mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 08:26:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

webaccess: Skip checks if next is called in preAuthenticate

Browse source
This commit is contained in:
Richard Hansen 2021-12-18 00:55:20 -05:00
parent fc498f0ae6
commit 472eddc821
2 changed files with 18 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/node/hooks/express/webaccess.js
View file

@ -106,18 +106,22 @@ const checkAccess = async (req, res, next) => {
// ///////////////////////////////////////////////////////////////////////////////////////////////
let results;
let skip = false;
const preAuthorizeNext = (...args) => { skip = true; next(...args); };
try {
results = await aCallFirst('preAuthorize', {req, res, next},
results = await aCallFirst('preAuthorize', {req, res, next: preAuthorizeNext},
// This predicate will cause aCallFirst to call the hook functions one at a time until one
// of them returns a non-empty list, with an exception: If the request is for an /admin
// page, truthy entries are filtered out before checking to see whether the list is empty.
// This prevents plugin authors from accidentally granting admin privileges to the general
// public.
(r) => (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0));
(r) => (skip || (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0)));
} catch (err) {
httpLogger.error(`Error in preAuthorize hook: ${err.stack || err.toString()}`);
return res.status(500).send('Internal Server Error');
if (!skip) res.status(500).send('Internal Server Error');
return;
}
if (skip) return;
if (staticPathsRE.test(req.path)) results.push(true);
if (requireAdmin) {
// Filter out all 'true' entries to prevent plugin authors from accidentally granting admin