From 02b4ecec8cf3107a8aa13f09571b37d8bfff4eef Mon Sep 17 00:00:00 2001
From: Kay0u
Date: Mon, 20 Jan 2020 22:59:25 +0700
Subject: [PATCH] Fix legacy/new permissions
---
 helpers.lua | 93 +++++++++++++++--------------------------------------
 1 file changed, 26 insertions(+), 67 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index fd45715..ca6459a 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -267,96 +267,55 @@ end
 function has_access(user)
 user = user or authUser
- if not conf["users"][user] then
- conf = config.get_config()
- end
+ -- Get the longest url permission
+ longest_permission_match = longest_url_path(permission_matches()) or ""
- -- If there are no `users` directive, or if the user has no ACL set, he can
- -- access the URL by default
- if not conf["users"] or not conf["users"][user] then
- logger.debug("No access rules defined for user "..user..", assuming it can access..")
+ logger.debug("Longest permission match : "..longest_permission_match)
+
+ -- If no permission matches, it means that there is no
+ -- permission defined for this url, a logged-in user can access it.
+ if longest_permission_match == "" then
+ logger.debug("No access rules defined for user "..user..", assuming it can access.")
 return true
 end
- -- Loop through user's ACLs and return if the URL is authorized.
- allowed_url_matches = {}
- for url, app in pairs(conf["users"][user]) do
+ -- All user in this permission
+ allowed_users = conf["permissions"][longest_permission_match]
- -- Replace the original domain by a local one if you are connected from
- -- a non-global domain name.
- if ngx.var.host == conf["local_portal_domain"] then
- url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
- end
-
- if string.ends(url, "/") then
- url = string.sub(url, 1, -1)
- end
-
- if string.starts(ngx.var.host..ngx.var.uri, url) then
- logger.debug("User is allowed to access this match : "..url)
- table.insert(allowed_url_matches,url)
+ -- The user has permission to access the content if he is in the list of this one
+ if allowed_users then
+ for _, u in pairs(allowed_users) do
+ if u == user then
+ logger.debug("User "..user.." can access "..ngx.var.uri)
+ log_access(user, longest_permission_match)
+ return true
+ end
 end
 end
- -- Keep only the longest match and compare it to the longest protected
- -- match e.g. we don't want to allow the user to access /foo/admin if
- -- /foo/admin is protected, but this user is only allowed to access /foo
- local longest_allowed_match = longest_url_path(allowed_url_matches) or ""
- local longest_protected_match = longest_url_path(protected_matches()) or ""
-
- logger.debug("Longest allowed match : "..longest_allowed_match)
- logger.debug("Longest protected match : "..longest_protected_match)
-
- -- For the user to be able to access the content, at least one rule should
- -- exist and it should be the longest match
- if longest_allowed_match ~= ""
- and string.len(longest_allowed_match) >= string.len(longest_protected_match) then
- logger.debug("Logged-in user can access "..ngx.var.uri)
- log_access(user, longest_allowed_match)
- return true
- else
- logger.debug("Logged-in user cannot access "..ngx.var.uri)
- return false
- end
+ logger.debug("User "..user.." cannot access "..ngx.var.uri)
+ return false
 end
-
-function protected_matches()
- if not conf["protected_urls"] then
- conf["protected_urls"] = {}
- end
- if not conf["protected_regex"] then
- conf["protected_regex"] = {}
+function permission_matches()
+ if not conf["permissions"] then
+ conf["permissions"] = {}
 end
 local url_matches = {}
- for _, url in ipairs(conf["protected_urls"]) do
+ for url, permission in pairs(conf["permissions"]) do
 if string.starts(ngx.var.host..ngx.var.uri..uri_args_string(), url)
 or string.starts(ngx.var.uri..uri_args_string(), url) then
- logger.debug("protected_url match current uri : "..url)
+ logger.debug("Url permission match current uri : "..url)
+
 table.insert(url_matches, url)
- else
- logger.debug("no match from "..url.." to "..ngx.var.uri)
- end
- end
- for _, regex in ipairs(conf["protected_regex"]) do
- local m1 = match(ngx.var.host..ngx.var.uri..uri_args_string(), regex)
- local m2 = match(ngx.var.uri..uri_args_string(), regex)
- if m1 then
- logger.debug("protected_regex match current uri : "..regex.." with "..m1)
- table.insert(url_matches, m1)
- end
- if m2 then
- logger.debug("protected_regex match current uri : "..regex.." with "..m2)
- table.insert(url_matches, m2)
- end
 end
 end
 return url_matches
 end
-
 function longest_url_path(urls)
 local longest = nil
 for _, url in ipairs(urls) do
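Review bot: `longest_permission_match` and `allowed_users`, the two new variables added at the top of has_access, are assigned without `local`, so they become globals where the removed code had `local longest_allowed_match`; for a function that decides authorization this lets intermediate state from one call be visible to later code (and, depending on how the handler chunk is loaded by nginx, possibly to other requests in the same worker), and it hides typos that luacheck would otherwise catch. Declare them as `local longest_permission_match = longest_url_path(permission_matches()) or ""` and `local allowed_users = conf["permissions"][longest_permission_match]`. In permission_matches the loop value `permission` is never read, so `for url, _ in pairs(conf["permissions"]) do` states the intent more clearly. The hunk ends inside longest_url_path, whose body continues past it.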