diff --git a/sipi/scripts/sipi.init.lua b/sipi/scripts/sipi.init.lua
index 8be1df91d64..d6c470addb3 100644
--- a/sipi/scripts/sipi.init.lua
+++ b/sipi/scripts/sipi.init.lua
@@ -103,8 +103,8 @@ function pre_flight(prefix, identifier, cookie)
 end
 local token, error = auth_get_jwt_decoded()
- if error == nil and token ~= nil and token["sub"] == "http://www.knora.org/ontology/knora-admin#SystemUser" then
- log("pre_flight - always allow access for system user", server.loglevel.LOG_DEBUG)
+ if error == nil and _is_system_or_project_admin(token, prefix) then
+ log("pre_flight - always allow access for system or project admin", server.loglevel.LOG_DEBUG)
 return 'allow', filepath
 end
@@ -151,6 +151,17 @@ function pre_flight(prefix, identifier, cookie)
 end
 end
+function _is_system_or_project_admin(token, shortcode)
+ if shortcode == nil or token == nil or token["scope"] == nil then
+ return false
+ else
+ local write_prj_scope = "write:project:" .. shortcode
+ local scopes = str_splitString(token["scope"], " ")
+ log("pre_flight - scopes: " .. tableToString(scopes), server.loglevel.LOG_DEBUG)
+ return scopes.contains("admin") or scopes.contains(write_prj_scope)
+ end
+end
+
 function _file_not_found_response()
 return "allow", "file_does_not_exist"
 end
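Review bot: `scopes.contains("admin")` on the helper's final `return` line calls a field of the table that `str_splitString` returns; unless that helper attaches a metatable with a `contains` method (not visible in this diff), a plain Lua sequence has no such field and the call raises "attempt to call a nil value", so the new admin / project-admin shortcut would error on every request carrying a `scope` claim instead of granting access, and whether that fails closed depends on how the server handles a Lua error in pre_flight. Building a set from the claim and indexing it removes the dependency on a method that may not exist, and widening the `== nil` guard to `type(token["scope"]) ~= "string"` also covers issuers that emit `scope` as an array rather than the space-delimited string of RFC 8693 §4.2, which the string split would otherwise choke on. Note that `shortcode` is the request's `prefix`, i.e. attacker-controlled; since it is only compared against a claim from the (presumably signature-verified) token this is fine, but a debug log of the full scope list exposes the caller's entitlements in logs, so the rewrite below logs the raw claim string at the same DEBUG level. pre_flight itself starts and ends outside the hunks, so the dropped `token ~= nil` test at the call site is only safe because the helper re-checks it.
```lua
function _is_system_or_project_admin(token, shortcode)
    if shortcode == nil or token == nil or type(token["scope"]) ~= "string" then
        return false
    end
    local write_prj_scope = "write:project:" .. shortcode
    -- scope is a space-delimited list; build a set so membership does not
    -- depend on a contains() method existing on the split result
    local scopes = {}
    for s in token["scope"]:gmatch("%S+") do
        scopes[s] = true
    end
    log("pre_flight - scopes: " .. token["scope"], server.loglevel.LOG_DEBUG)
    return scopes["admin"] == true or scopes[write_prj_scope] == true
end
```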