Allow access for project and system admins

dasch-swiss · May 22, 2024 · 2205ad7 · 2205ad7
1 parent 5f840c0
commit 2205ad7
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/sipi/scripts/sipi.init.lua b/sipi/scripts/sipi.init.lua
@@ -103,8 +103,8 @@ function pre_flight(prefix, identifier, cookie)
     end
 
     local token, error = auth_get_jwt_decoded()
-    if error == nil and token ~= nil and token["sub"] == "http://www.knora.org/ontology/knora-admin#SystemUser" then
-        log("pre_flight - always allow access for system user", server.loglevel.LOG_DEBUG)
+    if error == nil and _is_system_or_project_admin(token, prefix) then
+        log("pre_flight - always allow access for system or project admin", server.loglevel.LOG_DEBUG)
         return 'allow', filepath
     end
 
@@ -151,6 +151,17 @@ function pre_flight(prefix, identifier, cookie)
     end
 end
 
+function _is_system_or_project_admin(token, shortcode)
+    if shortcode == nil or token == nil or token["scope"] == nil then
+        return false
+    else
+        local write_prj_scope = "write:project:" .. shortcode
+        local scopes = str_splitString(token["scope"], " ")
+        log("pre_flight - scopes: " .. tableToString(scopes), server.loglevel.LOG_DEBUG)
+        return scopes.contains("admin") or scopes.contains(write_prj_scope)
+    end
+end
+
 function _file_not_found_response()
     return "allow", "file_does_not_exist"
 end