security: Enable authorize plugins to grant read-only access

2025-04-25 01:46:14 -04:00 · 2020-09-19 15:30:04 -04:00 · 2020-09-19 15:30:04 -04:00 · 180983736d
commit 180983736d
parent 505d67ed1c
5 changed files with 41 additions and 5 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -39,6 +39,7 @@ var remoteAddress = require("../utils/RemoteAddress").remoteAddress;
 const assert = require('assert').strict;
 const nodeify = require("nodeify");
 const { RateLimiterMemory } = require('rate-limiter-flexible');
+const webaccess = require('../hooks/express/webaccess');

 const rateLimiter = new RateLimiterMemory({
  points: settings.commitRateLimiting.points,
@ -224,7 +225,6 @@ exports.handleMessage = async function(client, message)
    padId = await readOnlyManager.getPadId(padId);
  }

-  // FIXME: Allow to override readwrite access with readonly
  const {session: {user} = {}} = client.client.request;
  const {accessStatus, authorID} =
      await securityManager.checkAccess(padId, auth.sessionID, auth.token, auth.password, user);
@ -973,7 +973,8 @@ async function handleClientReady(client, message, authorID)
  // Save in sessioninfos that this session belonges to this pad
  sessionInfo.padId = padIds.padId;
  sessionInfo.readOnlyPadId = padIds.readOnlyPadId;
-  sessionInfo.readonly = padIds.readonly;
+  sessionInfo.readonly =
+      padIds.readonly || !webaccess.userCanModify(message.padId, client.client.request);

  // Log creation/(re-)entering of a pad
  let ip = remoteAddress[client.id];
@ -1112,7 +1113,7 @@ async function handleClientReady(client, message, authorID)
      "chatHead": pad.chatHead,
      "numConnectedUsers": roomClients.length,
      "readOnlyId": padIds.readOnlyPadId,
-      "readonly": padIds.readonly,
+      "readonly": sessionInfo.readonly,
      "serverTimestamp": Date.now(),
      "userId": authorID,
      "abiwordAvailable": settings.abiwordAvailable(),
--- a/src/node/hooks/express/specialpages.js
+++ b/src/node/hooks/express/specialpages.js
@ -3,6 +3,7 @@ var eejs = require('ep_etherpad-lite/node/eejs');
 var toolbar = require("ep_etherpad-lite/node/utils/toolbar");
 var hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
 var settings = require('../../utils/Settings');
+const webaccess = require('./webaccess');

 exports.expressCreateServer = function (hook_name, args, cb) {
  // expose current stats
@ -42,7 +43,8 @@ exports.expressCreateServer = function (hook_name, args, cb) {
  args.app.get('/p/:pad', function(req, res, next)
  {
    // The below might break for pads being rewritten
-    var isReadOnly = req.url.indexOf("/p/r.") === 0;
+    const isReadOnly =
+        req.url.indexOf("/p/r.") === 0 || !webaccess.userCanModify(req.params.pad, req);

    hooks.callAll("padInitToolbar", {
      toolbar: toolbar,
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -1,3 +1,4 @@
+const assert = require('assert').strict;
 const express = require('express');
 const log4js = require('log4js');
 const httpLogger = log4js.getLogger('http');
@ -15,6 +16,7 @@ exports.normalizeAuthzLevel = (level) => {
  switch (level) {
    case true:
      return 'create';
+    case 'readOnly':
    case 'modify':
    case 'create':
      return level;
@ -24,6 +26,16 @@ exports.normalizeAuthzLevel = (level) => {
  return false;
 };

+exports.userCanModify = (padId, req) => {
+  if (!settings.requireAuthentication) return true;
+  const {session: {user} = {}} = req;
+  assert(user); // If authn required and user == null, the request should have already been denied.
+  assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
+  const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
+  assert(level); // If !level, the request should have already been denied.
+  return level !== 'readOnly';
+};
+
 // Exported so that tests can set this to 0 to avoid unnecessary test slowness.
 exports.authnFailureDelayMs = 1000;