pad.libre-service.eu-etherpad/src/node/padaccess.js

'use strict';
const securityManager = require('./db/SecurityManager');

// checks for padAccess
module.exports = async function (req, res) {
  try {
    const {session: {user} = {}} = req;
    const accessObj = await securityManager.checkAccess(
        req.params.pad, req.cookies.sessionID, req.cookies.token, user);

    if (accessObj.accessStatus === 'grant') {
      // there is access, continue
      return true;
    } else {
      // no access
      res.status(403).send("403 - Can't touch this");
      return false;
    }
  } catch (err) {
    // @TODO - send internal server error here?
    throw err;
  }
};