Vulcan/packages/nova-users/lib/permissions.js

// note: using collection helpers here is probably a bad idea, 
// because they'll throw an error when the user is undefined

/**
 * @summary Telescope permissions
 * @namespace Users.can
 */
Users.can = {};

/**
 * @summary Check if a given user has access to view posts
 * @param {Object} user
 */
Users.can.view = function (user) {
  if (Telescope.settings.get('requireViewInvite', false)) {

    if (Meteor.isClient) {
      // on client only, default to the current user
      user = (typeof user === 'undefined') ? Meteor.user() : user;
    }

    return (!!user && (Users.is.admin(user) || Users.is.invited(user)));
  }
  return true;
};
Users.helpers({canView: function () {return Users.can.view(this);}});

/**
 * @summary Check if a given user can view a specific post
 * @param {Object} user
 * @param {Object} post
 */
Users.can.viewById = function (userId) {
  // if an invite is required to view, run permission check, else return true
  if (Telescope.settings.get('requireViewInvite', false)) {
    return !!userId ? Users.can.view(Meteor.users.findOne(userId)) : false;
  }
  return true;
};
Users.helpers({canViewById: function () {return Users.can.viewById(this);}});

/**
 * @summary Check if a given user can view a specific post
 * @param {Object} user - can be undefined!
 * @param {Object} post
 */
Users.can.viewPost = function (user, post) {

  if (Users.is.admin(user)) {
    return true;
  } else {

    switch (post.status) {

      case Posts.config.STATUS_APPROVED:
        return Users.can.view(user);
      
      case Posts.config.STATUS_REJECTED:
      case Posts.config.STATUS_SPAM:
      case Posts.config.STATUS_PENDING: 
        return Users.can.view(user) && Users.is.owner(user, post);
      
      case Posts.config.STATUS_DELETED:
        return false;
    
    }
  }
}
Users.helpers({canViewPost: function () {return Users.can.viewPost(this, post);}});

/**
 * @summary Check if a given user has permission to submit new posts
 * @param {Object} user
 */
Users.can.post = function (user) {

  user = (typeof user === 'undefined') ? Meteor.user() : user;

  if (!user) { // no account
    return false;
  } 

  if (Users.is.admin(user)) { //admin
    return true;
  } 

  if (Telescope.settings.get('requirePostInvite', false)) { // invite required?
    if (user.isInvited()) { // invited user
      return true;
    } else { // not invited
      return false;
    }
  } else {
    return true;
  }
};
Users.helpers({canPost: function () {return Users.can.post(this);}});

/**
 * @summary Check if a given user has permission to comment (same as posting for now)
 * @param {Object} user
 */
Users.can.comment = function (user) {
  return Users.can.post(user);
};
Users.helpers({canComment: function () {return Users.can.comment(this);}});

/**
 * @summary Check if a user has permission to vote (same as posting for now)
 * @param {Object} user
 */
Users.can.vote = function (user) {
  return Users.can.post(user);
};
Users.helpers({canVote: function () {return Users.can.vote(this);}});

/**
 * @summary Check if a user can edit a document
 * @param {Object} user - The user performing the action
 * @param {Object} document - The document being edited
 */
Users.can.edit = function (user, document) {
  user = (typeof user === 'undefined') ? Meteor.user() : user;

  if (!user || !document) {
    return false;
  }

  if (document.hasOwnProperty('isDeleted') && document.isDeleted) return false;

  var adminCheck = Users.is.admin(user);
  var ownerCheck = Users.is.owner(user, document);

  return adminCheck || ownerCheck;
};
Users.helpers({canEdit: function (document) {return Users.can.edit(this, document);}});

Users.can.editById = function (userId, document) {
  var user = Meteor.users.findOne(userId);
  return Users.can.edit(user, document);
};
Users.helpers({canEditById: function (document) {return Users.can.editById(this, document);}});

/**
 * @summary Check if a user can submit a field
 * @param {Object} user - The user performing the action
 * @param {Object} field - The field being edited or inserted
 */
Users.can.submitField = function (user, field) {
  return user && field.insertableIf && field.insertableIf(user);
};
Users.helpers({canSubmitField: function (field) {return Users.can.submitField(this, field);}});

/** @function
 * Check if a user can edit a field – for now, identical to Users.can.submitField
 * @param {Object} user - The user performing the action
 * @param {Object} field - The field being edited or inserted
 */
Users.can.editField = function (user, field, document) {
  return user && field.editableIf && field.editableIf(user, document);
};

Users.can.invite = function (user) {
  return Users.is.invited(user) || Users.is.admin(user);
};
Users.helpers({canInvite: function () {return Users.can.invite(this);}});
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								// note: using collection helpers here is probably a bad idea,
 								// because they'll throw an error when the user is undefined
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Telescope permissions
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								 * @namespace Users.can
 								 */
 								Users.can = {};
 								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a given user has access to view posts
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								 * @param {Object} user
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								 */
 								Users.can.view = function (user) {
-												making comments work

