mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-23 00:46:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
etherpad-lite/src/node
History
Richard Hansen 1bb44098df PadMessageHandler: Move handleMessage hooks after access check 
Move the handleMessageSecurity and handleMessage hooks after the call
to securityManager.checkAccess.

Benefits:

  * A handleMessage plugin can safely assume the message will be
    handled unless the plugin itself drops the message, so it doesn't
    need to repeat the access checks done by the `handleMessage`
    function.
  * This paves the way for a future enhancement: pass the author ID to
    the hooks.

Note: The handleMessageSecurity hook is broken in several ways:

  * The hook result is ignored for `CLIENT_READY` and `SWITCH_TO_PAD`
    messages because the `handleClientReady` function overwrites the
    hook result. This causes the client to receive client vars with
    `readonly` set to true, which causes the client to display an
    immutable pad even though the pad is technically writable.
  * The formatting toolbar buttons are removed for read-only pads
    before the handleMessageSecurity hook even runs.
  * It is awkwardly named: Without reading the documentation, how is
    one supposed to know that "handle message security" actually means
    "grant one-time write access to a read-only pad"?
  * It is called for every message even though calls after a
    `CLIENT_READY` or `SWITCH_TO_PAD` are mostly pointless.
  * Why would anyone want to grant write access when the user visits a
    read-only pad URL? The user should just visit the writable pad URL
    instead.
  * Why would anyone want to grant write access that only lasts for a
    single socket.io connection?
  * There are better ways to temporarily grant write access (e.g., the
    authorize hook).
  * This hook is inviting bugs because it breaks a core assumption
    about `/p/r.*` URLs.

I think the hook should be deprecated and eventually removed.
2020-09-23 08:26:47 +01:00
..
db async-ify more functions, and await completion 2020-09-22 14:10:44 +01:00
eejs pluginfw/performance: Dont cache if max age is 0 (#4098) 2020-06-08 17:21:55 +01:00
handler PadMessageHandler: Move handleMessage hooks after access check 2020-09-23 08:26:47 +01:00
hooks Refactor startup/shutdown for tests 2020-09-22 11:07:21 +01:00
utils async-ify more functions, and await completion 2020-09-22 14:10:44 +01:00
easysync_tests.js Revert "51c14d9947 changed the return value of" 2015-02-16 06:22:49 +01:00
padaccess.js security: Check authentication in SecurityManager checkAccess 2020-09-15 10:43:23 +01:00
README.md minor typo fix 2019-08-08 21:58:30 +02:00
server.js Refactor startup/shutdown for tests 2020-09-22 11:07:21 +01:00
stats.js Refactor startup/shutdown for tests 2020-09-22 11:07:21 +01:00

README.md

About the folder structure

  • db - all modules that are accessing the data structure and are communicating directly to the database
  • handler - all modules that respond directly to requests/messages of the browser
  • utils - helper modules

Module name conventions

Module file names start with a capital letter and uses camelCase

Where does it start?

server.js is started directly