Logic in patch-handler required use of throw

Author: megoth

lib/acl-checker.js

@@ -47,20 +47,13 @@ class ACLChecker {
     // aclCheck.checkAccess(acl.graph, this.resource)
 
     // Check the resource's permissions
-<<<<<<< 2740f8873bfe7d7edcf0c2c31f927a106dc0abc7
-    this.acl = this.acl || await this.getNearestACL().catch(err => {
-      throw new HTTPError(500, `Found no ACL file:\n${err}`)
+    const acl = await this.getNearestACL().catch(err => {
+      this.messagesCached[cacheKey].push(new HTTPError(err.status || 500, err.message || err))
     })
-=======
-    const acl = await this.getNearestACL()
-      .catch(err => {
-        this.messagesCached[cacheKey].push(new HTTPError(500, err))
-      })
     if (!acl) {
       this.aclCached[cacheKey] = Promise.resolve(false)
       return this.aclCached[cacheKey]
     }
->>>>>>> Trying another approach to acl.can
     // console.log('TEST', this.acl)
     const resource = rdf.sym(this.resource)
     // const directory = acl.isContainer ? this.resource : null
@@ -75,24 +68,17 @@ class ACLChecker {
     const agentOrigin = this.agentOrigin ? rdf.sym(this.agentOrigin) : null
     const trustedOrigins = this.trustedOrigins ? this.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null
     const accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins)
-    console.log('BAR', accessDenied)
     if (accessDenied && user) {
-<<<<<<< 2740f8873bfe7d7edcf0c2c31f927a106dc0abc7
-      throw new HTTPError(403, accessDenied)
-    } else if (accessDenied) {
-      throw new HTTPError(401, 'Unauthenticated')
-=======
-      this.messagesCached[cacheKey].push(new HTTPError(403, `Access to ${this.resource} denied for ${user}: ${accessDenied}`))
+      this.messagesCached[cacheKey].push(new HTTPError(403, `No permission: Access to ${this.resource} denied for ${user}: ${accessDenied}`))
     } else if (accessDenied) {
       this.messagesCached[cacheKey].push(new HTTPError(401, `Access to ${this.resource} requires authorization: ${accessDenied}`))
->>>>>>> Trying another approach to acl.can
     }
     console.log('ACCESS ALLOWED', !accessDenied, user, '\n\n')
     this.aclCached[cacheKey] = Promise.resolve(!accessDenied)
-    return this.aclCached
+    return this.aclCached[cacheKey]
   }
 
-  async getError (mode, user) {
+  async getError (user, mode) {
     const cacheKey = `${mode}-${user}`
     this.aclCached[cacheKey] = this.aclCached[cacheKey] || this.can(user, mode)
     const isAllowed = await this.aclCached[cacheKey]
@@ -123,26 +109,6 @@ class ACLChecker {
     // let directory = null
     // Create a cascade of reject handlers (one for each possible ACL)
     const possibleACLs = this.getPossibleACLs()
-<<<<<<< 2740f8873bfe7d7edcf0c2c31f927a106dc0abc7
-    const nearestACL = possibleACLs.reduce((prevACL, acl) => {
-      return prevACL.catch(() => new Promise((resolve, reject) => {
-        this.fetch(acl, (err, graph) => {
-          if (err && err.code !== 'ENOENT') {
-            isContainer = true
-            reject(err)
-          } else {
-            if (resource.endsWith('/' + this.suffix)) {
-              isContainer = true
-            }
-            const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
-            debug(`Using ACL ${acl} for ${relative}`)
-            resolve({ acl, graph, isContainer })
-          }
-        })
-      }))
-    }, Promise.reject())
-    return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
-=======
     const acls = [...possibleACLs]
     let returnAcl = null
     while (possibleACLs.length > 0 && !returnAcl) {
@@ -153,18 +119,18 @@ class ACLChecker {
         debug(`Using ACL ${acl} for ${relative}`)
         returnAcl = { acl, graph, isContainer }
       } catch (err) {
-        if (err && err.code === 'ENOENT') {
+        if (err && (err.code === 'ENOENT' || err.status === 404)) {
           isContainer = true
-          return
+          continue
         } else if (err) {
-          console.error('ERROR IN getNearestACL', err)
+          console.error('ERROR IN getNearestACL', err.code, err)
           debug(err)
           throw err
         }
       }
     }
     if (!returnAcl) {
-      throw new Error(`No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
+      throw new HTTPError(403, `No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
     }
     return returnAcl
     // const nearestACL = possibleACLs.reduce((prevACL, acl) => {
@@ -182,7 +148,6 @@ class ACLChecker {
     //   }))
     // }, Promise.reject())
     // return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
->>>>>>> Trying another approach to acl.can
   }
 
