libretic/etherpad-lite
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

webaccess: Check for read-only pad ID in userCanModify

Browse source 
This currently isn't absolutely necessary because all current callers
of `userCanModify` already check for a read-only pad ID themselves.
However:

  * This adds defense in depth.
  * This makes it possible to simply replace the import handler's
    `allowAnyoneToImport` check with a call to `userCanModify`.
This commit is contained in:
Richard Hansen 2020-10-01 15:44:24 -04:00 committed by John McLear
parent 9a6f286441
commit f4eae40c6b
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/node/hooks/express/webaccess.js
View file

@ -3,6 +3,7 @@ const log4js = require('log4js');
const httpLogger = log4js.getLogger('http');
const settings = require('../../utils/Settings');
const hooks = require('ep_etherpad-lite/static/js/pluginfw/hooks');
const readOnlyManager = require('../../db/ReadOnlyManager');
hooks.deprecationNotices.authFailure = 'use the authnFailure and authzFailure hooks instead';
@ -31,6 +32,7 @@ exports.normalizeAuthzLevel = (level) => {
};
exports.userCanModify = (padId, req) => {
if (readOnlyManager.isReadOnlyId(padId)) return false;
if (!settings.requireAuthentication) return true;
const {session: {user} = {}} = req;
assert(user); // If authn required and user == null, the request should have already been denied.