security: Check authentication in SecurityManager checkAccess

In addition to providing defense in depth, this change makes it easier to implement future enhancements such as support for read-only users.
2025-04-20 15:36:16 -04:00 · 2020-09-11 17:12:29 -04:00 · 2020-09-11 17:12:29 -04:00 · f9087fabd6
commit f9087fabd6
parent 259b8d891d
5 changed files with 22 additions and 6 deletions
--- a/src/node/handler/SocketIORouter.js
+++ b/src/node/handler/SocketIORouter.js
@ -97,7 +97,9 @@ exports.setSocketIO = function(_socket) {
            padId = await readOnlyManager.getPadId(message.padId);
          }

-          let { accessStatus } = await securityManager.checkAccess(padId, message.sessionID, message.token, message.password);
+          const {session: {user} = {}} = client.client.request;
+          const {accessStatus} = await securityManager.checkAccess(
+              padId, message.sessionID, message.token, message.password, user);

          if (accessStatus === "grant") {
            // access was granted, mark the client as authorized and handle the message