From 3b92226bab160f5703d9bae85c27a6fd39e5fb89 Mon Sep 17 00:00:00 2001
From: Philip Molares <philip.molares@udo.edu>
Date: Sun, 21 Nov 2021 17:18:23 +0100
Subject: [PATCH] feat: create permissions guard

This guard protects resources and let's users only access them if they hold the correct permission

Signed-off-by: Philip Molares <philip.molares@udo.edu>
---
 src/api/utils/permissions.guard.ts | 66 ++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 src/api/utils/permissions.guard.ts

diff --git a/src/api/utils/permissions.guard.ts b/src/api/utils/permissions.guard.ts
new file mode 100644
index 000000000..5206f1c48
--- /dev/null
+++ b/src/api/utils/permissions.guard.ts
@@ -0,0 +1,66 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Request } from 'express';
+
+import { ConsoleLoggerService } from '../../logger/console-logger.service';
+import { NotesService } from '../../notes/notes.service';
+import { Permission } from '../../permissions/permissions.enum';
+import { PermissionsService } from '../../permissions/permissions.service';
+import { User } from '../../users/user.entity';
+import { getNote } from './get-note.pipe';
+
+/**
+ * This guards controller methods from access, if the user has not the appropriate permissions.
+ * The permissions are set via the {@link Permissions} decorator in addition to this guard.
+ */
+@Injectable()
+export class PermissionsGuard implements CanActivate {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private reflector: Reflector,
+    private permissionsService: PermissionsService,
+    private noteService: NotesService,
+  ) {
+    this.logger.setContext(PermissionsGuard.name);
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const permissions = this.reflector.get<Permission[]>(
+      'permissions',
+      context.getHandler(),
+    );
+    // If no permissions are set this is probably an error and this guard should not let the request pass
+    if (!permissions) {
+      this.logger.error(
+        'Could not find permission metadata. This should never happen. If you see this, please open an issue at https://github.com/hedgedoc/hedgedoc/issues',
+      );
+      return false;
+    }
+    const request: Request & { user: User } = context
+      .switchToHttp()
+      .getRequest();
+    const user = request.user;
+    // handle CREATE permissions, as this does not need any note
+    if (permissions[0] === Permission.CREATE) {
+      return this.permissionsService.mayCreate(user);
+    }
+    // Get the note from the parameter noteIdOrAlias
+    // Attention: This gets the note an additional time if used in conjunction with GetNotePipe
+    const noteIdOrAlias = request.params['noteIdOrAlias'];
+    const note = await getNote(this.noteService, noteIdOrAlias);
+    switch (permissions[0]) {
+      case Permission.READ:
+        return this.permissionsService.mayRead(user, note);
+      case Permission.WRITE:
+        return this.permissionsService.mayWrite(user, note);
+      case Permission.OWNER:
+        return this.permissionsService.isOwner(user, note);
+    }
+    return false;
+  }
+}