security: Enable authorize plugins to grant modify-only access

Richard Hansen 2020-09-11 19:46:47 -04:00 committed by John McLear
parent 6ed11b7605
commit 02757079c0
4 changed files with 66 additions and 4 deletions


@ -125,6 +125,7 @@ describe('socket.io access checks', function() {
beforeEach(async function() {
Object.assign(settingsBackup, settings);
assert(socket == null);
settings.editOnly = false;
settings.requireAuthentication = false;
settings.requireAuthorization = false;
settings.users = {
@ -224,4 +225,57 @@ describe('socket.io access checks', function() {
const message = await handshake(socket, 'other-pad');
assert.equal(message.accessStatus, 'deny');
});
// Authorization levels via authorize hook
it("level='create' -> can create", async () => {
authorize = () => 'create';
settings.requireAuthentication = true;
settings.requireAuthorization = true;
const res = await agent.get('/p/pad').auth('user', 'user-password').expect(200);
socket = await connect(res);
const clientVars = await handshake(socket, 'pad');
assert.equal(clientVars.type, 'CLIENT_VARS');
assert.equal(clientVars.data.readonly, false);
});
it('level=true -> can create', async () => {
authorize = () => true;
settings.requireAuthentication = true;
settings.requireAuthorization = true;
const res = await agent.get('/p/pad').auth('user', 'user-password').expect(200);
socket = await connect(res);
const clientVars = await handshake(socket, 'pad');
assert.equal(clientVars.type, 'CLIENT_VARS');
assert.equal(clientVars.data.readonly, false);
});
it("level='modify' -> can modify", async () => {
const pad = await padManager.getPad('pad'); // Create the pad.
authorize = () => 'modify';
settings.requireAuthentication = true;
settings.requireAuthorization = true;
const res = await agent.get('/p/pad').auth('user', 'user-password').expect(200);
socket = await connect(res);
const clientVars = await handshake(socket, 'pad');
assert.equal(clientVars.type, 'CLIENT_VARS');
assert.equal(clientVars.data.readonly, false);
});
it("level='create' settings.editOnly=true -> unable to create", async () => {
authorize = () => 'create';
settings.requireAuthentication = true;
settings.requireAuthorization = true;
settings.editOnly = true;
const res = await agent.get('/p/pad').auth('user', 'user-password').expect(200);
socket = await connect(res);
const message = await handshake(socket, 'pad');
assert.equal(message.accessStatus, 'deny');
});
it("level='modify' settings.editOnly=false -> unable to create", async () => {
authorize = () => 'modify';
settings.requireAuthentication = true;
settings.requireAuthorization = true;
settings.editOnly = false;
const res = await agent.get('/p/pad').auth('user', 'user-password').expect(200);
socket = await connect(res);
const message = await handshake(socket, 'pad');
assert.equal(message.accessStatus, 'deny');
});
});
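Review bot: The two deny-path tests at the end of the hunk ("level='create' settings.editOnly=true" and "level='modify' settings.editOnly=false") only prove anything if the pad `pad` does not already exist, yet the `level='modify' -> can modify` test a few lines earlier creates exactly that pad via `padManager.getPad('pad')`, so the expected `deny` silently depends on per-test pad cleanup that is not visible here (the `beforeEach` shown resets settings only; presumably an `afterEach` outside the hunk removes the pad). Assert the precondition at the top of both deny tests, `assert(!(await padManager.doesPadExist('pad')));`, so a stale pad surfaces as a failed precondition rather than masquerading as a correct "unable to create" result. In the `level='modify'` test the `pad` binding is never used; `await padManager.getPad('pad'); // create the pad so 'modify' has something to grant` states the intent without the dead variable. The enclosing `describe('socket.io access checks')` block starts before the hunk.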