Raise 403 forbidden on missing requested signature

Closes #170 Includes testcase
2014-03-03 18:06:39 +01:00 · 2014-03-03 18:06:39 +01:00 · 40a254922a
commit 40a254922a
parent 7bc5bab432
3 changed files with 43 additions and 10 deletions
--- a/NEWS.md
+++ b/NEWS.md
@ -4,6 +4,8 @@
 Enhancements:

 - Set statsd prefix for all endpoints 
+ - Raise 403 forbidden on attempt to access map tiles waiving
+   signature of someone who had not left any (#170)

 1.8.4 -- 2014-03-03
 -------------------
--- a/lib/cartodb/server_options.js
+++ b/lib/cartodb/server_options.js
@ -640,12 +640,25 @@ module.exports = function(){
                }

                if ( ! signed_by ) {
-                  // request not authorized by signer,
-                  // continue to check table privacy,
-                  // if table was given
+                  // request not authorized by signer.
+  
+                  // if table was given, continue to check table privacy
                  if ( req.params.table ) return null;
-                  // otherwise return no authorization
-                  callback(err, null);
+
+                  // if no signer name was given, let dbparams and
+                  // PostgreSQL do the rest.
+                  // 
+                  if ( ! req.params.signer ) {
+                    callback(null, true); // authorized so far
+                    return;
+                  }
+
+                  // if signer name was given, return no authorization
+                  err = new Error("No authorization left by '"
+                                  + req.params.signer + "' on map '"
+                                  + req.params.token + "'");
+                  err.http_status = 403;
+                  callback(err);
                  return;
                }

@ -667,7 +680,7 @@ module.exports = function(){
            },
            function(err, privacy){
                if (req.profiler) req.profiler.done('getTablePrivacy');
-                callback(err, privacy);
+                callback(err, privacy !== "0");
            }
        );
    };
@ -754,13 +767,13 @@ module.exports = function(){
            function getPrivacy(){
                me.authorize(req, this);
            },
-            function gatekeep(err, data){
+            function gatekeep(err, authorized){
                if (req.profiler) req.profiler.done('authorize');
                if(err) throw err;
-                if(data === "0") throw new Error("Sorry, you are unauthorized (permission denied)");
-                return data;
+                if(!authorized) throw new Error("Sorry, you are unauthorized (permission denied)");
+                return null;
            },
-            function getDatabase(err, data){
+            function getDatabase(err){
                if(err) throw err;
                that.setDBConn(user, req.params, this);
            },
--- a/test/acceptance/multilayer.js
+++ b/test/acceptance/multilayer.js
@ -127,6 +127,24 @@ suite('multilayer', function() {
              });
          });
        },
+        // See https://github.com/CartoDB/Windshaft-cartodb/issues/170
+        function do_get_tile_nosignature(err)
+        {
+          if ( err ) throw err;
+          var next = this;
+          assert.response(server, {
+              url: '/tiles/layergroup/localhost@' + expected_token + ':cb0/0/0/0.png',
+              method: 'GET',
+              headers: {host: 'localhost' },
+              encoding: 'binary'
+          }, {}, function(res) {
+              assert.equal(res.statusCode, 403, res.statusCode + ':' + res.body);
+              var parsed = JSON.parse(res.body);
+              var msg = parsed.error; // TODO: should it be "errors" ?
+              assert.ok(msg.match(/no authorization left/i), msg);
+              next(err);
+          });
+        },
        function do_get_grid_layer0(err)
        {
          if ( err ) throw err;