util/misc')
{defaults, required} = misc
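# Decide whether an account (or a project acting as itself) is in one of the
# given groups of a project.  An account whose own groups include 'admin' is
# granted access regardless of project membership.
#
# opts:
#   project_id     - project whose membership is checked (required)
#   account_id     - requesting account; when not set the answer is always false
#   account_groups - optional list of the account's groups, if the caller has
#                    already loaded it; when given, the account lookup is skipped
#   groups         - project groups that count as access (required)
#   database       - object providing user_is_in_project_group and get_account (required)
#   cb             - cb(err, access); access is a strict boolean and is false
#                    whenever err is set
#
# NOTE(review): account_groups is taken at face value, so an 'admin' entry in it
# grants access to every project.  Callers should fill it only from the
# server-side account record, never from request data -- confirm at call sites.
user_is_in_project_group = (opts) ->
    opts = defaults opts,
        project_id     : required
        account_id     : undefined
        account_groups : undefined
        groups         : required
        database       : required
        cb             : required        # cb(err, true or false)
    dbg = (m) -> winston.debug("user_is_in_project_group -- #{m}")
    dbg()
    if not opts.account_id?
        dbg("not logged in, so for now we just say 'no' -- this may change soon.")
        opts.cb(undefined, false) # do not have access
        return
    if opts.account_id == opts.project_id
        # Special case, e.g., a project accessing "itself" via a project api key.
        # NOTE(review): this grants access on id equality alone, so it presumably
        # relies on the caller having authenticated that identity -- confirm.
        opts.cb(undefined, true)
        return

    access = false
    async.series([
        (cb) ->
            dbg("check if admin or in appropriate group -- #{misc.to_json(opts.account_groups)}")
            if opts.account_groups? and 'admin' in opts.account_groups  # admin is re-checked below when groups were not supplied
                access = true
                cb()
            else
                opts.database.user_is_in_project_group
                    project_id : opts.project_id
                    account_id : opts.account_id
                    groups     : opts.groups
                    cb         : (err, x) ->
                        # Fail closed: a failed lookup never grants access, and the
                        # result is coerced so callers always see true or false.
                        access = not err and !!x
                        cb(err)
        (cb) ->
            if access or opts.account_groups?
                # Either access is granted, or admin status was already decided
                # from the supplied account_groups in the step above.
                cb()
            else
                # User does not have access in normal way and account_groups not provided, so
                # we do an extra group check before denying user.
                opts.database.get_account
                    columns    : ['groups']
                    account_id : opts.account_id
                    cb         : (err, r) ->
                        if err
                            cb(err)
                        else
                            # A missing record or missing groups column means "not admin";
                            # the existential access avoids throwing inside the callback,
                            # which would leave opts.cb uncalled.
                            access = 'admin' in (r?.groups ? [])
                            cb()
    ], (err) ->
        # Never report access together with an error.
        access = false if err
        dbg("done with tests -- now access=#{access}, err=#{err}")
        opts.cb(err, access)
    )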
# Write access: the account must be an owner or collaborator of the project.
# Takes the same opts as user_is_in_project_group.  opts.groups is set here on
# the caller's own object, replacing any value the caller supplied, so the
# caller cannot choose which groups count as write access.
exports.user_has_write_access_to_project = (opts) ->
    write_groups = ['owner', 'collaborator']
    opts.groups = write_groups
    return user_is_in_project_group(opts)
# Read access: the account must be an owner, collaborator, or *viewer* of the
# project.  Takes the same opts as user_is_in_project_group.  opts.groups is
# set here on the caller's own object, replacing any value the caller supplied.
exports.user_has_read_access_to_project = (opts) ->
    read_groups = ['owner', 'collaborator', 'viewer']
    opts.groups = read_groups
    return user_is_in_project_group(opts)