allow PUT Append for new resource

bourgeoa · bourgeoa · commit 2dd0789dd1de · 2023-11-28T10:48:40.000+01:00
diff --git a/lib/handlers/put.js b/lib/handlers/put.js
@@ -21,10 +21,49 @@ async function handler (req, res, next) {
   return putStream(req, res, next)
 }
 
-// TODO could be renamed as putResource (it now covers container and non-container)
+// Verifies whether the user is allowed to perform Append PUT on the target
+async function checkPermission (request, resourceExists) {
+  // If no ACL object was passed down, assume permissions are okay.
+  if (!request.acl) return Promise.resolve()
+  // At this point, we already assume append access,
+  // we might need to perform additional checks.
+  let modes = []
+  // acl:default Write is required for PUT when Resource Exists
+  if (resourceExists) modes = ['Write']
+  const { acl, session: { userId } } = request
+
+  const allowed = await Promise.all(modes.map(mode => acl.can(userId, mode, request.method, resourceExists)))
+  const allAllowed = allowed.reduce((memo, allowed) => memo && allowed, true)
+  if (!allAllowed) {
+    // check owner with Control
+    const ldp = request.app.locals.ldp
+    if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve()
+
+    const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
+    const error = errors.filter(error => !!error)
+      .reduce((prevErr, err) => prevErr.status > err.status ? prevErr : err, { status: 0 })
+    return Promise.reject(error)
+  }
+  return Promise.resolve()
+}
+
 async function putStream (req, res, next, stream = req) {
   const ldp = req.app.locals.ldp
+  // try {
+  // Obtain details of the target resource
+  // const ldp = req.app.locals.ldp
+  // let path, contentType
+  let resourceExists = true
   try {
+    // First check if the file already exists
+    // ({ path, contentType } = await ldp.resourceMapper.mapUrlToFile({ url: req }))
+    await ldp.resourceMapper.mapUrlToFile({ url: req, createIfNotExists: true })
+  } catch (err) {
+    // await ldp.checkItemName(req)
+    resourceExists = false
+  }
+  try {
+    await checkPermission(req, resourceExists)
     debug('test ' + req.get('content-type') + getContentType(req.headers))
     await ldp.put(req, stream, getContentType(req.headers))
     debug('succeded putting the file/folder')
@@ -37,6 +76,22 @@ async function putStream (req, res, next, stream = req) {
   }
 }
 
+// TODO could be renamed as putResource (it now covers container and non-container)
+/* async function putStream (req, res, next, stream = req) {
+  const ldp = req.app.locals.ldp
+  try {
+    debug('test ' + req.get('content-type') + getContentType(req.headers))
+    await ldp.put(req, stream, getContentType(req.headers))
+    debug('succeded putting the file/folder')
+    res.sendStatus(201)
+    return next()
+  } catch (err) {
+    debug('error putting the file/folder:' + err.message)
+    err.message = 'Can\'t write file/folder: ' + err.message
+    return next(err)
+  }
+} */
+
 // needed to avoid breaking access with bad acl
 // or breaking containement triples for meta
 function putValidRdf (req, res, next) {
diff --git a/lib/ldp-middleware.js b/lib/ldp-middleware.js
@@ -25,7 +25,7 @@ function LdpMiddleware (corsSettings) {
   router.get('/*', index, allow('Read'), header.addPermissions, get)
   router.post('/*', allow('Append'), post)
   router.patch('/*', allow('Append'), patch)
-  router.put('/*', allow('Write'), put)
+  router.put('/*', allow('Append'), put)
   router.delete('/*', allow('Write'), del)
 
   return router
