Fix readOnly pad export

The export request hook wasn't testing if the pad's id was from a read-only
pad before validating with the pad manager.

This includes an extra step that makes the read-only id verification and also
avoids setting the original pad's id as the file's name.

src/node/db/ReadOnlyManager.js

@@ -22,6 +22,16 @@
 var db = require("./DB");
 var randomString = require("../utils/randomstring");
 
+
+/**
+ * checks if the id pattern matches a read-only pad id
+ * @param {String} the pad's id
+ */
+exports.isReadOnlyId = function(id)
+{
+  return id.indexOf("r.") === 0;
+}
+
 /**
  * returns a read only id for a pad
  * @param {String} padId the id of the pad

src/node/handler/ExportHandler.js

@@ -49,9 +49,10 @@ const tempDirectory = os.tmpdir();
 /**
  * do a requested export
  */
-async function doExport(req, res, padId, type)
+async function doExport(req, res, padId, readOnlyId, type)
 {
-  var fileName = padId;
+  // avoid naming the read-only file as the original pad's id
+  var fileName = readOnlyId ? readOnlyId : padId;
 
   // allow fileName to be overwritten by a hook, the type type is kept static for security reasons
   let hookFileName = await hooks.aCallFirst("exportFileName", padId);
@@ -130,9 +131,9 @@ async function doExport(req, res, padId, type)
   }
 }
 
-exports.doExport = function(req, res, padId, type)
+exports.doExport = function(req, res, padId, readOnlyId, type)
 {
-  doExport(req, res, padId, type).catch(err => {
+  doExport(req, res, padId, readOnlyId, type).catch(err => {
     if (err !== "stop") {
       throw err;
     }

src/node/hooks/express/importexport.js

@@ -4,6 +4,7 @@ var settings = require('../../utils/Settings');
 var exportHandler = require('../../handler/ExportHandler');
 var importHandler = require('../../handler/ImportHandler');
 var padManager = require("../../db/PadManager");
+var readOnlyManager = require("../../db/ReadOnlyManager");
 var authorManager = require("../../db/AuthorManager");
 const rateLimit = require("express-rate-limit");
 const securityManager = require("../../db/SecurityManager");
@@ -39,14 +40,22 @@ exports.expressCreateServer = function (hook_name, args, cb) {
     res.header("Access-Control-Allow-Origin", "*");
 
     if (await hasPadAccess(req, res)) {
-      let exists = await padManager.doesPadExists(req.params.pad);
+      let padId = req.params.pad;
+
+      let readOnlyId = null;
+      if (readOnlyManager.isReadOnlyId(padId)) {
+        readOnlyId = padId;
+        padId = await readOnlyManager.getPadId(readOnlyId);
+      }
+
+      let exists = await padManager.doesPadExists(padId);
       if (!exists) {
-        console.warn(`Someone tried to export a pad that doesn't exist (${req.params.pad})`);
+        console.warn(`Someone tried to export a pad that doesn't exist (${padId})`);
         return next();
       }
 
       console.log(`Exporting pad "${req.params.pad}" in ${req.params.type} format`);
-      exportHandler.doExport(req, res, req.params.pad, req.params.type);
+      exportHandler.doExport(req, res, padId, readOnlyId, req.params.type);
     }
   });