 // Gets all possible ACL paths that apply to the resource

lib/handlers/allow.js

@@ -55,7 +55,7 @@ function allow (mode) {
     if (isAllowed) {
       return next()
     }
-    const error = await req.acl.getError(mode, userId)
+    const error = await req.acl.getError(userId, mode)
     console.log('ERROR', error)
     debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     res.status(error.status).send(error.message)

lib/handlers/patch.js

@@ -74,19 +74,20 @@ async function patchHandler (req, res, next) {
 function handler (req, res, next) {
   readEntity(req, res, () => patchHandler(req, res, next))
 }
+
 const readEntity = bodyParser.text({ type: () => true })
 
 // Reads the RDF graph in the given resource
 function readGraph (resource) {
   // Read the resource's file
   return new Promise((resolve, reject) =>
-    fs.readFile(resource.path, {encoding: 'utf8'}, function (err, fileContents) {
+    fs.readFile(resource.path, { encoding: 'utf8' }, function (err, fileContents) {
       if (err) {
         // If the file does not exist, assume empty contents
         // (it will be created after a successful patch)
         if (err.code === 'ENOENT') {
           fileContents = ''
-        // Fail on all other errors
+          // Fail on all other errors
         } else {
           return reject(error(500, `Original file read error: ${err}`))
         }
@@ -109,27 +110,38 @@ function readGraph (resource) {
   })
 }
 
+
 // Verifies whether the user is allowed to perform the patch on the target
-function checkPermission (request, patchObject) {
+async function checkPermission (request, patchObject) {
   // If no ACL object was passed down, assume permissions are okay.
   if (!request.acl) return Promise.resolve(patchObject)
   // At this point, we already assume append access,
   // as this can be checked upfront before parsing the patch.
   // Now that we know the details of the patch,
   // we might need to perform additional checks.
-  let checks = []
+  let modes = []
   const { acl, session: { userId } } = request
   // Read access is required for DELETE and WHERE.
   // If we would allows users without read access,
   // they could use DELETE or WHERE to trigger 200 or 409,
   // and thereby guess the existence of certain triples.
   // DELETE additionally requires write access.
   if (patchObject.delete) {
-    checks = [acl.can(userId, 'Read'), acl.can(userId, 'Write')]
+    modes = ['Read', 'Write']
+    // checks = [acl.can(userId, 'Read'), acl.can(userId, 'Write')]
   } else if (patchObject.where) {
-    checks = [acl.can(userId, 'Read')]
+    modes = ['Read']
+    // checks = [acl.can(userId, 'Read')]
+  }
+  const allowed = await Promise.all(modes.map(mode => acl.can(userId, mode)))
+  const allAllowed = allowed.reduce((memo, allowed) => memo && allowed, true)
+  if (!allAllowed) {
+    const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
+    const error = errors.filter(error => !!error)
+      .reduce((prevErr, err) => prevErr.status > err.status ? prevErr : err, { status: 0 })
+    throw error
   }
-  return Promise.all(checks).then(() => patchObject)
+  return Promise.resolve(patchObject)
 }
 
 // Applies the patch to the RDF graph
@@ -161,7 +173,7 @@ function writeGraph (graph, resource, root, serverUri) {
           'User has exceeded their storage quota'))
       }
 
-      fs.writeFile(resource.path, serialized, {encoding: 'utf8'}, function (err) {
+      fs.writeFile(resource.path, serialized, { encoding: 'utf8' }, function (err) {
         if (err) {
           return reject(error(500, `Failed to write file after patch: ${err}`))
         }

lib/header.js

@@ -110,27 +110,25 @@ function parseMetadataFromHeader (linkHeader) {
 }
 
 // Adds a header that describes the user's permissions
-function addPermissions (req, res, next) {
+async function addPermissions (req, res, next) {
   const { acl, session } = req
   if (!acl) return next()
 
   // Turn permissions for the public and the user into a header
   const resource = req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, req.path)
-  Promise.all([
+  const [publicPerms, userPerms] = await Promise.all([
     getPermissionsFor(acl, null, req),
     getPermissionsFor(acl, session.userId, req)
   ])
-  .then(([publicPerms, userPerms]) => {
-    debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
-    debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
-    res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)
-  })
-  .then(next, next)
+  debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
+  debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
+  res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)
+  next()
 }
 
 // Gets the permissions string for the given user and resource
-function getPermissionsFor (acl, user, req) {
+async function getPermissionsFor (acl, user, req) {
   const accesses = MODES.map(mode => acl.can(user, mode))
-  return Promise.all(accesses)
-    .then(allowed => PERMISSIONS.filter((_, i) => allowed[i]).join(' '))
+  const allowed = await Promise.all(accesses)
+  return PERMISSIONS.filter((mode, i) => allowed[i]).join(' ')
 }