diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js index 4289e39ca..06e58bc4b 100644 --- a/src/node/db/SecurityManager.js +++ b/src/node/db/SecurityManager.js @@ -27,6 +27,8 @@ var padManager = require("./PadManager"); var sessionManager = require("./SessionManager"); var settings = require("../utils/Settings"); var randomString = require('ep_etherpad-lite/static/js/pad_utils').randomString; +var log4js = require('log4js'); +var authLogger = log4js.getLogger("auth"); /** * This function controlls the access to a pad, it checks if the user can access a pad. @@ -117,29 +119,41 @@ exports.checkAccess = function (padID, sessionCookie, token, password, callback) //get information about all sessions contained in this cookie function(callback) { - if (!sessionCookie) { + if (!sessionCookie) + { callback(); return; } var sessionIDs = sessionCookie.split(','); - async.forEach(sessionIDs, function(sessionID, callback) { - sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) { + async.forEach(sessionIDs, function(sessionID, callback) + { + sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) + { //skip session if it doesn't exist - if(err && err.message == "sessionID does not exist") return; + if(err && err.message == "sessionID does not exist") + { + authLogger.debug("Auth failed: unknown session"); + callback(); + return; + } if(ERR(err, callback)) return; var now = Math.floor(new Date().getTime()/1000); //is it for this group? - if(sessionInfo.groupID != groupID) { + if(sessionInfo.groupID != groupID) + { + authLogger.debug("Auth failed: wrong group"); callback(); return; } //is validUntil still ok? - if(sessionInfo.validUntil <= now){ + if(sessionInfo.validUntil <= now) + { + authLogger.debug("Auth failed: validUntil"); callback(); return; } @@ -234,7 +248,11 @@ exports.checkAccess = function (padID, sessionCookie, token, password, callback) //--> grant access statusObject = {accessStatus: "grant", authorID: sessionAuthor}; //--> deny access if user isn't allowed to create the pad - if(settings.editOnly) statusObject.accessStatus = "deny"; + if(settings.editOnly) + { + authLogger.debug("Auth failed: valid session & pad does not exist"); + statusObject.accessStatus = "deny"; + } } // there is no valid session avaiable AND pad exists else if(!validSession && padExists) @@ -266,6 +284,7 @@ exports.checkAccess = function (padID, sessionCookie, token, password, callback) //- its not public else if(!isPublic) { + authLogger.debug("Auth failed: invalid session & pad is not public"); //--> deny access statusObject = {accessStatus: "deny"}; } @@ -277,6 +296,7 @@ exports.checkAccess = function (padID, sessionCookie, token, password, callback) // there is no valid session avaiable AND pad doesn't exists else { + authLogger.debug("Auth failed: invalid session & pad does not exist"); //--> deny access statusObject = {accessStatus: "deny"}; } diff --git a/src/static/js/pad.js b/src/static/js/pad.js index e5e6e95f3..5cc02d87e 100644 --- a/src/static/js/pad.js +++ b/src/static/js/pad.js @@ -191,7 +191,7 @@ function handshake() createCookie("token", token, 60); } - var sessionID = readCookie("sessionID"); + var sessionID = decodeURIComponent(readCookie("sessionID")); var password = readCookie("password"); var msg = { diff --git a/src/static/js/timeslider.js b/src/static/js/timeslider.js index eb3703d9f..cd98deadd 100644 --- a/src/static/js/timeslider.js +++ b/src/static/js/timeslider.js @@ -116,7 +116,7 @@ function init() { //sends a message over the socket function sendSocketMsg(type, data) { - var sessionID = readCookie("sessionID"); + var sessionID = decodeURIComponent(readCookie("sessionID")); var password = readCookie("password"); var msg = { "component" : "pad", // FIXME: Remove this stupidity!