mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 15:36:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Fix read only pad access with authentication

Browse source 
Before this commit, webaccess.checkAccess saved the authorization in
user.padAuthorizations[padId] with padId being the read-only pad ID,
however later stages, e.g. in PadMessageHandler, use the real pad ID for
access checks. This led to authorization being denied.

This commit fixes it by only storing and comparing the real pad IDs and
not read-only pad IDs.

This fixes test case "authn user readonly pad -> 200, ok" in
src/tests/backend/specs/socketio.js.
This commit is contained in:
pcworld 2021-04-11 03:59:52 +02:00 committed by Richard Hansen
parent 0d33793908
commit 3c71e8983b
4 changed files with 28 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/node/handler/PadMessageHandler.js
View file

@ -218,17 +218,9 @@ exports.handleMessage = async (socket, message) => {
return;
}
// check if pad is requested via readOnly
let padId = auth.padID;
if (padId.indexOf('r.') === 0) {
// Pad is readOnly, first get the real Pad ID
padId = await readOnlyManager.getPadId(padId);
}
const {session: {user} = {}} = socket.client.request;
const {accessStatus, authorID} =
await securityManager.checkAccess(padId, auth.sessionID, auth.token, user);
await securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, user);
if (accessStatus !== 'grant') {
// Access denied. Send the reason to the user.
socket.json.send({accessStatus});