mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-23 00:46:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

webaccess: Skip checks if next is called in preAuthenticate

Browse source
This commit is contained in:
Richard Hansen 2021-12-18 00:55:20 -05:00
parent fc498f0ae6
commit 472eddc821
2 changed files with 18 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

15
src/tests/backend/specs/webaccess.js
View file

@ -135,7 +135,7 @@ describe(__filename, function () {
assert(!this.called);
this.called = true;
callOrder.push(this.id);
return cb(this.innerHandle(context.req));
return cb(this.innerHandle(context));
}
};
const handlers = {};
@ -179,6 +179,13 @@ describe(__filename, function () {
await agent.get('/').expect(403);
assert.deepEqual(callOrder, ['preAuthorize_0']);
});
it('bypasses authenticate and authorize hooks when next is called', async function () {
settings.requireAuthentication = true;
settings.requireAuthorization = true;
handlers.preAuthorize[0].innerHandle = ({next}) => next();
await agent.get('/').expect(200);
assert.deepEqual(callOrder, ['preAuthorize_0']);
});
it('bypasses authenticate and authorize hooks for static content, defers', async function () {
settings.requireAuthentication = true;
settings.requireAuthorization = true;
@ -251,13 +258,13 @@ describe(__filename, function () {
'authenticate_1']);
});
it('does not defer if return [true], 200', async function () {
handlers.authenticate[0].innerHandle = (req) => { req.session.user = {}; return [true]; };
handlers.authenticate[0].innerHandle = ({req}) => { req.session.user = {}; return [true]; };
await agent.get('/').expect(200);
// Note: authenticate_1 was not called because authenticate_0 handled it.
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']);
});
it('does not defer if return [false], 401', async function () {
handlers.authenticate[0].innerHandle = (req) => [false];
handlers.authenticate[0].innerHandle = () => [false];
await agent.get('/').expect(401);
// Note: authenticate_1 was not called because authenticate_0 handled it.
assert.deepEqual(callOrder, ['preAuthorize_0', 'preAuthorize_1', 'authenticate_0']);
@ -355,7 +362,7 @@ describe(__filename, function () {
'authorize_0']);
});
it('does not defer if return [false], 403', async function () {
handlers.authorize[0].innerHandle = (req) => [false];
handlers.authorize[0].innerHandle = () => [false];
await agent.get('/').auth('user', 'user-password').expect(403);
// Note: authorize_1 was not called because authorize_0 handled it.
assert.deepEqual(callOrder, ['preAuthorize_0',