mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-04-20 15:36:16 -04:00
webaccess: Check for read-only pad ID in userCanModify
This currently isn't absolutely necessary because all current callers of `userCanModify` already check for a read-only pad ID themselves. However: * This adds defense in depth. * This makes it possible to simply replace the import handler's `allowAnyoneToImport` check with a call to `userCanModify`.
parent
9a6f286441
commit
f4eae40c6b
1 changed files with 2 additions and 0 deletions
|
@ -3,6 +3,7 @@ const log4js = require('log4js');
|
||||||
const httpLogger = log4js.getLogger('http');
|
const httpLogger = log4js.getLogger('http');
|
||||||
const settings = require('../../utils/Settings');
|
const settings = require('../../utils/Settings');
|
||||||
const hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
|
const hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
|
||||||
|
const readOnlyManager = require('../../db/ReadOnlyManager');
|
||||||
|
|
||||||
hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead';
|
hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead';
|
||||||
|
|
||||||
|
@ -31,6 +32,7 @@ exports.normalizeAuthzLevel = (level) => {
|
||||||
};
|
};
|
||||||
|
|
||||||
exports.userCanModify = (padId, req) => {
|
exports.userCanModify = (padId, req) => {
|
||||||
|
if (readOnlyManager.isReadOnlyId(padId)) return false;
|
||||||
if (!settings.requireAuthentication) return true;
|
if (!settings.requireAuthentication) return true;
|
||||||
const {session: {user} = {}} = req;
|
const {session: {user} = {}} = req;
|
||||||
assert(user); // If authn required and user == null, the request should have already been denied.
|
assert(user); // If authn required and user == null, the request should have already been denied.
|
||||||
|
|
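Review bot: The new guard at the top of `userCanModify` only helps if callers pass the pad ID exactly as the client sent it. A caller that first resolves a read-only ID to the underlying pad ID would skip the `isReadOnlyId` check and reach `return true` whenever `settings.requireAuthentication` is off. Since the description anticipates replacing the import handler's `allowAnyoneToImport` check with this function, I would state that contract above the function, e.g. `// padId must be the ID as received from the client (possibly a read-only ID), not the resolved pad ID.` A unit test that calls `userCanModify` with a read-only ID, once with `requireAuthentication` off and once with it on, would pin the behaviour. The function body continues past the end of the hunk, so the rest of the authorization logic is not visible here.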