Fix read only pad access with authentication

Before this commit, webaccess.checkAccess saved the authorization in
user.padAuthorizations[padId] with padId being the read-only pad ID,
however later stages, e.g. in PadMessageHandler, use the real pad ID for
access checks. This led to authorization being denied.

This commit fixes it by only storing and comparing the real pad IDs and
not read-only pad IDs.

This fixes test case "authn user readonly pad -> 200, ok" in
src/tests/backend/specs/socketio.js.
pcworld 2021-04-11 03:59:52 +02:00 committed by Richard Hansen
parent 0d33793908
commit 3c71e8983b
4 changed files with 28 additions and 19 deletions


@ -22,6 +22,7 @@
const authorManager = require('./AuthorManager');
const hooks = require('../../static/js/pluginfw/hooks.js');
const padManager = require('./PadManager');
const readOnlyManager = require('./ReadOnlyManager');
const sessionManager = require('./SessionManager');
const settings = require('../utils/Settings');
const webaccess = require('../hooks/express/webaccess');
@ -56,6 +57,15 @@ exports.checkAccess = async (padID, sessionCookie, token, userSettings) => {
let canCreate = !settings.editOnly;
if (readOnlyManager.isReadOnlyId(padID)) {
canCreate = false;
padID = await readOnlyManager.getPadId(padID);
if (padID == null) {
authLogger.debug('access denied: read-only pad ID for a pad that does not exist');
return DENY;
}
}
// Authentication and authorization checks.
if (settings.loadTest) {
console.warn(