security: Check authentication in SecurityManager checkAccess

In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
Richard Hansen 2020-09-11 17:12:29 -04:00 committed by John McLear
parent 259b8d891d
commit f9087fabd6
5 changed files with 22 additions and 6 deletions


@ -289,7 +289,9 @@ exports.handleMessage = async function(client, message)
padId = await readOnlyManager.getPadId(padId);
}
let { accessStatus } = await securityManager.checkAccess(padId, auth.sessionID, auth.token, auth.password);
const {session: {user} = {}} = client.client.request;
const {accessStatus} =
await securityManager.checkAccess(padId, auth.sessionID, auth.token, auth.password, user);
if (accessStatus !== "grant") {
// no access, send the client a message that tells him why
@ -896,8 +898,9 @@ async function handleClientReady(client, message)
let padIds = await readOnlyManager.getIds(message.padId);
// FIXME: Allow to override readwrite access with readonly
const {session: {user} = {}} = client.client.request;
const {accessStatus, authorID} = await securityManager.checkAccess(
padIds.padId, message.sessionID, message.token, message.password);
padIds.padId, message.sessionID, message.token, message.password, user);
// no access, send the client a message that tells him why
if (accessStatus !== "grant") {
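Review bot: In both hunks, `const {session: {user} = {}} = client.client.request;` silently turns a missing session into `user === undefined`, so the added argument only gives defense in depth if `checkAccess` denies an undefined user whenever authentication is required. That function is not in this file section, so the fail-closed behaviour should be confirmed there. The destructuring default covers only `undefined`, so a `null` session would throw at this line rather than produce a denial message for the client. `request.session` presumably holds the state captured at socket handshake time, so a login that ends later may still be passed as `user` on every message; a comment such as `// user is taken from the handshake session; checkAccess must deny when it is undefined and authentication is required` would record the assumption. Both enclosing functions begin and end outside the hunks shown.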