dcycle / starterkit-node


In node.js, make it possible for different users to have different sets of permissions #38

Closed alberto56 closed 1 month ago

alberto56 commented 1 month ago

To start, get the latest master branch of https://github.com/dcycle/starterkit-node

Run ./scripts/deploy.sh

You will see at the end of the deploy script something like:

username: admin
password: 6CVR16mbSqP9pmgtvBx8yK3EuCcHwebk
=>
=> Your node app is at: http://0.0.0.0:8428
=> Log in with the username and password above.
=>

That is your admin user (the password will be different).

To create another user you can run:

./scripts/reset-password.sh another-user

You will now see:

username: another-user
password: x9atlcd6d+wrxY/mpJm5z9P3XdVM6BUE

Go to http://0.0.0.0:8428 on one browser and log in as admin

Go to http://0.0.0.0:8428 on another browser and log in as another-user

Confirm you see the Send Message page on both browsers.

On one browser, fill in the form. In Name, put "Hello". In "Your message here", put "This is a message".

Confirm you see the message on both windows.

In the other window, you can write another message, and see it appear in real time in both windows.

Your task

Start by reading and understanding the README of https://github.com/dcycle/starterkit-node, and playing around with the code.

For now, all users (in this example admin and another-user) can do everything on the site.

In ./app/code, we have a number of "modules" in the site, each of which has dependencies, and you can call actions on them. Understand how this works.

For example, the "authentication" module has a function to add fields to users, like this:

./scripts/node-cli.sh

await app.c('authentication')
  .addNonUniqueFieldToUser('admin', 'hello', 'world');

I want to be able to do the following:

First, I'd like to add the following files to the ./app/private/ directory:

+ app
  + private
    + restricted-by-permission
      + permission-xyz
        + access
          + index.html
          + style.css
        + no-access
          + index.html

I'd like you to create a new module named "restricted by permission" which does the following:

Then, I'd like users to not have access to these files by default.

If user "admin" or user "another-user" visits http://0.0.0.0:8428/restricted-by-permission/permission-xyz/whatever.html or http://0.0.0.0:8428/restricted-by-permission/permission-xyz/index.html, they should get the contents of ./app/private/restricted-by-permission/permission-xyz/no-access/index.html with a response code 403.

If we add the permission "view-content-permission-xyz", like this:

await app.c('authentication')
  .addNonUniqueFieldToUser('admin', 'view-content-permission-xyz', '1');

Then, if as user "admin", we visit http://0.0.0.0:8428/restricted-by-permission/permission-xyz/index.html or http://0.0.0.0:8428/restricted-by-permission/permission-xyz/style.css, we should see the contents of ./app/private/restricted-by-permission/permission-xyz/access/index.html or ./app/private/restricted-by-permission/permission-xyz/access/style.css with a response code 200.