From 24ee37a38ff8c5c4d25416b2f127ceab687293df Mon Sep 17 00:00:00 2001
From: John McLear
Date: Sat, 4 Apr 2020 21:43:33 +0000
Subject: [PATCH] import: do not allow importing into a pad from the web UI if the user is not on that pad

Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled.
---
 src/node/hooks/express/importexport.js | 44 ++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/src/node/hooks/express/importexport.js b/src/node/hooks/express/importexport.js
index aeb6e3664..5e27e940e 100644
--- a/src/node/hooks/express/importexport.js
+++ b/src/node/hooks/express/importexport.js
@@ -3,6 +3,7 @@ var settings = require('../../utils/Settings');
 var exportHandler = require('../../handler/ExportHandler');
 var importHandler = require('../../handler/ImportHandler');
 var padManager = require("../../db/PadManager");
+var authorManager = require("../../db/AuthorManager");
 
 exports.expressCreateServer = function (hook_name, args, cb) {
@@ -47,6 +48,49 @@ exports.expressCreateServer = function (hook_name, args, cb) {
       return next();
     }
 
+    /*
+     * Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
+     * only if a user has his browser opened and connected to the pad (i.e. a
+     * Socket.IO session is estabilished for him) and he has already
+     * contributed to that specific pad.
+     *
+     * Note that this does not have anything to do with the "session", used
+     * for logging into "group pads". That kind of session is not needed here.
+     *
+     * This behaviour does not apply to API requests, only to /p/$PAD$/import
+     *
+     * See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
+     */
+    if (!req.cookies) {
+      console.warn(`Unable to import file into "${req.params.pad}". No cookies included in request`);
+      return next();
+    }
+
+    if (!req.cookies.token) {
+      console.warn(`Unable to import file into "${req.params.pad}". No token in the cookies`);
+      return next();
+    }
+
+    let author = await authorManager.getAuthor4Token(req.cookies.token);
+    // author is of the form: "a.g2droBYw1prY7HW9"
+    if (!author) {
+      console.warn(`Unable to import file into "${req.params.pad}". No Author found for token ${req.cookies.token}`);
+
+      return next();
+    }
+
+    let authorsPads = await authorManager.listPadsOfAuthor(author);
+    if (!authorsPads) {
+      console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to any pad`);
+      return next();
+    }
+
+    let authorsPadIDs = authorsPads.padIDs;
+    if (authorsPadIDs.indexOf(req.params.pad) === -1) {
+      console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to this pad`);
+      return next();
+    }
+
     importHandler.doImport(req, res, req.params.pad);
   }
 });
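Review bot: The warning in the `!author` branch writes the raw `token` cookie into the server log, and that cookie is the only credential this whole check rests on, so anyone who can read the logs can reuse it to satisfy the new `getAuthor4Token` / `listPadsOfAuthor` gate. Drop the `${req.cookies.token}` interpolation from that message and log only that no author was found for the presented token; the pad name already identifies the request. The handler whose body this hunk extends starts outside the hunk, and the two new `await`s require it to be declared `async`, which cannot be confirmed from here. Every rejection falls through to `next()` instead of answering the client, so unless a later route handles `/p/:pad/import` the requester presumably gets a generic 404 rather than a 403 that explains the refusal; if that is deliberate (to avoid disclosing pad state), a one-line comment saying so would help, otherwise `res.status(403)` with a short message would be clearer.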