fixed bugs in securityCheck and test implemented into createWork

This commit is contained in:
Yaman Qalieh 2016-10-26 21:52:47 -04:00
parent 2029b49a12
commit fc57be9d93


@ -124,38 +124,42 @@ Security.permit(['insert', 'update', 'remove']).collections([schools, classes, w
var errors = [ var errors = [
["unauthorized", "Sorry, you are not authorized to complete this action."], ["unauthorized", "Sorry, you are not authorized to complete this action."], // 0
["unauthorized", "You have too many unverified classes right now. Try again later."], ["unauthorized", "You have too many unverified classes right now. Try again later."],
["matching", "The school you have requested does not exist."], ["matching", "The school you have requested does not exist."],
["matching", "This teacher is already teaching a class elsewhere!"], ["matching", "This teacher is already teaching a class elsewhere!"],
["unauthorized", "You are not an administrator of this class."], ["unauthorized", "You are not an administrator of this class."],
["matching", "This class does not exist."], ["matching", "This class does not exist."], // 5
["matching", "This user does not exist"], ["matching", "This user does not exist"],
["matching", "This user is banned from this class"], ["matching", "This user is banned from this class"],
["matching", "This user is not enrolled in the class"], ["matching", "This user is not enrolled in the class"],
["trivial", "The past is in the past! Let it go!"], ["trivial", "The past is in the past! Let it go!"],
["trivial", "This name is too long"], ["trivial", "This name is too long"], // 10
["trivial", "This description is too long"], ["trivial", "This description is too long"],
["unauthorized", "You are not the creator of this work."], ["unauthorized", "You are not the creator of this work."],
["trivial", "This comment is too long."], ["trivial", "This comment is too long."],
["unauthorized", "Incorrect code, try again."], ["unauthorized", "Incorrect code, try again."],
["trivial", "You are already enrolled in this class."], ["trivial", "You are already enrolled in this class."], // 15
["trivial", "This request is too long."], ["trivial", "This request is too long."],
["trivial", "Not a valid work type"],
["other", "Error could not be processed"] ["other", "Error could not be processed"]
]; ];
function securityCheck(checklist, input) { function securityCheck(checklist, input) {
var error = -1; var error;
var results = []; var results = [];
for(var checkpoint = 0; checkpoint < checklist.length - 1; checklist++) { for(var i = 0; i < checklist.length - 1; i++) {
var checkpoint = checklist[i];
error = 0;
if (Array.isArray(checkpoint)) { if (Array.isArray(checkpoint)) {
results.push(securityCheck(checkpoint, input)); var arrayresult = securityCheck(checkpoint, input);
results.push(arrayresult);
continue; continue;
} }
switch (checkpoint) { switch (checkpoint) {
// Superadmin // Superadmin
case 0: case -1:
if (!Roles.userIsInRole(Meteor.userId(), ['superadmin'])) error = 0; if (!Roles.userIsInRole(Meteor.userId(), ['superadmin'])) error = 0;
break; break;
// Any admin // Any admin
@ -179,14 +183,6 @@ function securityCheck(checklist, input) {
case 5: case 5:
if (input.admin !== Meteor.userId) error = 4; if (input.admin !== Meteor.userId) error = 4;
break; break;
// Class existence
case 6:
if (!input) error = 5;
break;
// User existence
case 7:
if (!input) error = 6;
break;
// Not banned // Not banned
case 8: case 8:
if (_.contains(input.banned, input.userId)) error = 7; if (_.contains(input.banned, input.userId)) error = 7;
@ -200,42 +196,55 @@ function securityCheck(checklist, input) {
var ref = new Date(); var ref = new Date();
ref.setHours(0, 0, 0, 0); ref.setHours(0, 0, 0, 0);
ref = ref.getTime(); ref = ref.getTime();
if (ref > input.dueDate.getTime()) error = 9; if (!(input.dueDate instanceof Date) || ref > input.dueDate.getTime()) error = 9;
break; break;
// Name too long
case 11: case 11:
if (input.name > 50) error = 10; if (input.name > 50) error = 10;
break; break;
// Description too long
case 12: case 12:
if (input.description > 150) error = 11; if (input.description > 150) error = 11;
break; break;
// Moderator or admin
case 13: case 13:
if (!_.contains(input.moderators.concat(input.admin)), Meteor.userId()) error = 4; if (!_.contains(input.moderators.concat(input.admin)), Meteor.userId()) error = 4;
break; break;
// Creator of work
case 14: case 14:
if (Meteor.userId() !== input.creator) error = 12; if (Meteor.userId() !== input.creator) error = 12;
break; break;
// Comment too long
case 15: case 15:
if (input.comment > 200) error = 13; if (input.comment > 200) error = 13;
break; break;
// Private class
case 16: case 16:
if (input.class !== Meteor.userId()) error = errors.length - 1; if (input.class !== Meteor.userId()) error = errors.length - 1;
break; break;
// Code is wrong
case 17: case 17:
if (input.code !== pass && input.privacy) error = 14; if (input.code !== pass && input.privacy) error = 14;
break; break;
// Check if user is already enrolled
case 18: case 18:
if (_.contains(input.classes, input.classId)) error = 15; if (_.contains(input.classes, input.classId)) error = 15;
break; break;
// Request too long
case 19: case 19:
if (input.content.length > 500) error = 16; if (input.content.length > 500) error = 16;
break; break;
// Is valid work type
case 20:
if (!_.contains(worktype, input.type)) error = 17;
break;
} }
results.push(error); results.push(error);
} }
error = results.find(function(result){return result >= 0;}); error = results.find(function(result){return result !== 0;});
if (checklist[checklist.length - 1] && error !== undefined) return error; if (checklist[checklist.length - 1] && error !== undefined) return error;
else if (results.find(function(result){return result === -1;}) === undefined) return results[0]; else if (results.find(function(result){return result === 0;}) === undefined) return results[0];
else return -1; else return 0;
} }
Meteor.methods({ Meteor.methods({
@ -439,23 +448,15 @@ Meteor.methods({
// Work Functions // Work Functions
'createWork': function(input) { 'createWork': function(input) {
var ref = new Date();
ref.setHours(0, 0, 0, 0);
ref = ref.getTime();
input.creator = Meteor.userId(); input.creator = Meteor.userId();
work.schema.validate(input); work.schema.validate(input);
var found = classes.findOne({ var found = classes.findOne({
_id: input.class _id: input.class
}); });
var security = securityCheck([[[8, 9, true], 16, false], 10, 20, 11, 12, true],
if (Meteor.user() && Object.assign(found || {}, input, {userId: Meteor.userId()}));
((found && _.contains(Meteor.user().profile.classes, input.class) && console.log(security);
!_.contains(found.banned, Meteor.userId())) || if (!security) {
(Meteor.userId() === input.class)) &&
input.dueDate instanceof Date && input.dueDate.getTime() >= ref &&
_.contains(worktype, input.type) &&
input.name.length <= 50 && input.description.length <= 150) {
input.confirmations = [Meteor.userId()]; input.confirmations = [Meteor.userId()];
input.reports = []; input.reports = [];
input.done = []; input.done = [];
@ -463,7 +464,7 @@ Meteor.methods({
input.comments = []; input.comments = [];
work.insert(input); work.insert(input);
} else { } else {
throw new Meteor.Error("unauthorized", "You are not authorized to complete this action."); throw new Meteor.Error(errors[security]);
} }
}, },
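Review bot: In securityCheck, `case -1` assigns `error = 0` when the caller is not a superadmin, but after this commit 0 is the "passed" value (error is reset to 0 at the top of every iteration and createWork treats `!security` as success), so the superadmin checkpoint can no longer fail and `errors[0]` is unreachable. Use a sentinel that is not a valid index — e.g. `error = null;` per iteration with `result !== null` / `result === null` in the two `find` calls and `return null;` for pass (`!security` still works) — or move the unauthorized message out of slot 0. In createWork the explicit `input.name.length <= 50 && input.description.length <= 150` guard was replaced by checkpoints 11 and 12, which compare the string itself (`input.name > 50`) rather than its length and therefore never fire; cases 11, 12 and 15 should read `if (input.name.length > 50) error = 10;` and likewise for description and comment. `throw new Meteor.Error(errors[security])` passes the `[type, message]` pair as one argument; it should be `throw new Meteor.Error(errors[security][0], errors[security][1]);`, and the `console.log(security)` debug line should go. `Object.assign(found || {}, input, …)` mutates `found` in place and, if the work schema does not reject unknown keys, lets a request key such as `banned` shadow the class field read by checkpoint 8 — worth confirming against the schema; the enclosing Meteor.methods object starts and ends outside the shown hunks.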