From 0c5fa597e8c8325ec77a1061fae65497cea57f7b Mon Sep 17 00:00:00 2001
From: mntmn <lukas@mntmn.com>
Date: Tue, 2 Jun 2020 20:47:58 +0200
Subject: [PATCH] Allow embedding of folders and access to folders to anonymous
 editors with edit_hash/spaceAuth links (#63)

* add subspaces to be listed with edit_hash/spaceAuth authorization

* remove dead code from api_helpers.js

* add edit_hash authorization for requested space thumbnails

* handle /s/:hash links in frontend router

* set space_auth via a function, allow passing it to load_space

* rename variable in /s/:hash router in backend

* hide search, profile, breadcrumb in folders if not logged in, construct links to subspaces differently for anonymous editors
---
 middlewares/api_helpers.js               | 24 --------
 public/javascripts/backend.js            |  8 +--
 public/javascripts/spacedeck_routes.js   | 15 +++++
 public/javascripts/spacedeck_sections.js |  7 ++-
 public/javascripts/spacedeck_spaces.js   | 10 +++-
 routes/api/spaces.js                     | 76 ++++++++++++++----------
 routes/root.js                           | 12 ++--
 views/partials/folders.html              | 30 +++++-----
 8 files changed, 99 insertions(+), 83 deletions(-)

diff --git a/middlewares/api_helpers.js b/middlewares/api_helpers.js
index 893f35f..551c7c8 100644
--- a/middlewares/api_helpers.js
+++ b/middlewares/api_helpers.js
@@ -4,27 +4,6 @@ require('../models/db');
 var config = require('config');
 const redis = require('../helpers/redis');
 
-// FIXME TODO object.toJSON()
-
-var saveAction = (actionKey, object) => {
-  if (object.constructor.modelName == "Space")
-    return;
-
-  let attr = {
-    action: actionKey,
-    space: object.space_id || object.space,
-    user: object.user_id || object.user,
-    editor_name: object.editor_name,
-    object: object
-  };
-
-  /*let action = new Action(attr);
-  action.save(function(err) {
-    if (err)
-      console.error("saved create action err:", err);
-  });*/
-};
-
 module.exports = (req, res, next) => {
   res.header("Cache-Control", "no-cache");
 
@@ -36,21 +15,18 @@ module.exports = (req, res, next) => {
     if (!object) return;
     redis.sendMessage("create", model, object, req.channelId);
     this.status(201).json(object);
-    saveAction("create", object);
   };
 
   res['distributeUpdate'] = function(model, object) {
     if (!object) return;
     redis.sendMessage("update", model, object, req.channelId);
     this.status(200).json(object);
-    saveAction("update", object);
   };
 
   res['distributeDelete'] = function(model, object) {
     if (!object) return;
     redis.sendMessage("delete", model, object, req.channelId);
     this.sendStatus(204);
-    saveAction("delete", object);
   };
 
   next();
diff --git a/public/javascripts/backend.js b/public/javascripts/backend.js
index b57acae..552f3e6 100644
--- a/public/javascripts/backend.js
+++ b/public/javascripts/backend.js
@@ -6,6 +6,10 @@ var websocket = null;
 var channel_id = null;
 var space_auth = null;
 
+function set_space_auth(hash) {
+  space_auth = hash;
+}
+
 function load_resource(method, path, data, on_success, on_error, on_progress) {
   var req = new XMLHttpRequest();
   req.onload = function(evt,b,c) {
@@ -44,18 +48,14 @@ function load_resource(method, path, data, on_success, on_error, on_progress) {
   }
 
   req.withCredentials = true;
-
   req.open(method, api_endpoint+"/api"+path, true);
 
   if (api_token) {
     req.setRequestHeader("X-Spacedeck-Auth", api_token);
   }
-
   if (space_auth) {
-    console.log("set space auth", space_auth);
     req.setRequestHeader("X-Spacedeck-Space-Auth", space_auth);
   }
-
   if (channel_id) {
     req.setRequestHeader("X-Spacedeck-Channel", channel_id);
   }
diff --git a/public/javascripts/spacedeck_routes.js b/public/javascripts/spacedeck_routes.js
index 9d9b382..8e4fd4a 100644
--- a/public/javascripts/spacedeck_routes.js
+++ b/public/javascripts/spacedeck_routes.js
@@ -17,6 +17,21 @@ var SpacedeckRoutes = {
           }.bind(this)
         }
       ]);
+      
+      this.router.add([
+        {
+          path: "/s/:hash",
+          handler: function(params, on_success) {
+            var parts = params.hash.split("-");
+            if (path.length > 0) {
+              this.load_space(parts.slice(1).join("-"), on_success, null, parts[0]);
+            } else {
+              // FIXME error handling
+              on_success();
+            }
+          }.bind(this)
+        }
+      ]);
 
       this.router.add([
         {
diff --git a/public/javascripts/spacedeck_sections.js b/public/javascripts/spacedeck_sections.js
index 7a9fb70..df5daa8 100644
--- a/public/javascripts/spacedeck_sections.js
+++ b/public/javascripts/spacedeck_sections.js
@@ -405,7 +405,12 @@ var SpacedeckSections = {
       }
       if (space.space_type == "folder") return "";
 
