Add XML processor to change database user when authenticated

Sandro Santilli 2012-09-03 14:54:23 +02:00
parent de24f55e20
commit 1c9f63c901
4 changed files with 13 additions and 38 deletions


@ -90,7 +90,7 @@ module.exports = function() {
that.getId(req, function(err, user_id) {
if (err) throw new Error(err);
var dbuser = _.template(global.settings.postgres.db_user, {user_id: user_id});
_.extend(req.params, {dbuser:dbuser});
_.extend(req, {dbuser:dbuser});
callback(err, true);
});
} else {
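Review bot: The new `_.extend(req, {dbuser:dbuser});` line moves the database user from req.params onto the request object itself, but nothing in the code records why the location matters. A comment such as `// keep dbuser off req.params so a client-supplied parameter can never populate it` would make the intent durable; the 'could inject dbuser' assertions in the test file suggest this is the motivation, though that is inferred. The enclosing function starts and ends outside the hunk.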


@ -27,45 +27,12 @@ var CartodbWindshaft = function(serverOptions) {
serverOptions.beforeStateChange = function(req, callback) {
var err = null;
if ( ! req.params.hasOwnProperty('dbuser') ) {
if ( ! req.hasOwnProperty('dbuser') ) {
err = new Error("map state cannot be changed by unauthenticated request!");
}
callback(err, req);
}
serverOptions.afterStyleChange = function(req, data, callback) {
if ( req.params.hasOwnProperty('dbuser') ) {
// also change the style of the anonim. request
var params = _.extend(req.params); // make a copy here
delete params.dbuser;
var style = req.body.style;
var that = this;
this.setStyle(params, style, function(err, data) {
if ( err ) callback(err, null);
else that.afterStateChange(req, data, callback);
});
} else {
callback(new Error("map style cannot be changed by unauthenticated request!"));
}
}
serverOptions.afterStyleDelete = function(req, data, callback) {
if ( req.params.hasOwnProperty('dbuser') ) {
// also change the style of the anonim. request
var params = _.extend(req.params); // make a copy here
delete params.dbuser;
var that = this;
this.delStyle(params, function(err, data) {
if ( err ) callback(err, null);
else that.afterStateChange(req, data, callback);
});
} else {
callback(new Error("map style cannot be deleted by unauthenticated request!"));
}
}
// boot
var ws = new Windshaft.Server(serverOptions);
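Review bot: The authentication predicate in beforeStateChange, `req.hasOwnProperty('dbuser')`, differs from the one the new processXML uses in the third file, `if ( req.dbuser )`, so a request whose dbuser property exists but is empty or falsy would be allowed to change map state while no user is substituted into the XML. Use the same test in both places, e.g. `if ( ! req.dbuser ) {` here, or `if ( req.hasOwnProperty('dbuser') )` there, so that "authenticated" means one thing. The enclosing CartodbWindshaft function starts and ends outside the hunk.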


@ -35,6 +35,14 @@ module.exports = function(){
// for cartodb, ensure interactivity is cartodb_id or user specified
req.params.interactivity = req.params.interactivity || 'cartodb_id';
req.params.processXML = function(req, xml, callback) {
if ( req.dbuser ) {
// Only edit XML when authenticated
xml = xml.replace(/(<Parameter name="user"><!\[CDATA\[)[^\]]*(]]><\/Parameter>)/, "$1" + req.dbuser + "$2");
}
callback(null, xml);
}
Step(
function getPrivacy(){
cartoData.authorize(req, this);


@ -21,7 +21,7 @@ suite('req2params', function() {
assert.ok(req.hasOwnProperty('params'), 'request has params');
assert.ok(req.params.hasOwnProperty('interactivity'), 'request params have interactivity');
assert.ok(_.isNull(req.params.dbname), 'could forge dbname');
assert.ok(!req.params.hasOwnProperty('dbuser'), 'could inject dbuser ('+req.params.dbuser+')');
assert.ok(!req.hasOwnProperty('dbuser'), 'could inject dbuser ('+req.params.dbuser+')');
done();
});
});
@ -53,11 +53,11 @@ suite('req2params', function() {
// database_name for user "vizzuality" (see test/support/prepare_db.sh)
assert.equal(req.params.dbname, 'cartodb_test_user_1_db');
// id for user "vizzuality" (see test/support/prepare_db.sh)
assert.equal(req.params.dbuser, 'test_cartodb_user_1');
assert.equal(req.dbuser, 'test_cartodb_user_1');
opts.req2params({headers: { host:'vizzuality' }, query: {map_key: '1235'} }, function(err, req) {
// wrong key resets params to no user
assert.ok(!req.params.hasOwnProperty('dbuser'), 'could inject dbuser ('+req.params.dbuser+')');
assert.ok(!req.hasOwnProperty('dbuser'), 'could inject dbuser ('+req.params.dbuser+')');
done();
});
});
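Review bot: In the first hunk of this file the assertion now checks `req.hasOwnProperty('dbuser')` but its failure message still prints `req.params.dbuser`, which is no longer where the value lives, so a failing run would report `undefined` instead of the injected value; the same stale reference appears in the second hunk. Change both messages to `'could inject dbuser ('+req.dbuser+')'`. The enclosing suite callbacks start and end outside the hunks.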