From 2502118ab8ab2edccbeda6cdd9389ff31de7e2dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9my=20HUBSCHER?=
Date: Wed, 5 Oct 2016 12:14:40 +0200
Subject: [PATCH] Do not give everyone the permission to read answers.
Since Kinto 4.3 people can read the schema with the `record:create` permission.
---
 formbuilder/actions/server.js | 83 +++++++++++++++--------------------
 1 file changed, 35 insertions(+), 48 deletions(-)
diff --git a/formbuilder/actions/server.js b/formbuilder/actions/server.js
index 32e7e53..1950aaf 100644
--- a/formbuilder/actions/server.js
+++ b/formbuilder/actions/server.js
@@ -84,56 +84,43 @@ export function publishForm(callback) { dispatch({type: FORM_PUBLICATION_PENDING}); const adminToken = uuid.v4().replace(/-/g, ""); - const userToken = getUserToken(adminToken); + const formID = getUserToken(adminToken); - const userClient = new KintoClient( + // Create a client authenticated as the admin. + const bucket = new KintoClient( config.server.remote, - {headers: getAuthenticationHeaders(userToken)} - ); - userClient.fetchServerInfo().then((serverInfo) => { - return serverInfo.user.id; - }) - .catch(() => { - connectivityIssues(dispatch, "We are unable to connect to the server."); - dispatch({type: FORM_PUBLICATION_FAILED}); + {headers: getAuthenticationHeaders(adminToken)} + ).bucket(config.server.bucket); + + // The name of the collection is the user token so the user deals with + // less different concepts. + bucket.createCollection(formID, { + data: {schema, uiSchema}, + permissions: { + "record:create": ["system.Authenticated"] + } }) - .then((userId) => { - // Create a new client, authenticated as the admin. - const bucket = new KintoClient( - config.server.remote, - {headers: getAuthenticationHeaders(adminToken)} - ).bucket(config.server.bucket); - // The name of the collection is the user token so the user deals with - // less different concepts. - bucket.createCollection(userToken, { - data: {schema, uiSchema}, - permissions: { - "record:create": ["system.Authenticated"], - "read": [userId] - } - }) - .then(({data}) => { - dispatch({ - type: FORM_PUBLICATION_DONE, + .then(({data}) => { + dispatch({ + type: FORM_PUBLICATION_DONE, + collection: data.id, + }); + if (callback) { + callback({ collection: data.id, + adminToken, }); - if (callback) { - callback({ - collection: data.id, - adminToken, - }); - } - }) - .catch((error) => { - // If the bucket doesn't exist, try to create it. 
- if (error.response.status === 403 && retry === true) { - return initializeBucket().then(() => { - thunk(dispatch, getState, false); - }); - } - connectivityIssues(dispatch, "We were unable to publish your form."); - dispatch({type: FORM_PUBLICATION_FAILED}); - }); + } + }) + .catch((error) => { + // If the bucket doesn't exist, try to create it. + if (error.response.status === 403 && retry === true) { + return initializeBucket().then(() => { + thunk(dispatch, getState, false); + }); + } + connectivityIssues(dispatch, "We were unable to publish your form."); + dispatch({type: FORM_PUBLICATION_FAILED}); }); }; return thunk; @@ -193,17 +180,17 @@ export function loadSchema(collection, callback) { /** * Retrieve all the answers to a specific form. * - * The userToken is derived from the the adminToken. + * The formID is derived from the the adminToken. **/ export function getRecords(adminToken, callback) { return (dispatch, getState) => { - const collection = getUserToken(adminToken); + const formID = getUserToken(adminToken); dispatch({type: RECORDS_RETRIEVAL_PENDING}); new KintoClient(config.server.remote, { headers: getAuthenticationHeaders(adminToken) }) .bucket(config.server.bucket) - .collection(collection) + .collection(formID) .listRecords().then(({data}) => { dispatch({ type: RECORDS_RETRIEVAL_DONE,
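Review bot: In the new `.catch` at the end of `bucket.createCollection(...)`, `error.response.status` is read unconditionally, but with the `fetchServerInfo()` connectivity check removed, a failed fetch that never produced an HTTP response now lands here with an error lacking `response`, so the handler itself throws and neither `connectivityIssues` nor `FORM_PUBLICATION_FAILED` runs. Guard it: `if (error.response && error.response.status === 403 && retry === true) {`. The retry path also returns `initializeBucket().then(...)` with no rejection handler, so a failed bucket creation is dropped silently; append `.catch(() => { connectivityIssues(dispatch, "We were unable to publish your form."); dispatch({type: FORM_PUBLICATION_FAILED}); })` or restructure so both failures reach one handler. I am inferring the shape of network errors from the removed connectivity branch rather than from kinto-http itself, so confirm what the client rejects with. publishForm starts before this hunk and its closing brace is after it.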
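Review bot: The new doc line `* The formID is derived from the the adminToken.` has a doubled "the" and, more importantly, omits the property this commit relies on: the formID is the collection name every respondent uses, so it is effectively public, while the adminToken passed to `getAuthenticationHeaders` is the only credential meant to list the answers. Suggest `* The formID is derived from the adminToken via getUserToken(); the formID is public (respondents use it), so that derivation must be one-way — a formID must never reveal the adminToken that can read its records.` getUserToken is outside this hunk, so whether it is actually a one-way hash is something to confirm rather than assume. The `.then` chain of getRecords continues past the hunk, so whether a rejection handler follows is not visible here.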