From 3b24c97d1eb49a3bbd429d3491e8bc61c85be0ce Mon Sep 17 00:00:00 2001 From: muxator Date: Thu, 26 Dec 2019 00:30:43 +0100 Subject: [PATCH] db/SecurityManager.js: accessing without session a public group pad no longer causes a crash Steps to reproduce (via HTTP API): 1. create a group via createGroup() 2. create a group pad inside that group via createGroupPad() 3. make that pad public calling setPublicStatus(true) 4. access the pad via a clean web browser (with no sessions) 5. UnhandledPromiseRejectionWarning: apierror: sessionID does not exist This was due to an overlook in 769933786cea: "apierror: sessionID does not exist" may be a legal condition if we are also visiting a public pad. The function that could throw that error was sessionManager.getSessionInfo(), and thus it needed to be inside the try...catch block. Please note that calling getText() on the pad always return the pad contents, *even for non-public pads*, because the API bypasses the security checks and directly talks to the DB layer. Fixes #3600.
---
 src/node/db/SecurityManager.js | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index 23af82836..45d45a722 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -99,13 +99,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
 let sessionIDs = sessionCookie.split(',');
 
 // was previously iterated in parallel using async.forEach
- let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
- return sessionManager.getSessionInfo(sessionID);
- }));
+ try {
+ let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
+ return sessionManager.getSessionInfo(sessionID);
+ }));
 
- // seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
- for (let sessionInfo of sessionInfos) {
- try {
+ // seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
+ for (let sessionInfo of sessionInfos) {
 // is it for this group?
 if (sessionInfo.groupID != groupID) {
 authLogger.debug("Auth failed: wrong group");
@@ -123,13 +123,13 @@ exports.checkAccess = async function(padID, sessionCookie, token, password)
 validSession = true;
 sessionAuthor = sessionInfo.authorID;
 break;
- } catch (err) {
- // skip session if it doesn't exist
- if (err.message == "sessionID does not exist") {
- authLogger.debug("Auth failed: unknown session");
- } else {
- throw err;
- }
+ }
+ } catch (err) {
+ // skip session if it doesn't exist
+ if (err.message == "sessionID does not exist") {
+ authLogger.debug("Auth failed: unknown session");
+ } else {
+ throw err;
 }
 }
 }
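Review bot: Moving the `try` to enclose the whole `Promise.all` means a single unknown sessionID in the cookie now discards every session, because `Promise.all` rejects on the first rejection and the relocated catch (second hunk) then falls through with `validSession` still false, so the per-session skip that the old inner `try` (and the async.forEach it replaced) provided is lost. A visitor whose cookie carries one stale ID alongside a valid session for this group would be denied; that fails closed rather than open, but it is a behaviour change the commit message does not mention, and the old code path for that case is what the original inner catch was written for. Catching the known error per session inside the `map` callback and resolving to `null` keeps the crash fix while preserving per-session skipping, after which the outer try/catch added in both hunks is no longer needed. The `err.message == "sessionID does not exist"` comparison is kept from the old code; `===` would be the idiomatic form if the block is touched anyway. `checkAccess` starts before the first hunk and continues after the second.
```javascript
    // was previously iterated in parallel using async.forEach
    let sessionInfos = await Promise.all(sessionIDs.map(sessionID => {
      // resolve an unknown session to null instead of rejecting the whole
      // batch, so one stale ID in the cookie does not discard the others
      return sessionManager.getSessionInfo(sessionID).catch(err => {
        if (err.message === "sessionID does not exist") {
          authLogger.debug("Auth failed: unknown session");
          return null;
        }
        throw err;
      });
    }));

    // seperated out the iteration of sessioninfos from the (parallel) fetches from the DB
    for (let sessionInfo of sessionInfos) {
      if (sessionInfo === null) continue;
      // … unchanged: group check, password/author handling, validSession assignment …
```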