-      return "background-image:url('/api/spaces/"+space._id+"/png')";
+      var query_string = "";
+      if (space_auth) {
+        query_string+="?spaceAuth="+space.edit_hash;
+      }
+
+      return "background-image:url('/api/spaces/"+space._id+"/png"+query_string+"')";
     },
 
     reset_artifact_filters: function() {
diff --git a/public/javascripts/spacedeck_spaces.js b/public/javascripts/spacedeck_spaces.js
index aee3217..f802efa 100644
--- a/public/javascripts/spacedeck_spaces.js
+++ b/public/javascripts/spacedeck_spaces.js
@@ -99,12 +99,16 @@ var SpacedeckSpaces = {
       }.bind(this), {value: dft || "Guest "+parseInt(10000*Math.random()), ok: __("ok"), cancel: __("cancel")});
     },
     
-    load_space: function(space_id, on_success, on_error) {
+    load_space: function(space_id, on_success, on_error, space_auth) {
       this.folder_spaces_filter="";
       this.folder_spaces_search="";
 
-      space_auth = get_query_param("spaceAuth");
-
+      if (space_auth) {
+        set_space_auth(space_auth);
+      } else {
+        set_space_auth(get_query_param("spaceAuth"));
+      }
+      
       this.embedded = !!(get_query_param("embedded"));
 
       var userReady = function() {
diff --git a/routes/api/spaces.js b/routes/api/spaces.js
index a74c22d..a8b3a38 100644
--- a/routes/api/spaces.js
+++ b/routes/api/spaces.js
@@ -42,7 +42,52 @@ var spaceMapping = {
   thumbnail_url: 1
 };
 
+function listSpacesInFolder(req, res, parent_space_id) {
+  db.Space
+    .findOne({where: {
+      _id: parent_space_id
+    }})
+    .then(function(space) {
+      if (space) {
+        function spacesForRole(role) {
+          if (role == "none") {
+            if (space.access_mode == "public") {
+              role = "viewer";
+            }
+          }
+          if (role != "none") {
+            db.Space
+              .findAll({where:{
+                parent_space_id: parent_space_id
+              }, include:[db.CreatorSafeInclude(db)]})
+              .then(function(spaces) {
+                res.status(200).json(spaces);
+              });
+          } else {
+            res.status(403).json({"error": "not authorized"});
+          }
+        }
+
+        if (req["spaceAuth"] && space.edit_hash) {
+          // TODO could be editor, too
+          spacesForRole("none");
+        } else {
+          db.getUserRoleInSpace(space, req.user, spacesForRole);
+        }
+      } else {
+        res.status(404).json({"error": "space not found"});
+      }
+    });
+}
+
 router.get('/', function(req, res, next) {
+  
+  if (req.query.parent_space_id && req["spaceAuth"]) {
+    // list subspaces of a space authorized anonymously
+    listSpacesInFolder(req, res, req.query.parent_space_id);
+    return;
+  }
+  
   if (!req.user) {
     res.status(403).json({
       error: "auth required"
@@ -83,36 +128,7 @@ router.get('/', function(req, res, next) {
     } else if (req.query.parent_space_id && req.query.parent_space_id != req.user.home_folder_id) {
       // list spaces in a folder
       
-      db.Space
-        .findOne({where: {
-          _id: req.query.parent_space_id
-        }})
-        .then(function(space) {
-          if (space) {
-            db.getUserRoleInSpace(space, req.user, function(role) {
-              if (role == "none") {
-                if (space.access_mode == "public") {
-                  role = "viewer";
-                }
-              }
-
-              if (role != "none") {
-                db.Space
-                  .findAll({where:{
-                    parent_space_id: req.query.parent_space_id
-                  }, include:[db.CreatorSafeInclude(db)]})
-                  .then(function(spaces) {
-                    res.status(200).json(spaces);
-                  });
-              } else {
-                res.status(403).json({"error": "no authorized"});
-              }
-            });
-          } else {
-            res.status(404).json({"error": "space not found"});
-          }
-        });
-
+      listSpacesInFolder(req, res, req.query.parent_space_id);
     } else {
       // list home folder and spaces/folders that the user is a member of
       
diff --git a/routes/root.js b/routes/root.js
index 4c6deb4..1f736c2 100644
--- a/routes/root.js
+++ b/routes/root.js
@@ -115,16 +115,16 @@ router.get('/t/:id', (req, res) => {
   res.redirect(path);
 });
 
-router.get('/s/:token', (req, res) => {
-  var token = req.params.token; 
-  if (token.split("-").length > 0) {
-    token = token.split("-")[0];
+router.get('/s/:hash', (req, res) => {
+  var hash = req.params.hash;
+  if (hash.split("-").length > 0) {
+    hash = hash.split("-")[0];
   }
 
