Expose the user's permissions through a header.

Closes #246.

Author: RubenVerborgh

lib/header.js

@@ -2,6 +2,7 @@ module.exports.addLink = addLink
 module.exports.addLinks = addLinks
 module.exports.parseMetadataFromHeader = parseMetadataFromHeader
 module.exports.linksHandler = linksHandler
+module.exports.addPermissions = addPermissions
 
 var li = require('li')
 var path = require('path')
@@ -11,6 +12,8 @@ var debug = require('./debug.js')
 var utils = require('./utils.js')
 var error = require('./http-error')
 
+const PERMISSIONS = ['Read', 'Write', 'Append', 'Control']
+
 function addLink (res, value, rel) {
   var oldLink = res.get('Link')
   if (oldLink === undefined) {
@@ -95,3 +98,28 @@ function parseMetadataFromHeader (linkHeader) {
   }
   return fileMetadata
 }
+
+// Adds a header that describes the user's permissions
+function addPermissions (req, res, next) {
+  const { acl, session, originalUrl } = req
+  if (!acl) return next()
+
+  // Turn permissions for the public and the user into a header
+  const resource = utils.uriAbs(req) + path
+  Promise.all([
+    getPermissionsFor(acl, null, resource),
+    getPermissionsFor(acl, session.userId, resource)
+  ])
+  .then(([publicPerms, userPerms]) => {
+    res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)
+  })
+  .then(next, next)
+}
+
+// Gets the permissions string for the given user and resource
+function getPermissionsFor (acl, userId, resource) {
+  return Promise.all(PERMISSIONS.map(perm =>
+    new Promise(resolve => acl.can(userId, perm, resource, e => resolve(!e)))
+  ))
+  .then(perms => PERMISSIONS.filter((p, i) => perms[i]).join(';').toLowerCase())
+}

lib/ldp-middleware.js

@@ -22,7 +22,7 @@ function LdpMiddleware (corsSettings) {
   }
 
   router.copy('/*', allow('Write'), copy)
-  router.get('/*', index, allow('Read'), get)
+  router.get('/*', index, allow('Read'), header.addPermissions, get)
   router.post('/*', allow('Append'), post)
   router.patch('/*', allow('Write'), patch)
   router.put('/*', allow('Write'), put)

test/integration/header-test.js

@@ -0,0 +1,53 @@
+const { expect } = require('chai')
+const path = require('path')
+const ldnode = require('../../index')
+const supertest = require('supertest')
+
+const serverOptions = {
+  root: path.join(__dirname, '../resources/headers'),
+  idp: false,
+  webid: true,
+  sslKey: path.join(__dirname, '../keys/key.pem'),
+  sslCert: path.join(__dirname, '../keys/cert.pem'),
+  forceUser: 'https://ruben.verborgh.org/profile/#me'
+}
+
+describe('Header handler', () => {
+  let request
+
+  before(() => {
+    const server = ldnode.createServer(serverOptions)
+    request = supertest(server)
+  })
+
+  describe('WAC-Allow', () => {
+    describeHeaderTest('read/append for the public', {
+      resource: '/public-ra',
+      headers: { 'WAC-Allow': 'user="read;append",public="read;append"' }
+    })
+
+    describeHeaderTest('read/write for the user, read for the public', {
+      resource: '/user-rw-public-r',
+      headers: { 'WAC-Allow': 'user="read;write;append",public="read"' }
+    })
+
+    describeHeaderTest('read/write/append/control for the user, nothing for the public', {
+      resource: '/user-rwac-public-0',
+      headers: { 'WAC-Allow': 'user="read;write;append;control",public=""' }
+    })
+  })
+
+  function describeHeaderTest (label, { resource, headers }) {
+    describe(`a resource that is ${label}`, () => {
+      let response
+      before(() => request.get(resource).then(res => { response = res }))
+
+      for (const header in headers) {
+        const value = headers[header]
+        it(`has a ${header} header of ${value}`, () => {
+          expect(response.headers).to.have.property(header.toLowerCase(), value)
+        })
+      }
+    })
+  }
+})

test/resources/headers/index.html

@@ -0,0 +1,7 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public> a acl:Authorization;
+  acl:accessTo <./public-ra>;
+  acl:agentClass foaf:Agent;
+  acl:mode acl:Read, acl:Append.

test/resources/headers/public-ra

@@ -0,0 +1,12 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#owner> a acl:Authorization;
+  acl:accessTo <./user-rw-public-r>;
+  acl:agent <https://ruben.verborgh.org/profile/#me>;
+  acl:mode acl:Read, acl:Write.
+
+<#public> a acl:Authorization;
+  acl:accessTo <./user-rw-public-r>;
+  acl:agentClass foaf:Agent;
+  acl:mode acl:Read.

test/resources/headers/public-ra.acl

@@ -0,0 +1,7 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#owner> a acl:Authorization;
+  acl:accessTo <./user-rwac-public-0>;
+  acl:agent <https://ruben.verborgh.org/profile/#me>;
+  acl:mode acl:Read, acl:Write, acl:Append, acl:Delete, acl:Control.