db/SecurityManager.js: accessing without session a public group pad no longer causes a crash

Steps to reproduce (via HTTP API): 1. create a group via createGroup() 2. create a group pad inside that group via createGroupPad() 3. make that pad public calling setPublicStatus(true) 4. access the pad via a clean web browser (with no sessions) 5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist This was due to an overlook in 769933786c: "apierror: sessionID does not exist" may be a legal condition if we are also visiting a public pad. The function that could throw that error was sessionManager.getSessionInfo(), and thus it needed to be inside the try...catch block. Please note that calling getText() on the pad always return the pad contents, *even for non-public pads*, because the API bypasses the security checks and directly talks to the DB layer. Fixes #3600.
2019-12-26 00:30:43 +01:00 · 2019-12-26 00:30:43 +01:00 · 3b24c97d1e
commit 3b24c97d1e
parent 0b3cf7cc96
1 changed files with 13 additions and 13 deletions
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@ -99,13 +99,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
    let sessionIDs = sessionCookie.split(',');

    // was previously iterated in parallel using async.forEach
-    let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
-      return sessionManager.getSessionInfo(sessionID);
-    }));
+    try {
+      let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
+        return sessionManager.getSessionInfo(sessionID);
+      }));

-    // seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
-    for (let sessionInfo of sessionInfos) {
-      try {
+      // seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
+      for (let sessionInfo of sessionInfos) {
        // is it for this group?
        if (sessionInfo.groupID != groupID) {
          authLogger.debug("Auth failed: wrong group");
@ -123,13 +123,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
        validSession = true;
        sessionAuthor = sessionInfo.authorID;
        break;
-      } catch (err) {
-        // skip session if it doesn't exist
-        if (err.message == "sessionID does not exist") {
-          authLogger.debug("Auth failed: unknown session");
-        } else {
-          throw err;
-        }
+      }
+    } catch (err) {
+      // skip session if it doesn't exist
+      if (err.message == "sessionID does not exist") {
+        authLogger.debug("Auth failed: unknown session");
+      } else {
+        throw err;
      }
    }
  }