// HandleShowPath serves requests to a custom page url
func HandleShowPath(context router.Context) error {
// Setup context for template
path := context.Path()
// If no pages or users exist, redirect to set up page
if missingUsersAndPages() {
return router.Redirect(context, "/fragmenta/setup")
}
q := pages.Query().Where("url=?", path).Limit(1)
pages, err := pages.FindAll(q)
if err != nil || len(pages) == 0 {
return router.NotFoundError(err)
}
// Get the first of pages to render
page := pages[0]
// For show path of pages, we authorise showing the page FOR ALL users if it is published
if !page.IsPublished() {
// Authorise
err = authorise.Resource(context, page)
if err != nil {
return router.NotAuthorizedError(err)
}
}
return renderPage(context, page)
}
// authoriseReader returns error if the path/resource is not authorised
func authoriseReader(c router.Context, r ResourceModel) error {
user := c.Get("current_user").(*users.User)
if c.Path() == "/stories/create" && user.CanSubmit() {
return nil
}
if c.Path() == "/comments/create" && user.CanComment() {
return nil
}
// Allow upvotes and downvotes
if strings.HasSuffix(c.Path(), "/upvote") && user.CanUpvote() {
return nil
}
if strings.HasSuffix(c.Path(), "/downvote") && user.CanDownvote() {
return nil
}
if r != nil {
if r.OwnedBy(user.Id) {
return nil
}
}
return fmt.Errorf("Path and Resource not authorized:%s %v", c.Path(), r)
}
// HandleShowPath serves requests to a custom page url
func HandleShowPath(context router.Context) error {
// Setup context for template
path := context.Path()
q := pages.Query().Where("url=?", path).Limit(1)
pages, err := pages.FindAll(q)
if err != nil || len(pages) == 0 {
return router.NotFoundError(err)
}
// Get the first of pages to render
page := pages[0]
// If not published, check authorisation
if !page.IsPublished() {
// Authorise
err = authorise.Resource(context, page)
if err != nil {
return router.NotAuthorizedError(err)
}
}
return render(context, page)
}
// HandleShow displays a single story
func HandleShow(context router.Context) error {
// Find the story
story, err := stories.Find(context.ParamInt("id"))
if err != nil {
return router.InternalError(err)
}
// Redirect requests to the canonical url
if context.Path() != story.URLShow() {
return router.Redirect(context, story.URLShow())
}
// Find the comments for this story
// Fetch the comments
q := comments.Where("story_id=?", story.Id).Order(comments.RankOrder)
rootComments, err := comments.FindAll(q)
if err != nil {
return router.InternalError(err)
}
// Render the template
view := view.New(context)
view.AddKey("story", story)
view.AddKey("meta_title", story.Name)
view.AddKey("meta_desc", story.Summary)
view.AddKey("meta_keywords", story.Name)
view.AddKey("comments", rootComments)
return view.Render()
}
// Handle serving assets in dev (if we can) - return true on success
func serveAsset(context router.Context) error {
p := path.Clean(context.Path())
// It must be under /assets, or we don't serve
if !strings.HasPrefix(p, "/assets/") {
return router.NotFoundError(nil)
}
// Try to find an asset in our list
f := appAssets.File(path.Base(p))
if f == nil {
return router.NotFoundError(nil)
}
localPath := "./" + f.LocalPath()
http.ServeFile(context, context.Request(), localPath)
return nil
}
// Default file handler, used in development - in production serve with nginx
func serveFile(context router.Context) error {
// Assuming we're running from the root of the website
localPath := "./public" + path.Clean(context.Path())
if _, err := os.Stat(localPath); err != nil {
// If file not found return error
if os.IsNotExist(err) {
return router.NotFoundError(err)
}
// For other errors return not authorised
return router.NotAuthorizedError(err)
}
// If the file exists and we can access it, serve it
http.ServeFile(context, context.Request(), localPath)
return nil
}
func renderPage(context router.Context, page *pages.Page) error {
view := view.New(context)
// Setup context for template
if page.Template != "" {
view.Template(page.Template)
} else {
view.Template("pages/views/show.html.got")
}
view.AddKey("page", page)
view.AddKey("meta_title", page.Name)
view.AddKey("meta_desc", page.Summary)
view.AddKey("meta_keywords", page.Keywords)
// Serve template
context.Logf("#info Rendering page for path %s", context.Path())
return view.Render()
}
// Resource authorises the path and resource for the current user
// if model is nil it is ignored and permission granted
func Resource(c router.Context, r ResourceModel) error {
// Short circuit evaluation if this is a public path
if publicPath(c.Path()) {
return nil
}
user := c.Get("current_user").(*users.User)
switch user.Role {
case users.RoleAdmin:
return nil
case users.RoleEditor:
if r.OwnedBy(user.Id) {
return nil
}
}
return fmt.Errorf("Path and Resource not authorized:%s %v", c.Path(), r)
}
// Resource authorises the path and resource for the current user
// if model is nil it is ignored and permission granted
func Resource(c router.Context, r ResourceModel) error {
// Short circuit evaluation if this is a public path
if publicPath(c.Path()) {
return nil
}
user := c.Get("current_user").(*users.User)
switch user.Role {
case users.RoleAdmin:
return nil
case users.RoleCustomer:
// RoleCustomer should have access to /files
if c.Path() == "/files" {
return nil
}
// RoleCustomer should have access to /files/x/delete if file is owned by them
if strings.HasPrefix(c.Path(), "/files") {
if r != nil && r.OwnedBy(user.Id) {
return nil
}
}
// RoleCustomer should have access to /users/x/update if they are that user
if strings.HasPrefix(c.Path(), "/users") {
if r != nil && r.OwnedBy(user.Id) {
return nil
}
}
}
return fmt.Errorf("Path and Resource not authorized:%s %v", c.Path(), r)
}
