import: Replace the allowAnyoneToImport check with userCanModify

This reduces the number of hoops a user or tool must jump through to import.
2025-04-23 00:46:16 -04:00 · 2020-10-01 15:49:04 -04:00 · 2020-10-01 15:49:04 -04:00 · a8cf434d1d
commit a8cf434d1d
parent 831528e8bc
11 changed files with 143 additions and 109 deletions
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@ -942,16 +942,6 @@ async function handleClientReady(client, message, authorID)
    });
  }));

-  let thisUserHasEditedThisPad = false;
-  if (historicalAuthorData[authorID]) {
-    /*
-     * This flag is set to true when a user contributes to a specific pad for
-     * the first time. It is used for deciding if importing to that pad is
-     * allowed or not.
-     */
-    thisUserHasEditedThisPad = true;
-  }
-
  // glue the clientVars together, send them and tell the other clients that a new one is there

  // Check that the client is still here. It might have disconnected between callbacks.
@ -1135,8 +1125,6 @@ async function handleClientReady(client, message, authorID)
        "percentageToScrollWhenUserPressesArrowUp": settings.scrollWhenFocusLineIsOutOfViewport.percentageToScrollWhenUserPressesArrowUp,
      },
      "initialChangesets": [], // FIXME: REMOVE THIS SHIT
-      "thisUserHasEditedThisPad": thisUserHasEditedThisPad,
-      "allowAnyoneToImport": settings.allowAnyoneToImport
    }

    // Add a username to the clientVars if one avaiable
--- a/src/node/hooks/express/importexport.js
+++ b/src/node/hooks/express/importexport.js
@ -8,6 +8,7 @@ var readOnlyManager = require("../../db/ReadOnlyManager");
 var authorManager = require("../../db/AuthorManager");
 const rateLimit = require("express-rate-limit");
 const securityManager = require("../../db/SecurityManager");
+const webaccess = require("./webaccess");

 settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
  // when the rate limiter triggers, write a warning in the logs
@ -63,36 +64,11 @@ exports.expressCreateServer = function (hook_name, args, cb) {
  args.app.use('/p/:pad/import', limiter);
  args.app.post('/p/:pad/import', async function(req, res, next) {
    const {session: {user} = {}} = req;
-    const {accessStatus, authorID} = await securityManager.checkAccess(
+    const {accessStatus} = await securityManager.checkAccess(
        req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, user);
-    if (accessStatus !== 'grant') return res.status(403).send('Forbidden');
-    assert(authorID);
-
-    /*
-     * Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
-     * only if a user has his browser opened and connected to the pad (i.e. a
-     * Socket.IO session is estabilished for him) and he has already
-     * contributed to that specific pad.
-     *
-     * Note that this does not have anything to do with the "session", used
-     * for logging into "group pads". That kind of session is not needed here.
-     *
-     * This behaviour does not apply to API requests, only to /p/$PAD$/import
-     *
-     * See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
-     */
-    if (!settings.allowAnyoneToImport) {
-      const authorsPads = await authorManager.listPadsOfAuthor(authorID);
-      if (!authorsPads) {
-        console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to any pad`);
-        return next();
-      }
-      if (authorsPads.padIDs.indexOf(req.params.pad) === -1) {
-        console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to this pad`);
-        return next();
-      }
+    if (accessStatus !== 'grant' || !webaccess.userCanModify(req.params.pad, req)) {
+      return res.status(403).send('Forbidden');
    }
-
-    importHandler.doImport(req, res, req.params.pad);
+    await importHandler.doImport(req, res, req.params.pad);
  });
 }
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@ -385,20 +385,6 @@ exports.commitRateLimiting = {
 */
 exports.importMaxFileSize = 50 * 1024 * 1024;

-
-/*
- * From Etherpad 1.8.3 onwards import was restricted to authors who had
- * content within the pad.
- *
- * This setting will override that restriction and allow any user to import
- * without the requirement to add content to a pad.
- *
- * This setting is useful for when you use a plugin for authentication so you
- * can already trust each user.
- */
-exports.allowAnyoneToImport = false,
-
-
 // checks if abiword is avaiable
 exports.abiwordAvailable = function()
 {