											
										
										
											2016-02-16 16:12:13 +09:00
+								  if (Telescope.settings.get('requireViewInvite', false)) {
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
 								    if (Meteor.isClient) {
 								      // on client only, default to the current user
 								      user = (typeof user === 'undefined') ? Meteor.user() : user;
 								    }
-												namespacing user roles

											
										
										
											2015-04-27 17:14:07 +09:00
+								    return (!!user && (Users.is.admin(user) || Users.is.invited(user)));
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								  }
 								  return true;
 								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canView: function () {return Users.can.view(this);}});
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a given user can view a specific post
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								 * @param {Object} user
 								 * @param {Object} post
 								 */
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								Users.can.viewById = function (userId) {
 								  // if an invite is required to view, run permission check, else return true
-												making comments work

											
										
										
											2016-02-16 16:12:13 +09:00
+								  if (Telescope.settings.get('requireViewInvite', false)) {
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								    return !!userId ? Users.can.view(Meteor.users.findOne(userId)) : false;
 								  }
 								  return true;
 								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canViewById: function () {return Users.can.viewById(this);}});
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a given user can view a specific post
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								 * @param {Object} user - can be undefined!
 								 * @param {Object} post
 								 */
 								Users.can.viewPost = function (user, post) {
-												working on documentation

											
										
										
											2015-05-10 13:37:42 +09:00
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								  if (Users.is.admin(user)) {
 								    return true;
 								  } else {
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								    switch (post.status) {
 								      case Posts.config.STATUS_APPROVED:
 								        return Users.can.view(user);
 								      case Posts.config.STATUS_REJECTED:
 								      case Posts.config.STATUS_SPAM:
 								      case Posts.config.STATUS_PENDING:
 								        return Users.can.view(user) && Users.is.owner(user, post);
 								      case Posts.config.STATUS_DELETED:
 								        return false;
 								    }
 								  }
 								}
 								Users.helpers({canViewPost: function () {return Users.can.viewPost(this, post);}});
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a given user has permission to submit new posts
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								 * @param {Object} user
 								 */
 								Users.can.post = function (user) {
-												make properties required again, pass components differently in routes.jsx, use smart forms for user edit form

											
										
										
											2016-03-15 11:19:48 +09:00
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								  user = (typeof user === 'undefined') ? Meteor.user() : user;
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								  if (!user) { // no account
 								    return false;
 								  }
-												make properties required again, pass components differently in routes.jsx, use smart forms for user edit form

											
										
										
											2016-03-15 11:19:48 +09:00
+								  if (Users.is.admin(user)) { //admin
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								    return true;
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								  }
-												making comments work

											
										
										
											2016-02-16 16:12:13 +09:00
+								  if (Telescope.settings.get('requirePostInvite', false)) { // invite required?
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								    if (user.isInvited()) { // invited user
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								      return true;
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								    } else { // not invited
-												fix #972 and fix uninvited users being allowed to post bug

											
										
										
											2015-05-17 12:04:46 +09:00
+								      return false;
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								    }
 								  } else {
 								    return true;
 								  }
 								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canPost: function () {return Users.can.post(this);}});
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a given user has permission to comment (same as posting for now)
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								 * @param {Object} user
 								 */
 								Users.can.comment = function (user) {
 								  return Users.can.post(user);
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canComment: function () {return Users.can.comment(this);}});
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a user has permission to vote (same as posting for now)
-												refactor permission code; make spam/pending/etc. posts unaccessible (fix #1219)

											
										
										
											2016-02-06 12:31:12 +09:00
+								 * @param {Object} user
 								 */
 								Users.can.vote = function (user) {
 								  return Users.can.post(user);
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canVote: function () {return Users.can.vote(this);}});
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a user can edit a document
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								 * @param {Object} user - The user performing the action
 								 * @param {Object} document - The document being edited
 								 */
 								Users.can.edit = function (user, document) {
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								  user = (typeof user === 'undefined') ? Meteor.user() : user;
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								  if (!user || !document) {
 								    return false;
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								  }
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
-												Complete soft delete feature for comments

- Add deleteComment function to CommentsItem.jsx
- Add Delete link next to Edit link in CommentsItem.jsx
- Hide reply link if comment.isDeleted
- Add styling for Delete link element in _comments.scss
- Add check for document.isDeleted in Users.can.edit in permissions.js
											
										
										
