mirror of
https://github.com/ether/etherpad-lite.git
synced 2025-02-01 03:12:42 +01:00
f9087fabd6
In addition to providing defense in depth, this change makes it easier to implement future enhancements such as support for read-only users.
var securityManager = require('./db/SecurityManager');
/**
 * Pad access gate for HTTP handlers.
 *
 * Asks the security manager whether the requester may access the pad named in
 * the route, using the session ID, author token and pad password taken from
 * the request cookies plus the authenticated user (if any) from the session.
 *
 * @param {object} req - Request; reads `req.params.pad`, `req.cookies` and
 *     `req.session.user`.
 * @param {object} res - Response; a 403 is written to it when access is denied.
 * @returns {Promise<boolean>} `true` when access was granted. `false` when it
 *     was denied, in which case the 403 response has already been sent and the
 *     caller must not write another one.
 * @throws Anything `checkAccess` rejects with. No response is sent on that
 *     path, so the caller has to handle the rejection itself.
 */
module.exports = async function (req, res) {
  // A missing session is tolerated: `user` is then undefined.
  const {session: {user} = {}} = req;
  const padId = req.params.pad;
  // All three credentials are client-supplied cookie values; they are only
  // forwarded here, the decision is made by the security manager.
  // NOTE(review): the pad password travels in a cookie; confirm where that
  // cookie is set and which attributes it carries.
  const {sessionID, token, password} = req.cookies;

  const accessObj = await securityManager.checkAccess(padId, sessionID, token, password, user);

  // Deny by default: only the exact status "grant" lets the request through,
  // every other status is answered with 403.
  if (accessObj.accessStatus !== 'grant') {
    res.status(403).send("403 - Can't touch this");
    return false;
  }

  // @TODO - errors from checkAccess currently propagate unchanged; send an
  // internal server error here instead?
  return true;
}