mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-04-24 17:36:14 -04:00
6c2a361935
There are two different ways an author ID becomes associated with a
user: either bound to a token or bound to a session ID. (The token and
session ID come from the `token` and `sessionID` cookies, or, in the
case of socket.io messages, from the `token` and `sessionID` message
properties.) When `settings.requireSession` is true or the user is
accessing a group pad, the session ID should be used. Otherwise the
token should be used.
Before this change, the `/p/:pad/import` handler was always using the
token, even when `settings.requireSession` was true. This caused the
following error because a different author ID was bound to the token
versus the session ID:
> Unable to import file into ${pad}. Author ${authorID} exists but he
> never contributed to this pad
This bug was reported in issue #4006. PR #4012 worked around the
problem by binding the same author ID to the token as well as the
session ID.
This change does the following:
* Modifies the import handler to use the session ID to obtain the
author ID (when appropriate).
* Expands the documentation for the SecurityManager checkAccess
function.
* Removes the workaround from PR #4012.
* Cleans up the `bin/createUserSession.js` test script.
|
||
|---|---|---|
| .. | ||
| admin.js | ||
| adminplugins.js | ||
| adminsettings.js | ||
| apicalls.js | ||
| errorhandling.js | ||
| importexport.js | ||
| isValidJSONPName.js | ||
| openapi.js | ||
| padreadonly.js | ||
| padurlsanitize.js | ||
| socketio.js | ||
| specialpages.js | ||
| static.js | ||
| tests.js | ||
| webaccess.js | ||