PadMessageHandler: Pass session info to handleMessageSecurity hook

2025-04-23 17:06:16 -04:00 · 2021-12-07 02:30:08 -05:00 · 2021-12-07 02:30:08 -05:00 · 31b025bd9d
commit 31b025bd9d
parent 1b52c9f0c4
4 changed files with 30 additions and 11 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -235,6 +235,11 @@ exports.handleMessage = async (socket, message) => {
      padID: message.padId,
      token: message.token,
    };
+    const padIds = await readOnlyManager.getIds(thisSession.auth.padID);
+    thisSession.padId = padIds.padId;
+    thisSession.readOnlyPadId = padIds.readOnlyPadId;
+    thisSession.readonly =
+        padIds.readonly || !webaccess.userCanModify(thisSession.auth.padID, socket.client.request);
  }

  const auth = thisSession.auth;
@ -273,6 +278,11 @@ exports.handleMessage = async (socket, message) => {
  // Allow plugins to bypass the readonly message blocker
  const context = {
    message,
+    sessionInfo: {
+      authorId: thisSession.author,
+      padId: thisSession.padId,
+      readOnly: thisSession.readonly,
+    },
    socket,
    get client() {
      padutils.warnDeprecated(
@ -793,12 +803,6 @@ const handleClientReady = async (socket, message) => {
  if (sessionInfo == null) return;
  assert(sessionInfo.author);

-  const padIds = await readOnlyManager.getIds(sessionInfo.auth.padID);
-  sessionInfo.padId = padIds.padId;
-  sessionInfo.readOnlyPadId = padIds.readOnlyPadId;
-  sessionInfo.readonly =
-      padIds.readonly || !webaccess.userCanModify(sessionInfo.auth.padID, socket.client.request);
-
  await hooks.aCallAll('clientReady', message); // Deprecated due to awkward context.

  let {colorId: authorColorId, name: authorName} = message.userInfo || {};
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -36,12 +36,10 @@ exports.userCanModify = (padId, req) => {
  if (readOnlyManager.isReadOnlyId(padId)) return false;
  if (!settings.requireAuthentication) return true;
  const {session: {user} = {}} = req;
-  assert(user); // If authn required and user == null, the request should have already been denied.
-  if (user.readOnly) return false;
+  if (!user || user.readOnly) return false;
  assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
  const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
-  assert(level); // If !level, the request should have already been denied.
-  return level !== 'readOnly';
+  return level && level !== 'readOnly';
 };

 // Exported so that tests can set this to 0 to avoid unnecessary test slowness.