mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-21 16:06:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

PadMessageHandler: Pass session info to handleMessageSecurity hook

Browse source
This commit is contained in:
Richard Hansen 2021-12-07 02:30:08 -05:00
parent 1b52c9f0c4
commit 31b025bd9d
4 changed files with 30 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/node/hooks/express/webaccess.js
View file

@ -36,12 +36,10 @@ exports.userCanModify = (padId, req) => {
if (readOnlyManager.isReadOnlyId(padId)) return false;
if (!settings.requireAuthentication) return true;
const {session: {user} = {}} = req;
assert(user); // If authn required and user == null, the request should have already been denied.
if (user.readOnly) return false;
if (!user || user.readOnly) return false;
assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
assert(level); // If !level, the request should have already been denied.
return level !== 'readOnly';
return level && level !== 'readOnly';
};
// Exported so that tests can set this to 0 to avoid unnecessary test slowness.