mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 08:26:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

Fix read only pad access with authentication

Browse source 
Before this commit, webaccess.checkAccess saved the authorization in
user.padAuthorizations[padId] with padId being the read-only pad ID,
however later stages, e.g. in PadMessageHandler, use the real pad ID for
access checks. This led to authorization being denied.

This commit fixes it by only storing and comparing the real pad IDs and
not read-only pad IDs.

This fixes test case "authn user readonly pad -> 200, ok" in
src/tests/backend/specs/socketio.js.
This commit is contained in:
pcworld 2021-04-11 03:59:52 +02:00 committed by Richard Hansen
parent 0d33793908
commit 3c71e8983b
4 changed files with 28 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

6
doc/api/hooks_server-side.md
View file

@ -156,11 +156,13 @@ Called from: src/node/db/SecurityManager.js
Things in context:
1. padID - the pad the user wants to access
1. padID - the real ID (never the read-only ID) of the pad the user wants to
access
2. token - the token of the author
3. sessionCookie - the session the use has
This hook gets called when the access to the concrete pad is being checked. Return `false` to deny access.
This hook gets called when the access to the concrete pad is being checked.
Return `false` to deny access.
## padCreate
Called from: src/node/db/Pad.js