PadMessageHandler: Always save the author ID in the session info

Before, the author ID was only saved in the session info during the
initial CLIENT_READY, not when the client sent a CLIENT_READY due to a
reconnect. This caused the handling of subsequent messages to use an
undefined author ID.
Richard Hansen 2020-09-12 23:35:41 -04:00 committed by John McLear
parent 6cde6f5a98
commit 0bb8d73ba2


@ -53,7 +53,7 @@ const rateLimiter = new RateLimiterMemory({
* readonlyPadId = The readonly pad id of the pad
* readonly = Wether the client has only read access (true) or read/write access (false)
* rev = That last revision that was send to this client
* author = the author name of this session
* author = the author ID used for this session
*/
var sessioninfos = {};
exports.sessioninfos = sessioninfos;
@ -219,7 +219,7 @@ exports.handleMessage = async function(client, message)
}
const {session: {user} = {}} = client.client.request;
const {accessStatus} =
const {accessStatus, authorID} =
await securityManager.checkAccess(padId, auth.sessionID, auth.token, auth.password, user);
if (accessStatus !== "grant") {
@ -227,6 +227,19 @@ exports.handleMessage = async function(client, message)
client.json.send({ accessStatus });
return;
}
if (thisSession.author != null && thisSession.author !== authorID) {
messageLogger.warn(
'Rejecting message from client because the author ID changed mid-session.' +
' Bad or missing token or sessionID?' +
` socket:${client.id}` +
` IP:${settings.disableIPlogging ? ANONYMOUS : remoteAddress[client.id]}` +
` originalAuthorID:${thisSession.author}` +
` newAuthorID:${authorID}` +
` message:${message}`);
client.json.send({disconnect: 'rejected'});
return;
}
thisSession.author = authorID;
// Allow plugins to bypass the readonly message blocker
if ((await hooks.aCallAll('handleMessageSecurity', {client, message})).some((w) => w === true)) {
@ -1124,8 +1137,6 @@ async function handleClientReady(client, message)
// Save the current revision in sessioninfos, should be the same as in clientVars
sessionInfo.rev = pad.getHeadRevisionNumber();
sessionInfo.author = authorID;
// prepare the notification for the other users on the pad, that this user joined
let messageToTheOtherUsers = {
"type": "COLLABROOM",
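Review bot: The warning added in handleMessage for a mid-session author change ends with `message:${message}`, which interpolates the whole client message into the log line. If `message` is the parsed message object (it is passed unchanged to the `handleMessageSecurity` hook just below), the template literal renders it as `[object Object]`, so the field has no diagnostic value. Serialising it instead would put client-controlled content into the log, possibly including the token, sessionID or password that this handler forwards to `checkAccess`. A bounded field such as `messageType:${message.type}` would be safer, assuming the message carries a `type` property, which should be confirmed. handleMessage starts and ends outside the visible hunks.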