security: Enable authorize plugins to grant modify-only access

Richard Hansen 2020-09-11 19:46:47 -04:00 committed by John McLear
parent 6ed11b7605
commit 02757079c0
4 changed files with 66 additions and 4 deletions


@ -58,6 +58,8 @@ exports.checkAccess = async function(padID, sessionCookie, token, password, user
return DENY;
}
let canCreate = !settings.editOnly;
if (settings.requireAuthentication) {
// Make sure the user has authenticated if authentication is required. The caller should have
// already performed this check, but it is repeated here just in case.
@ -73,6 +75,7 @@ exports.checkAccess = async function(padID, sessionCookie, token, password, user
authLogger.debug('access denied: unauthorized');
return DENY;
}
if (level !== 'create') canCreate = false;
}
// allow plugins to deny access
@ -88,7 +91,7 @@ exports.checkAccess = async function(padID, sessionCookie, token, password, user
const p_padExists = padManager.doesPadExist(padID);
const padExists = await p_padExists;
if (!padExists && settings.editOnly) {
if (!padExists && !canCreate) {
authLogger.debug('access denied: user attempted to create a pad, which is prohibited');
return DENY;
}
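Review bot: In the second hunk, `if (level !== 'create') canCreate = false;` treats every value other than the exact string 'create' as modify-only, which fails closed but is not stated anywhere, and `level` is assigned outside the visible lines. I would add a comment above it such as `// Fail closed: any level other than 'create', including unrecognized values, may modify but not create pads.` so that a later change to the set of levels is made with this default in mind. From the braces shown, the downgrade appears to sit inside the `settings.requireAuthentication` branch, so with authentication disabled `canCreate` rests on `settings.editOnly` alone; a short comment on `let canCreate = !settings.editOnly;` should say so. The body of checkAccess starts and ends outside these hunks.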