From dc77aee413e58ce856cfd5a91de9507b5db6f453 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Kleinb=C3=B6lting?=
Date: Wed, 22 May 2024 08:02:36 +0200
Subject: [PATCH] Allow access for project and system admins
---
 sipi/scripts/sipi.init.lua | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/sipi/scripts/sipi.init.lua b/sipi/scripts/sipi.init.lua
index 8be1df91d64..bd5089a9a88 100644
--- a/sipi/scripts/sipi.init.lua
+++ b/sipi/scripts/sipi.init.lua
@@ -4,7 +4,7 @@
 require "file_specific_folder_util"
 require "authentication"
 require "log_util"
-require "util"
+local util = require "util"
 -------------------------------------------------------------------------------
 -- This function returns the segments from the identifier
@@ -103,8 +103,8 @@ function pre_flight(prefix, identifier, cookie)
 end
 local token, error = auth_get_jwt_decoded()
- if error == nil and token ~= nil and token["sub"] == "http://www.knora.org/ontology/knora-admin#SystemUser" then
- log("pre_flight - always allow access for system user", server.loglevel.LOG_DEBUG)
+ if error == nil and _is_system_or_project_admin(token, prefix) then
+ log("pre_flight - always allow access for system or project admin", server.loglevel.LOG_DEBUG)
 return 'allow', filepath
 end
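Review bot: The allow-all return in the `@@ -103` hunk now hinges on `error == nil` alone, because the explicit `token ~= nil` guard and the `sub` comparison were removed and `_is_system_or_project_admin` treats a nil token as not-admin; that is only safe if `auth_get_jwt_decoded()` is guaranteed to return a non-nil `error` whenever the token is missing, expired or fails signature verification, which this hunk cannot show and which is worth confirming before it becomes the sole gate. The hunk also binds the authorization decision to the IIIF `prefix` by passing it as the project shortcode, so a token scoped `write:project:X` unlocks everything served under prefix `X`; if a prefix is not always exactly the project shortcode (case or padding differences), the check silently becomes a no-op for that project rather than failing loudly. A one-line comment above the `if` would help the next reader, e.g. `-- prefix is the project shortcode; scope check lives in _is_system_or_project_admin`. The body of `pre_flight` begins before and continues after this hunk.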
@@ -151,6 +151,30 @@ function pre_flight(prefix, identifier, cookie)
 end
 end
+--- Checks if the user is a system or project admin.
+--- @param token table The decoded JWT token.
+--- @param shortcode string The shortcode of the project.
+--- @return boolean True if the user is a system or project admin, false otherwise.
+function _is_system_or_project_admin(token, shortcode)
+ if shortcode == nil or token == nil or token["scope"] == nil then
+ return false
+ else
+ local write_prj_scope = "write:project:" .. shortcode
+ local scopes = str_splitString(token["scope"], " ")
+ log("pre_flight - scopes: " .. tableToString(scopes), server.loglevel.LOG_DEBUG)
+ return _table_contains(scopes, "admin") or _table_contains(scopes, write_prj_scope)
+ end
+end
+
+function _table_contains(table, what)
+ for _, value in pairs(table) do
+ if value == what then
+ return true
+ end
+ end
+ return false
+end
+
 function _file_not_found_response()
 return "allow", "file_does_not_exist"
 end
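Review bot: `_is_system_or_project_admin` only checks `token["scope"]` for nil before handing it to `str_splitString`, but nothing in the JWT format guarantees that claim is a string, and a table or number there would either raise inside the split or be coerced in a way this code does not expect; since this sits on the allow path it should fail closed, e.g. `if shortcode == nil or token == nil or type(token["scope"]) ~= "string" then`. The exact-equality match against the split scopes is sound — no pattern matching is involved, so a crafted `prefix` cannot widen `write:project:` .. shortcode — though `shortcode` itself is never type-checked and `..` raises on a table, so the same guard could cover it with `type(shortcode) ~= "string"`. Separately, `_table_contains(table, what)` shadows the standard `table` library inside the function; renaming the parameter (`function _table_contains(list, what)` / `for _, value in pairs(list) do`) avoids a surprise for whoever later adds a `table.concat` there. The leading context lines close `pre_flight`, whose body lies outside this hunk.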