											2016-05-06 17:07:40 -04:00
+								  if (document.hasOwnProperty('isDeleted') && document.isDeleted) return false;
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								  var adminCheck = Users.is.admin(user);
 								  var ownerCheck = Users.is.owner(user, document);
 								  return adminCheck || ownerCheck;
 								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canEdit: function (document) {return Users.can.edit(this, document);}});
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
 								Users.can.editById = function (userId, document) {
 								  var user = Meteor.users.findOne(userId);
 								  return Users.can.edit(user, document);
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
+								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canEditById: function (document) {return Users.can.editById(this, document);}});
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
-												use fields method to restrict fields after all

											
										
										
											2015-04-28 11:32:53 +09:00
+								/**
-												adding @summary for jsdocs compatibility

											
										
										
											2016-04-09 09:41:20 +09:00
+								 * @summary Check if a user can submit a field
-												use fields method to restrict fields after all

											
										
										
											2015-04-28 11:32:53 +09:00
+								 * @param {Object} user - The user performing the action
 								 * @param {Object} field - The field being edited or inserted
 								 */
 								Users.can.submitField = function (user, field) {
-												using smart publications and smart methods

											
										
										
											2016-02-28 13:12:36 +09:00
+								  return user && field.insertableIf && field.insertableIf(user);
-												Improve jsHint consistency

This commit touch a lot of lines of code with the goal to be more
rigorous about JavaScript code conventions defined in the `.jshintrc`.

Some modification:

* Add a list of used global symbols in the corresponding section of
  `.jshintrc`
* Use local variables instead of global in a lot of places where the
  keyword `var` was mistakenly forgotten
* Add missing semi-colons after instructions
* Add new lines at the end of files
* Remove trailing whitespaces
* Use newer name of some Meteor APIs, eg `addFiles` instead of
  `add_files`
* Add missing `break` statements in `switch` blocks
* Use `===` instead of `==` and `!==` instead of `!=`
* Remove unused variables

This commit should also fix a few bugs due to this lack of rigor. One
example of that was the test `typeof navElements === "array"` that was
never true because in JavaScript, `typeof [] === "object"`, we
replaced this test by the `_.isArray` method provided by underscore.
It might also fix some potential collision related to global
variables.

There is still plenty of work until Telescope code base passes jsHint
validation, but at least this commit is a step in the right direction.

											
										
										
											2015-05-01 18:22:00 +02:00
+								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canSubmitField: function (field) {return Users.can.submitField(this, field);}});
-												Using AutoForm for comment submit form

											
										
										
											2015-04-28 09:44:43 +09:00
-												working on documentation

											
										
										
											2015-05-10 13:37:42 +09:00
+								/** @function
-												owner -> member; set allow/deny for posts, comments, users

											
										
										
											2015-04-28 17:15:53 +09:00
+								 * Check if a user can edit a field – for now, identical to Users.can.submitField
-												use fields method to restrict fields after all

											
										
										
											2015-04-28 11:32:53 +09:00
+								 * @param {Object} user - The user performing the action
 								 * @param {Object} field - The field being edited or inserted
 								 */
-												using smart publications and smart methods

											
										
										
											2016-02-28 13:12:36 +09:00
+								Users.can.editField = function (user, field, document) {
 								  return user && field.editableIf && field.editableIf(user, document);
 								};
-												bringing packages back into core repo after all

											
										
										
											2015-04-22 07:50:11 +09:00
 								Users.can.invite = function (user) {
-												namespacing user roles

											
										
										
											2015-04-27 17:14:07 +09:00
+								  return Users.is.invited(user) || Users.is.admin(user);
-												Improve jsHint consistency

This commit touch a lot of lines of code with the goal to be more
rigorous about JavaScript code conventions defined in the `.jshintrc`.

Some modification:

* Add a list of used global symbols in the corresponding section of
  `.jshintrc`
* Use local variables instead of global in a lot of places where the
  keyword `var` was mistakenly forgotten
* Add missing semi-colons after instructions
* Add new lines at the end of files
* Remove trailing whitespaces
* Use newer name of some Meteor APIs, eg `addFiles` instead of
  `add_files`
* Add missing `break` statements in `switch` blocks
* Use `===` instead of `==` and `!==` instead of `!=`
* Remove unused variables

This commit should also fix a few bugs due to this lack of rigor. One
example of that was the test `typeof navElements === "array"` that was
never true because in JavaScript, `typeof [] === "object"`, we
replaced this test by the `_.isArray` method provided by underscore.
It might also fix some potential collision related to global
variables.

There is still plenty of work until Telescope code base passes jsHint
validation, but at least this commit is a step in the right direction.

											
										
										
											2015-05-01 18:22:00 +02:00
+								};
-												working on permissions and router filters

											
										
										
											2015-09-19 10:33:37 +09:00
+								Users.helpers({canInvite: function () {return Users.can.invite(this);}});