mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-21 16:06:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

import: Replace the allowAnyoneToImport check with userCanModify

Browse source 
This reduces the number of hoops a user or tool must jump through to
import.
This commit is contained in:
Richard Hansen 2020-10-01 15:49:04 -04:00 committed by John McLear
parent 831528e8bc
commit a8cf434d1d
11 changed files with 143 additions and 109 deletions
Download patch file Download diff file Expand all files Collapse all files

34
src/node/hooks/express/importexport.js
View file

@ -8,6 +8,7 @@ var readOnlyManager = require("../../db/ReadOnlyManager");
var authorManager = require("../../db/AuthorManager");
const rateLimit = require("express-rate-limit");
const securityManager = require("../../db/SecurityManager");
const webaccess = require("./webaccess");
settings.importExportRateLimiting.onLimitReached = function(req, res, options) {
// when the rate limiter triggers, write a warning in the logs
@ -63,36 +64,11 @@ exports.expressCreateServer = function (hook_name, args, cb) {
args.app.use('/p/:pad/import', limiter);
args.app.post('/p/:pad/import', async function(req, res, next) {
const {session: {user} = {}} = req;
const {accessStatus, authorID} = await securityManager.checkAccess(
const {accessStatus} = await securityManager.checkAccess(
req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, user);
if (accessStatus !== 'grant') return res.status(403).send('Forbidden');
assert(authorID);
/*
* Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
* only if a user has his browser opened and connected to the pad (i.e. a
* Socket.IO session is estabilished for him) and he has already
* contributed to that specific pad.
*
* Note that this does not have anything to do with the "session", used
* for logging into "group pads". That kind of session is not needed here.
*
* This behaviour does not apply to API requests, only to /p/$PAD$/import
*
* See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
*/
if (!settings.allowAnyoneToImport) {
const authorsPads = await authorManager.listPadsOfAuthor(authorID);
if (!authorsPads) {
console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to any pad`);
return next();
}
if (authorsPads.padIDs.indexOf(req.params.pad) === -1) {
console.warn(`Unable to import file into "${req.params.pad}". Author "${authorID}" exists but he never contributed to this pad`);
return next();
}
if (accessStatus !== 'grant' || !webaccess.userCanModify(req.params.pad, req)) {
return res.status(403).send('Forbidden');
}
importHandler.doImport(req, res, req.params.pad);
await importHandler.doImport(req, res, req.params.pad);
});
}