diff --git a/access.lua b/access.lua index 825e678..9688b25 100644 --- a/access.lua +++ b/access.lua @@ -265,12 +265,46 @@ if conf["redirected_regex"] then end -- +-- 4. IDENTIFY THE RELEVANT PERMISSION +-- +-- In particular, the conf is filled with permissions such as: +-- +-- "foobar": { +-- "auth_header": false, +-- "label": "Foobar permission", +-- "public": false, +-- "show_tile": true, +-- "uris": [ +-- "yolo.test/foobar", +-- "re:^[^/]*/%.well%-known/foobar/.*$", +-- ], +-- "users": ["alice", "bob"] +-- } -- -- +-- And we find the best matching permission by trying to match the request uri +-- against all the uris rules/regexes from the conf and keep the longest matching one. -- +permission = nil +longest_url_match = "" +for permission_name, permission_infos in pairs(conf["permissions"]) do + if next(permission_infos['uris']) ~= nil then + for _, url in pairs(permission_infos['uris']) do + if string.starts(url, "re:") then + url = string.sub(url, 4, string.len(url)) + end + local m = hlp.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url) + if m ~= nil and string.len(m) > string.len(longest_url_match) then + longest_url_match = m + permission = permission_infos + permission["id"] = permission_name + end + end + end +end -- -- @@ -278,7 +312,6 @@ end -- -local permission = hlp.get_best_permission() if permission then if is_logged_in then diff --git a/config.lua b/config.lua index 9d2395d..029ffe7 100644 --- a/config.lua +++ b/config.lua @@ -60,7 +60,8 @@ function get_config() allow_mail_authentication = true, default_language = "en", theme = "default", - logging = "fatal" -- Only log fatal messages by default (so apriori nothing) + logging = "fatal", -- Only log fatal messages by default (so apriori nothing) + permissions = {} } diff --git a/helpers.lua b/helpers.lua index 6aca31d..74e06d6 100644 --- a/helpers.lua +++ b/helpers.lua 
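Review bot: `permission` and `longest_url_match` are assigned without `local` in the setup of the added loop, so the value that drives the `if permission then` access check now lives in a global, whereas the line removed in the next hunk declared `local permission`. Whether globals are isolated per request depends on the ngx_lua version, which is not visible here. If they are shared per worker, a request that yields between this loop and the check could in principle observe another request's match, so I would write `local permission = nil` and `local longest_url_match = ""`. Separately, `permission["id"] = permission_name` writes into the entry held in `conf["permissions"]`; either build a shallow copy or add a comment such as `-- intentionally annotates the shared conf entry with its name`. The inlined loop also drops the old `logger.debug("Match "..m)`, which was the only trace of which rule won the longest-match selection and is worth keeping for auditing access decisions.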
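Review bot: The `permissions = {}` default added to `get_config()` is now the only thing replacing the `if not conf["permissions"]` guard that the deleted helper had, and it covers only a missing key. How these defaults are merged with the loaded configuration is outside the hunk; if the loaded file can supply a non-table `permissions`, or an entry without `uris`, the `pairs`/`next` calls in access.lua will raise. It is worth confirming that such an error rejects the request rather than letting it through, and documenting the dependency here with `-- default so access.lua can iterate conf["permissions"] without a nil check`.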
@@ -296,34 +296,6 @@ function log_access(user, uri) end end -function get_best_permission() - if not conf["permissions"] then - conf["permissions"] = {} - end - - local permission_match = nil - local longest_url_match = "" - - for permission_name, permission in pairs(conf["permissions"]) do - if next(permission['uris']) ~= nil then - for _, url in pairs(permission['uris']) do - if string.starts(url, "re:") then - url = string.sub(url, 4, string.len(url)) - end - - local m = match(ngx.var.host..ngx.var.uri..uri_args_string(), url) - if m ~= nil and string.len(m) > string.len(longest_url_match) then - longest_url_match = m - permission_match = permission - logger.debug("Match "..m) - end - end - end - end - - return permission_match -end - -- Check whether a user is allowed to access a URL using the `permissions` directive -- of the configuration file function has_access(permission, user)