etherpad-lite/src/static/js
Richard Hansen 304318b618 webaccess: Move pre-authn authz check to a separate hook
Before this change, the authorize hook was invoked twice: once before
authentication and again after (if settings.requireAuthorization is
true). Now pre-authentication authorization is instead handled by a
new preAuthorize hook, and the authorize hook is only invoked after
the user has authenticated.

Rationale: Without this change it is too easy to write an
authorization plugin that is too permissive. Specifically:

  * If the plugin does not check the path for /admin then a non-admin
    user might be able to access /admin pages.
  * If the plugin assumes that the user has already been authenticated
    by the time the authorize function is called then unauthenticated
    users might be able to gain access to restricted resources.

This change also avoids calling the plugin's authorize function twice
per access, which makes it easier for plugin authors to write an
authorization plugin that is easy to understand.

This change may break existing authorization plugins: After this
change, the authorize hook will no longer be able to authorize
non-admin access to /admin pages. This is intentional. Access to admin
pages should instead be controlled via the `is_admin` user setting,
which can be set in the config file or by an authentication plugin.

Also:
  * Add tests for the authenticate and authorize hooks.
  * Disable the authentication failure delay when testing.
2020-09-27 21:19:58 +01:00
admin Remove trailing whitespaces 2019-04-16 00:34:29 +02:00
pluginfw webaccess: Move pre-authn authz check to a separate hook 2020-09-27 21:19:58 +01:00
vendors css: style select with nice-select library 2020-04-19 03:03:44 +02:00
ace.js plugins: Move plugin definitions to avoid monkey patching 2020-09-08 00:50:24 +01:00
ace2_common.js Moved old jquery recognition to separate file 2013-02-10 20:34:27 +00:00
ace2_inner.js editor/performance: Fix performance for large pads (#4267) 2020-09-08 14:52:26 +01:00
AttributeManager.js [fix] Ignore default line attribs when detecting edges of changeset (#3420) 2018-07-09 17:44:38 -03:00
AttributePool.js Remove trailing whitespaces 2019-04-16 00:34:29 +02:00
broadcast.js tests / bugfix: Timeslider Chrome 55 Further scroll fix (#4186) 2020-07-20 14:14:02 +01:00
broadcast_revisions.js Remove trailing whitespaces 2019-04-16 00:34:29 +02:00
broadcast_slider.js Various UI improvement (#4017) 2020-06-02 10:25:43 +01:00
browser.js Update the bowser.js to the new version 2015-12-01 11:53:49 -03:00
caretPosition.js Add settings to scroll on edition out of viewport (#3282) 2018-01-03 19:57:28 -02:00
Changeset.js changeset.js: do not lose sync in the timeslider if another user deletes text 2020-04-27 02:12:17 +02:00
changesettracker.js Remove trailing whitespaces 2019-04-16 00:34:29 +02:00
ChangesetUtils.js added AttributeManager, ChangesetUtils 2012-04-05 00:50:04 +02:00
chat.js Tests: ShowChat fix (#4049) 2020-05-28 15:18:13 +01:00
collab_client.js fixes jQuery.Deferred exception as reported in #4132 (#4158) 2020-07-10 15:28:32 +01:00
colorutils.js colibris: fix coloring text when authorship background color is activated #3641 2020-04-19 03:03:44 +02:00
contentcollector.js tests/editor/ul/li/ol/import/export: Introduce contentcollector.js tests & various OL/UL/LI related bugfixes 2020-06-05 20:54:16 +01:00
cssmanager.js allow cssmanager to manage outer_ace 2013-06-15 01:38:46 +08:00
domline.js referer: change referrer policy. Stop sending referers as much as possible 2019-11-25 00:05:40 +01:00
excanvas.js The Big Renaming - etherpad is now an NPM module 2012-02-26 13:07:51 +01:00
farbtastic.js css: minor improvements 2020-04-19 03:03:44 +02:00
gritter.js css: improve gritters 2020-04-19 03:03:44 +02:00
html10n.js html10n: do a lax match between the Accept-Language header and available locales 2020-04-26 03:07:01 +02:00
jquery.js stalecode: jQuery 3 (#3903) 2020-06-07 12:01:14 +01:00
l10n.js Remove trailing whitespaces 2019-04-16 00:34:29 +02:00
linestylefilter.js tests/editor/ul/li/ol/import/export: Introduce contentcollector.js tests & various OL/UL/LI related bugfixes 2020-06-05 20:54:16 +01:00
pad.js pad: Revert back to sending CLIENT_READY on reconnect 2020-09-26 18:32:04 +01:00
pad_automatic_reconnect.js [feature] Only automatically reconnect if can establish connection to server 2017-04-05 15:07:37 -03:00
pad_connectionstatus.js Add a new 'rejected' disconnect reason 2020-09-22 14:09:07 +01:00
pad_cookie.js Same site cookie fix - Ready for testing / merge (#3990) 2020-07-10 08:43:20 +01:00
pad_editbar.js css: Improve toolbar responsiveness for small screen (#4322) 2020-09-19 19:09:30 +01:00
pad_editor.js ui: change a bit the architecture of sidediv line number 2020-05-03 22:36:14 +02:00
pad_impexp.js Don't use jquery in import handler (#4153) 2020-07-08 14:50:48 +01:00
pad_modals.js css: fix toolbar overlay so it cover only toolbar and not the whole screen 2020-04-19 03:03:44 +02:00
pad_savedrevs.js css: improve gritters 2020-04-19 03:03:44 +02:00
pad_userlist.js tests: Embed test fix (#4020) 2020-05-27 16:54:20 +01:00
pad_utils.js Same site cookie fix - Ready for testing / merge (#3990) 2020-07-10 08:43:20 +01:00
rjquery.js jQuery: update vendored version (1.9.1 -> 1.12.4) 2019-09-16 22:55:53 +02:00
scroll.js scroll: replace absolute import with relative one 2020-04-09 21:09:40 +02:00
security.js Use packaged edition of security module. 2012-09-09 18:18:59 -07:00
skin_variants.js skin builder: add comma at the end of the generated code 2020-04-22 22:02:25 +02:00
skiplist.js Remove trailing whitespaces 2019-04-16 00:34:29 +02:00
timeslider.js remove json2, all supported browsers have JSON now (#4198) 2020-07-28 00:52:25 +01:00
underscore.js Use packaged edition of underscore. 2012-09-09 18:18:59 -07:00
undomodule.js undomodule: disallow undoing "clear authorship colors" 2020-04-08 15:20:37 +02:00