security: Enable authorize plugins to grant read-only access

src/node/hooks/express/specialpages.js

@@ -3,6 +3,7 @@ var eejs = require('ep_etherpad-lite/node/eejs');
 var toolbar = require("ep_etherpad-lite/node/utils/toolbar");
 var hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
 var settings = require('../../utils/Settings');
+const webaccess = require('./webaccess');
 
 exports.expressCreateServer = function (hook_name, args, cb) {
   // expose current stats
@@ -42,7 +43,8 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   args.app.get('/p/:pad', function(req, res, next)
   {
     // The below might break for pads being rewritten
-    var isReadOnly = req.url.indexOf("/p/r.") === 0;
+    const isReadOnly =
+        req.url.indexOf("/p/r.") === 0 || !webaccess.userCanModify(req.params.pad, req);
 
     hooks.callAll("padInitToolbar", {
       toolbar: toolbar,

src/node/hooks/express/webaccess.js

@@ -1,3 +1,4 @@
+const assert = require('assert').strict;
 const express = require('express');
 const log4js = require('log4js');
 const httpLogger = log4js.getLogger('http');
@@ -15,6 +16,7 @@ exports.normalizeAuthzLevel = (level) => {
   switch (level) {
     case true:
       return 'create';
+    case 'readOnly':
     case 'modify':
     case 'create':
       return level;
@@ -24,6 +26,16 @@ exports.normalizeAuthzLevel = (level) => {
   return false;
 };
 
+exports.userCanModify = (padId, req) => {
+  if (!settings.requireAuthentication) return true;
+  const {session: {user} = {}} = req;
+  assert(user); // If authn required and user == null, the request should have already been denied.
+  assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
+  const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
+  assert(level); // If !level, the request should have already been denied.
+  return level !== 'readOnly';
+};
+
 // Exported so that tests can set this to 0 to avoid unnecessary test slowness.
 exports.authnFailureDelayMs = 1000;