From 35702a0589fd23f29fe6ceca3e70b1f533edea23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miko=C5=82aj=20Biel?= <biel.mikolaj@openmailbox.org>
Date: Mon, 10 Jul 2017 20:54:32 +0200
Subject: [PATCH] [feat] New server-side hook: onAccessCheck

---
 doc/api/hooks_server-side.md   | 12 ++++++++++++
 src/node/db/SecurityManager.js |  9 +++++++++
 2 files changed, 21 insertions(+)

diff --git a/doc/api/hooks_server-side.md b/doc/api/hooks_server-side.md
index d4e836404..bb1b53890 100644
--- a/doc/api/hooks_server-side.md
+++ b/doc/api/hooks_server-side.md
@@ -108,6 +108,18 @@ Usage examples:
 
 * https://github.com/tiblu/ep_authorship_toggle
 
+## onAccessCheck
+Called from: src/node/db/SecurityManager.js
+
+Things in context:
+
+1. padID - the pad the user wants to access
+2. password - the password the user has given to access the pad
+3. token - the token of the author
+3. sessionCookie - the session the use has
+
+This hook gets called when the access to the concrete pad is being checked. Return `false` to deny access.
+
 ## padCreate
 Called from: src/node/db/Pad.js
 
diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index 6fae57ffb..9430e75dd 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -22,6 +22,7 @@
 var ERR = require("async-stacktrace");
 var async = require("async");
 var authorManager = require("./AuthorManager");
+var hooks = require("ep_etherpad-lite/static/js/pluginfw/hooks.js");
 var padManager = require("./PadManager");
 var sessionManager = require("./SessionManager");
 var settings = require("../utils/Settings");
@@ -45,6 +46,14 @@ exports.checkAccess = function (padID, sessionCookie, token, password, callback)
     return;
   }
 
+  // allow plugins to deny access
+  var deniedByHook = hooks.callAll("onAccessCheck", {'padID': padID, 'password': password, 'token': token, 'sessionCookie': sessionCookie}).indexOf(false) > -1;
+  if(deniedByHook)
+  {
+    callback(null, {accessStatus: "deny"});
+    return;
+  }
+
   // a valid session is required (api-only mode)
   if(settings.requireSession)
   {