feature: New user-specific readOnly and canCreate settings (#4370)

Also: * Group the tests for readability. * Factor out some common test setup.
2025-04-22 08:26:16 -04:00 · 2020-09-28 06:22:06 -04:00 · 2020-09-28 06:22:06 -04:00 · bf9d613e95
commit bf9d613e95
parent 7bd5435f50
6 changed files with 260 additions and 155 deletions
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@ -67,8 +67,12 @@ exports.checkAccess = async function(padID, sessionCookie, token, password, user
      authLogger.debug('access denied: authentication is required');
      return DENY;
    }
-    // Check whether the user is authorized. Note that userSettings.padAuthorizations will still be
-    // populated even if settings.requireAuthorization is false.
+
+    // Check whether the user is authorized to create the pad if it doesn't exist.
+    if (userSettings.canCreate != null && !userSettings.canCreate) canCreate = false;
+    if (userSettings.readOnly) canCreate = false;
+    // Note: userSettings.padAuthorizations should still be populated even if
+    // settings.requireAuthorization is false.
    const padAuthzs = userSettings.padAuthorizations || {};
    const level = webaccess.normalizeAuthzLevel(padAuthzs[padID]);
    if (!level) {
--- a/src/node/hooks/express/webaccess.js
+++ b/src/node/hooks/express/webaccess.js
@ -30,6 +30,7 @@ exports.userCanModify = (padId, req) => {
  if (!settings.requireAuthentication) return true;
  const {session: {user} = {}} = req;
  assert(user); // If authn required and user == null, the request should have already been denied.
+  if (user.readOnly) return false;
  assert(user.padAuthorizations); // This is populated even if !settings.requireAuthorization.
  const level = exports.normalizeAuthzLevel(user.padAuthorizations[padId]);
  assert(level); // If !level, the request should have already been denied.