db/SecurityManager.js: accessing without session a public group pad no longer causes a crash
Steps to reproduce (via HTTP API): 1. create a group via createGroup() 2. create a group pad inside that group via createGroupPad() 3. make that pad public by calling setPublicStatus(true) 4. access the pad via a clean web browser (with no sessions) 5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist This was due to an oversight in 769933786cea: "apierror: sessionID does not exist" may be a legal condition if we are also visiting a public pad. The function that could throw that error was sessionManager.getSessionInfo(), and thus it needed to be inside the try...catch block. Please note that calling getText() on the pad always returns the pad contents, *even for non-public pads*, because the API bypasses the security checks and directly talks to the DB layer. Fixes #3600.pull/3688/head
parent
0b3cf7cc96
commit
3b24c97d1e
@ -99,13 +99,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
|
|||
let sessionIDs = sessionCookie.split(',');
|
||||
|
||||
// was previously iterated in parallel using async.forEach
|
||||
let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
|
||||
return sessionManager.getSessionInfo(sessionID);
|
||||
}));
|
||||
try {
|
||||
let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
|
||||
return sessionManager.getSessionInfo(sessionID);
|
||||
}));
|
||||
|
||||
// seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
|
||||
for (let sessionInfo of sessionInfos) {
|
||||
try {
|
||||
// seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
|
||||
for (let sessionInfo of sessionInfos) {
|
||||
// is it for this group?
|
||||
if (sessionInfo.groupID != groupID) {
|
||||
authLogger.debug("Auth failed: wrong group");
|
||||
|
@ -123,13 +123,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
|
|||
validSession = true;
|
||||
sessionAuthor = sessionInfo.authorID;
|
||||
break;
|
||||
} catch (err) {
|
||||
// skip session if it doesn't exist
|
||||
if (err.message == "sessionID does not exist") {
|
||||
authLogger.debug("Auth failed: unknown session");
|
||||
} else {
|
||||
throw err;
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
// skip session if it doesn't exist
|
||||
if (err.message == "sessionID does not exist") {
|
||||
authLogger.debug("Auth failed: unknown session");
|
||||
} else {
|
||||
throw err;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
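Review bot: Wrapping the whole `Promise.all` in the try (first hunk, the new `try {` before `let sessionInfos = await Promise.all(...)`) makes one unknown session ID reject the entire batch, so when the cookie carries several IDs (the reason for `sessionCookie.split(',')`) a single stale or deleted session prevents a still-valid session in the same cookie from being evaluated at all — the loop body is never reached and the user is denied even though they hold a valid session. The catch only distinguishes the "sessionID does not exist" case; every other session in the list is silently dropped with it. Handling the lookup failure per session, as sketched below, keeps the parallel fetch and the existing message-based check while letting the remaining sessions go through the group/validity checks. Matching on `err.message` is also fragile; if SessionManager exposes a typed error or code, checking that instead would be more robust, but that is outside this hunk. checkAccess begins and ends outside both hunks.
```javascript
let sessionIDs = sessionCookie.split(',');

// fetch all sessions in parallel, but map an unknown session to null
// instead of rejecting the whole batch, so one stale ID in the cookie
// cannot mask a valid one
let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
  return sessionManager.getSessionInfo(sessionID).catch(err => {
    if (err.message == "sessionID does not exist") {
      authLogger.debug("Auth failed: unknown session");
      return null;
    }
    throw err;
  });
}));

for (let sessionInfo of sessionInfos) {
  if (sessionInfo === null) continue;
  // … unchanged: group check, validity check, validSession / sessionAuthor assignment, break …
}
```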