-  db.Space.findOne({where: {"edit_hash": token}}).then(function (space) {
+  db.Space.findOne({where: {"edit_hash": hash}}).then(function (space) {
     if (space) {
       if (req.accepts('text/html')){
-	      res.redirect("/spaces/"+space._id + "?spaceAuth=" + token);
+	      res.redirect("/spaces/"+space._id + "?spaceAuth=" + hash);
       } else {
 	      res.status(200).json(space);
       }
diff --git a/views/partials/folders.html b/views/partials/folders.html
index 329a91a..e911aff 100644
--- a/views/partials/folders.html
+++ b/views/partials/folders.html
@@ -8,7 +8,7 @@
       <span>[[  __('create_folder') ]]</span>
     </button>
 
-    <label class="relative compact-hidden">
+    <label class="relative compact-hidden" v-if="logged_in">
       <span class="icon icon-sm icon-zoom no-events absolute-top-left" style="margin: 5px;"></span>
       <input id="folder-search"
              type="search" name="search"
@@ -18,7 +18,7 @@
              v-model="folder_spaces_search" v-on:change="search_spaces">
     </label>
     
-    <div class="dropdown top light m-r-20 compact-hidden" v-bind:class="{open : active_dropdown=='folder_sorting'}">
+    <div class="dropdown top light m-r-20 compact-hidden" v-bind:class="{open : active_dropdown=='folder_sorting'}" v-if="logged_in">
       <button class="btn btn-sm btn-nude" v-on:click="activate_dropdown('folder_sorting')">
         <span>[[  __('sort_by') ]]</span>:
         <b v-if="folder_sorting=='updated_at'">[[  __('last_modified') ]]</b>
@@ -49,7 +49,8 @@
   <div class="header-right pull-right">
     <div class="dropdown top right light" v-bind:class="{open: active_dropdown=='account'}">
       <button
-         class="profile-avatar btn btn-md btn-icon btn-dark btn-round"
+        class="profile-avatar btn btn-md btn-icon btn-dark btn-round"
+         v-if="logged_in"
          v-bind:style="background_image_style([user.avatar_thumb_uri])"
          v-bind:class="{'has-avatar-image':!!user.avatar_thumb_uri}" v-on:click="show_account();">
         <span class="icon icon-user" v-if="logged_in && !user.avatar_thumb_uri"></span></button>
@@ -80,14 +81,6 @@
       </div>
 
     </div>
-
-    <!--div class="btn-group dark round" id="meta-toggle" style="margin-right:10px">
-      <button class="btn btn-md btn-transparent btn-icon btn-icon" v-on:click="toggle_meta()">
-        <span class="jewel" style="color: white; background-color: red" v-if="meta_unseen>0">{{meta_unseen}}</span>
-        <span class="icon icon-menu"></span>
-      </button>
-    </div-->
-
   </div>
 </header>
 
@@ -98,14 +91,14 @@
 
     <div id="folder-breadcrumb">
 
-      <span v-for="item in active_space_path" class="btn btn-sm btn-transparent" v-sd-droppable="handle_folder_drop;item">
+      <span v-if="logged_in" v-for="item in active_space_path" class="btn btn-sm btn-transparent" v-sd-droppable="handle_folder_drop;item">
         <a href="/{{item.space_type}}s/{{item._id}}">{{item.name}}</a>&nbsp; ▶</span>
 
       <a v-if="(active_space_role != 'admin')" type="button" class="btn btn-sm btn-transparent">
         <span>{{active_folder.name}}</span>
       </a>
 
-      <div class="dropdown top light" v-bind:class="{open:active_dropdown=='breadcrumb'}" v-if="(active_folder._id != user.home_folder_id) && ((active_space_role == 'admin') || (active_space_role == 'editor'))">
+      <div class="dropdown top light" v-bind:class="{open:active_dropdown=='breadcrumb'}" v-if="(active_folder._id != user.home_folder_id) && ((active_space_role == 'admin'))">
         <button type="button" class="btn btn-sm btn-transparent btn-dropdown" data-toggle="dropdown" v-on:click=" activate_dropdown('breadcrumb')">
           <span>{{active_folder.name}}</span>
         </button>
@@ -142,8 +135,15 @@
          v-sd-droppable="handle_folder_drop;item"
          draggable="true"
          class="item" v-bind:class="item.space_type"
-         v-bind:style="{'z-index': (active_profile_spaces.length - $index)}">
-        <a href="/{{item.space_type}}s/{{item._id}}">
+        v-bind:style="{'z-index': (active_profile_spaces.length - $index)}">
+
+        <!-- anonymous editors can go edit spaces in a folder -->
+        <a href="/s/{{item.edit_hash}}-{{item.edit_slug}}" v-if="active_space_role=='editor' && !logged_in">
+          <span class="item-thumbnail thumbnail-loading" v-if="item.space_type=='space'"></span>
+          <span class="item-thumbnail" v-bind:style="space_thumbnail_style(item)"></span>
+        </a>
+        
+        <a v-if="active_space_role=='viewer' || logged_in" href="/{{item.space_type}}s/{{item._id}}">
           <span class="item-thumbnail thumbnail-loading" v-if="item.space_type=='space'"></span>
           <span class="item-thumbnail" v-bind:style="space_thumbnail_style(item)"></span>
         </a>