mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-23 00:46:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

security: Check authentication in SecurityManager checkAccess

Browse source 
In addition to providing defense in depth, this change makes it easier
to implement future enhancements such as support for read-only users.
This commit is contained in:
Richard Hansen 2020-09-11 17:12:29 -04:00 committed by John McLear
parent 259b8d891d
commit f9087fabd6
5 changed files with 22 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/node/hooks/express/importexport.js
View file

@ -58,8 +58,9 @@ exports.expressCreateServer = function (hook_name, args, cb) {
return next();
}
const {session: {user} = {}} = req;
const {accessStatus, authorID} = await securityManager.checkAccess(
req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password);
req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, user);
if (accessStatus !== 'grant') return res.status(403).send('Forbidden');
assert(authorID);