pad.libre-service.eu-etherpad/src/node/padaccess.js

'use strict';
const securityManager = require('./db/SecurityManager');

// checks for padAccess
module.exports = async function (req, res) {
  try {
    const {session: {user} = {}} = req;
    const accessObj = await securityManager.checkAccess(
        req.params.pad, req.cookies.sessionID, req.cookies.token, user);

    if (accessObj.accessStatus === 'grant') {
      // there is access, continue
      return true;
    } else {
      // no access
      res.status(403).send("403 - Can't touch this");
      return false;
    }
  } catch (err) {
    // @TODO - send internal server error here?
    throw err;
  }
};
lint: src/node/padaccess.js 2021-01-21 22:06:52 +01:00			`'use strict';`
lint: Run `eslint --fix` on `src/` 2020-11-23 19:24:19 +01:00			`const securityManager = require('./db/SecurityManager');`
Moved padreadonly 2012-02-25 00:15:57 +01:00
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// checks for padAccess`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`module.exports = async function (req, res) {`
			`try {`
security: Check authentication in SecurityManager checkAccess In addition to providing defense in depth, this change makes it easier to implement future enhancements such as support for read-only users. 2020-09-11 23:12:29 +02:00			`const {session: {user} = {}} = req;`
			`const accessObj = await securityManager.checkAccess(`
Security: FEATURE REMOVAL: Remove all plain text password logic and ui (#4178) This will be a breaking change for some people. We removed all internal password control logic. If this affects you, you have two options: 1. Use a plugin for authentication and use session based pad access (recommended). 1. Use a plugin for password setting. The reasoning for removing this feature is to reduce the overall security footprint of Etherpad. It is unnecessary and cumbersome to keep this feature and with the thousands of available authentication methods available in the world our focus should be on supporting those and allowing more granual access based on their implementations (instead of half assed baking our own). 2020-10-07 14:43:54 +02:00			`req.params.pad, req.cookies.sessionID, req.cookies.token, user);`
Moved padreadonly 2012-02-25 00:15:57 +01:00
lint: Run `eslint --fix` on `src/` 2020-11-23 19:24:19 +01:00			`if (accessObj.accessStatus === 'grant') {`
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// there is access, continue`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`return true;`
Moved padreadonly 2012-02-25 00:15:57 +01:00			`} else {`
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// no access`
fix the rest of the deprecation warnings 2015-04-10 21:10:55 +02:00			`res.status(403).send("403 - Can't touch this");`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`return false;`
Moved padreadonly 2012-02-25 00:15:57 +01:00			`}`
access controls: promisification `getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to `true` or `false` as appropriate, and throwing an exception if there's an error. The two call sites (padreadonly.js and importexport.js) updated to match. 2019-01-23 17:29:36 +01:00			`} catch (err) {`
			`// @TODO - send internal server error here?`
			`throw err;`
			`}`
lint: Run `eslint --fix` on `src/` 2020-11-23 19:24:19 +01:00			`};`