import: do not allow importing into a pad from the web UI if the user is not on that pad

Importing to a pad is allowed only if an author has a session estabilished and has already contributed to that specific pad. This means that as long as the user is on the pad (via the browser) then import is possible. Note that an author session is NOT the same as a group session, which is not required. This setting does not apply to API requests, only to /p/$PAD$/import This change of behaviour is introduced in Etherpad 1.8.3, and cannot be disabled.
2020-04-04 21:43:33 +00:00 · 2020-04-04 21:43:33 +00:00 · 24ee37a38f
parent f5d9b94ca1
commit 24ee37a38f
1 changed files with 44 additions and 0 deletions
--- a/src/node/hooks/express/importexport.js
+++ b/src/node/hooks/express/importexport.js
@ -3,6 +3,7 @@ var settings = require('../../utils/Settings');
 var exportHandler = require('../../handler/ExportHandler');
 var importHandler = require('../../handler/ImportHandler');
 var padManager = require("../../db/PadManager");
+var authorManager = require("../../db/AuthorManager");

 exports.expressCreateServer = function (hook_name, args, cb) {

@ -47,6 +48,49 @@ exports.expressCreateServer = function (hook_name, args, cb) {
        return next();
      }

+      /*
+       * Starting from Etherpad 1.8.3 onwards, importing into a pad is allowed
+       * only if a user has his browser opened and connected to the pad (i.e. a
+       * Socket.IO session is estabilished for him) and he has already
+       * contributed to that specific pad.
+       *
+       * Note that this does not have anything to do with the "session", used
+       * for logging into "group pads". That kind of session is not needed here.
+       *
+       * This behaviour does not apply to API requests, only to /p/$PAD$/import
+       *
+       * See: https://github.com/ether/etherpad-lite/pull/3833#discussion_r407490205
+       */
+      if (!req.cookies) {
+        console.warn(`Unable to import file into "${req.params.pad}". No cookies included in request`);
+        return next();
+      }
+
+      if (!req.cookies.token) {
+        console.warn(`Unable to import file into "${req.params.pad}". No token in the cookies`);
+        return next();
+      }
+
+      let author = await authorManager.getAuthor4Token(req.cookies.token);
+      // author is of the form: "a.g2droBYw1prY7HW9"
+      if (!author) {
+        console.warn(`Unable to import file into "${req.params.pad}". No Author found for token ${req.cookies.token}`);
+
+        return next();
+      }
+
+      let authorsPads = await authorManager.listPadsOfAuthor(author);
+      if (!authorsPads) {
+        console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to any pad`);
+        return next();
+      }
+
+      let authorsPadIDs = authorsPads.padIDs;
+      if (authorsPadIDs.indexOf(req.params.pad) === -1) {
+        console.warn(`Unable to import file into "${req.params.pad}". Author "${author}" exists but he never contributed to this pad`);
+        return next();
+      }
+
      importHandler.doImport(req, res, req.params.pad);
    }
  });