There are no guarantees about the order of execution of hook
functions, which means that a plugin's `expressConfigure` hook
function could theoretically register a handler/middleware before the
access check middleware is registered. If that happens, the plugin's
handler would run before the access check, which would be bad. Avoid
the problem by explicitly installing the `webaccess.checkAccess`
middleware before running the `expressConfigure` hook.
This makes core and plugin tests consistent with each other, makes it
possible to `require()` relative paths in spec files, simplifies the
code somewhat, and should make it easier to move away from
require-kernel.
Also:
* Wrap plugin tests inside a `describe()` that contains the plugin
name to make it easier to grep for a plugin's tests and for
consistency with core tests.
* Add "<core>" to the core test descriptions to make it easier to
distinguish them from plugin tests.
Before this commit, webaccess.checkAccess saved the authorization in
user.padAuthorizations[padId] with padId being the read-only pad ID,
however later stages, e.g. in PadMessageHandler, use the real pad ID for
access checks. This led to authorization being denied.
This commit fixes it by only storing and comparing the real pad IDs and
not read-only pad IDs.
This fixes test case "authn user readonly pad -> 200, ok" in
src/tests/backend/specs/socketio.js.
* add more endpoints that do not need a session
* Update src/node/hooks/express/webaccess.js
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
* Update src/node/hooks/express/webaccess.js
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
Co-authored-by: John McLear <john@mclear.co.uk>
Co-authored-by: Richard Hansen <rhansen@rhansen.org>
There are two main benefits:
* HTML is no longer printed in the startup debug logs.
* `require()` is no longer called on client-side files. This
eliminates "Failed to load <file> for <plugin>: ReferenceError:
window is not defined" errors when users visit
`/admin/plugins/info`.
