2015-04-22 07:50:11 +09:00
|
|
|
|
/**
|
|
|
|
|
|
* Telescope permissions
|
|
|
|
|
|
* @namespace Users.can
|
|
|
|
|
|
*/
|
|
|
|
|
|
Users.can = {};
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Permissions checks. Return true if all is well.
|
|
|
|
|
|
* @param {Object} user - Meteor.user()
|
|
|
|
|
|
*/
|
|
|
|
|
|
Users.can.view = function (user) {
|
|
|
|
|
|
if (Settings.get('requireViewInvite', false)) {
|
|
|
|
|
|
|
|
|
|
|
|
if (Meteor.isClient) {
|
|
|
|
|
|
// on client only, default to the current user
|
|
|
|
|
|
user = (typeof user === 'undefined') ? Meteor.user() : user;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-04-27 17:14:07 +09:00
|
|
|
|
return (!!user && (Users.is.admin(user) || Users.is.invited(user)));
|
2015-04-22 07:50:11 +09:00
|
|
|
|
}
|
|
|
|
|
|
return true;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2015-04-28 17:15:53 +09:00
|
|
|
|
Users.can.viewById = function (userId) {
|
|
|
|
|
|
// if an invite is required to view, run permission check, else return true
|
|
|
|
|
|
if (Settings.get('requireViewInvite', false)) {
|
|
|
|
|
|
return !!userId ? Users.can.view(Meteor.users.findOne(userId)) : false;
|
|
|
|
|
|
}
|
|
|
|
|
|
return true;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2015-04-22 07:50:11 +09:00
|
|
|
|
Users.can.viewPendingPosts = function (user) {
|
|
|
|
|
|
user = (typeof user === 'undefined') ? Meteor.user() : user;
|
2015-04-27 17:14:07 +09:00
|
|
|
|
return Users.is.admin(user);
|
2015-04-22 07:50:11 +09:00
|
|
|
|
};
|
|
|
|
|
|
|
2015-05-10 13:37:42 +09:00
|
|
|
|
Users.can.viewPendingPost = function (user, post) {
|
|
|
|
|
|
return Users.is.owner(user, post) || Users.can.viewPendingPosts(user);
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
2015-04-22 07:50:11 +09:00
|
|
|
|
Users.can.viewRejectedPosts = function (user) {
|
|
|
|
|
|
user = (typeof user === 'undefined') ? Meteor.user() : user;
|
2015-04-27 17:14:07 +09:00
|
|
|
|
return Users.is.admin(user);
|
2015-04-22 07:50:11 +09:00
|
|
|
|
};
|
|
|
|
|
|
|
2015-05-10 13:37:42 +09:00
|
|
|
|
Users.can.viewRejectedPost = function (user, post) {
|
|
|
|
|
|
return Users.is.owner(user, post) || Users.can.viewRejectedPosts(user);
|
|
|
|
|
|
};
|
2015-04-22 07:50:11 +09:00
|
|
|
|
|
|
|
|
|
|
Users.can.post = function (user, returnError) {
|
|
|
|
|
|
user = (typeof user === 'undefined') ? Meteor.user() : user;
|
|
|
|
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
|
|
return returnError ? "no_account" : false;
|
2015-04-27 17:14:07 +09:00
|
|
|
|
} else if (Users.is.admin(user)) {
|
2015-04-22 07:50:11 +09:00
|
|
|
|
return true;
|
|
|
|
|
|
} else if (Settings.get('requirePostInvite')) {
|
|
|
|
|
|
if (user.isInvited) {
|
|
|
|
|
|
return true;
|
|
|
|
|
|
} else {
|
|
|
|
|
|
return returnError ? "no_invite" : false;
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
Users.can.comment = function (user, returnError) {
|
|
|
|
|
|
return Users.can.post(user, returnError);
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
Users.can.vote = function (user, returnError) {
|
|
|
|
|
|
return Users.can.post(user, returnError);
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2015-04-28 17:15:53 +09:00
|
|
|
|
/**
|
|
|
|
|
|
* Check if a user can edit a document
|
|
|
|
|
|
* @param {Object} user - The user performing the action
|
|
|
|
|
|
* @param {Object} document - The document being edited
|
|
|
|
|
|
*/
|
|
|
|
|
|
Users.can.edit = function (user, document) {
|
2015-04-22 07:50:11 +09:00
|
|
|
|
user = (typeof user === 'undefined') ? Meteor.user() : user;
|
|
|
|
|
|
|
2015-04-28 17:15:53 +09:00
|
|
|
|
if (!user || !document) {
|
|
|
|
|
|
return false;
|
2015-04-22 07:50:11 +09:00
|
|
|
|
}
|
2015-04-28 17:15:53 +09:00
|
|
|
|
|
|
|
|
|
|
var adminCheck = Users.is.admin(user);
|
|
|
|
|
|
var ownerCheck = Users.is.owner(user, document);
|
|
|
|
|
|
|
|
|
|
|
|
return adminCheck || ownerCheck;
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
Users.can.editById = function (userId, document) {
|
|
|
|
|
|
var user = Meteor.users.findOne(userId);
|
|
|
|
|
|
return Users.can.edit(user, document);
|
2015-04-22 07:50:11 +09:00
|
|
|
|
};
|
|
|
|
|
|
|
2015-04-28 11:32:53 +09:00
|
|
|
|
/**
|
|
|
|
|
|
* Check if a user can submit a field
|
|
|
|
|
|
* @param {Object} user - The user performing the action
|
|
|
|
|
|
* @param {Object} field - The field being edited or inserted
|
|
|
|
|
|
*/
|
|
|
|
|
|
Users.can.submitField = function (user, field) {
|
2015-04-28 09:44:43 +09:00
|
|
|
|
|
2015-04-27 17:14:07 +09:00
|
|
|
|
if (!field.editableBy || !user) {
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-04-28 17:15:53 +09:00
|
|
|
|
var adminCheck = _.contains(field.editableBy, "admin") && Users.is.admin(user); // is the field editable by admins?
|
|
|
|
|
|
var memberCheck = _.contains(field.editableBy, "member"); // is the field editable by regular users?
|
2015-04-28 11:32:53 +09:00
|
|
|
|
|
2015-04-28 17:15:53 +09:00
|
|
|
|
return adminCheck || memberCheck;
|
2015-05-01 18:22:00 +02:00
|
|
|
|
|
|
|
|
|
|
};
|
2015-04-28 09:44:43 +09:00
|
|
|
|
|
2015-05-10 13:37:42 +09:00
|
|
|
|
/** @function
|
2015-04-28 17:15:53 +09:00
|
|
|
|
* Check if a user can edit a field – for now, identical to Users.can.submitField
|
2015-04-28 11:32:53 +09:00
|
|
|
|
* @param {Object} user - The user performing the action
|
|
|
|
|
|
* @param {Object} field - The field being edited or inserted
|
|
|
|
|
|
*/
|
2015-05-01 18:22:00 +02:00
|
|
|
|
Users.can.editField = Users.can.submitField;
|
2015-04-22 07:50:11 +09:00
|
|
|
|
|
|
|
|
|
|
Users.can.currentUserEdit = function (item) {
|
|
|
|
|
|
return Users.can.edit(Meteor.user(), item);
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
Users.can.invite = function (user) {
|
2015-04-27 17:14:07 +09:00
|
|
|
|
return Users.is.invited(user) || Users.is.admin(user);
|
2015-05-01 18:22:00 +02:00
|
|
|
|
};
|
