mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 00:16:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

security: Enable authorize plugins to grant read-only access

Browse source
This commit is contained in:
Richard Hansen 2020-09-19 15:30:04 -04:00 committed by John McLear
parent 505d67ed1c
commit 180983736d
5 changed files with 41 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/node/hooks/express/webaccess.js
View file

@ -1,3 +1,4 @@
const assert = require('assert').strict;
const express = require('express');
const log4js = require('log4js');
const httpLogger = log4js.getLogger('http');
@ -15,6 +16,7 @@ exports.normalizeAuthzLevel = (level) => {
switch (level) {
case true:
return 'create';
case 'readOnly':
case 'modify':
case 'create':
return level;
@ -24,6 +26,16 @@ exports.normalizeAuthzLevel = (level) => {
return false;
};
exports.userCanModify = (padId, req) => {
if (!settings.requireAuthentication) return true;
const {session: {user} = {}} = req;
assert(user); // If authn required and user == null, the request should have already been denied.
assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
assert(level); // If !level, the request should have already been denied.
return level !== 'readOnly';
};
// Exported so that tests can set this to 0 to avoid unnecessary test slowness.
exports.authnFailureDelayMs = 1000;