From 5e7c5d5dd3048054e94021f10c284e71896dcb44 Mon Sep 17 00:00:00 2001 From: Jordan Date: Mon, 21 Nov 2011 12:44:33 -0500 Subject: [PATCH] Add editOnly option --- node/db/SecurityManager.js | 28 ++++++++++++++++++++++++---- node/utils/Settings.js | 5 +++++ settings.json.template | 3 +++ settings.json.template_windows | 3 +++ 4 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/node/db/SecurityManager.js b/node/db/SecurityManager.js
index 762931da0..0f35d8735 100644
--- a/node/db/SecurityManager.js
+++ b/node/db/SecurityManager.js
@@ -35,6 +35,8 @@ var settings = require("../utils/Settings") */ exports.checkAccess = function (padID, sessionID, token, password, callback) { + var statusObject; + // a valid session is required (api-only mode) if(settings.requireSession) {
@@ -54,8 +56,26 @@ exports.checkAccess = function (padID, sessionID, token, password, callback) //get author for this token authorManager.getAuthor4Token(token, function(err, author) { - // grant access, with author of token - callback(err, {accessStatus: "grant", authorID: author}); + // assume user has access + statusObject = {accessStatus: "grant", authorID: author}; + // user can't create pads + if(settings.editOnly) + { + // check if pad exists + padManager.doesPadExists(padID, function(err, exists) + { + // pad doesn't exist - user can't have access + if(!exists) statusObject.accessStatus = "deny"; + // grant or deny access, with author of token + callback(err, statusObject); + }); + } + // user may create new pads - no need to check anything + else + { + // grant access, with author of token + callback(err, statusObject); + } }) //don't continue
@@ -72,8 +92,6 @@ exports.checkAccess = function (padID, sessionID, token, password, callback) var isPasswordProtected; var passwordStatus = password == null ? "notGiven" : "wrong"; // notGiven, correct, wrong - var statusObject; - async.series([ //get basic informations from the database function(callback)
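Review bot: In the `@@ -54,8 +56,26 @@` hunk the `err` parameter of the `padManager.doesPadExists` callback shadows the `err` delivered by `authorManager.getAuthor4Token`, so with `editOnly` enabled a failed token lookup is no longer passed to `callback`, and an existing pad would still be answered with `accessStatus: "grant"` and a presumably undefined `authorID`. Check the outer error before building the result, `if(err) { callback(err); return; }`, and give the inner parameter its own name such as `existsErr`. A failed existence check does end in deny because `exists` is then falsy; a short comment stating that this fail-closed result is intended would keep a later refactor from inverting it. The rest of `checkAccess` is outside the hunk, so how callers treat an `err` that arrives together with a status object is not visible here.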
@@ -195,6 +213,8 @@ exports.checkAccess = function (padID, sessionID, token, password, callback) { //--> grant access statusObject = {accessStatus: "grant", authorID: sessionAuthor}; + //--> deny access if user isn't allowed to create the pad + if(settings.editOnly) statusObject.accessStatus = "deny"; } // there is no valid session avaiable AND pad exists else if(!validSession && padExists)
diff --git a/node/utils/Settings.js b/node/utils/Settings.js
index 9f23d114c..2aef834d6 100644
--- a/node/utils/Settings.js
+++ b/node/utils/Settings.js
@@ -48,6 +48,11 @@ exports.defaultPadText = "Welcome to Etherpad Lite!\n\nThis pad text is synchron */ exports.requireSession = false; +/** + * A flag that prevents users from creating new pads + */ +exports.editOnly = false; + /** * A flag that shows if minification is enabled or not */
diff --git a/settings.json.template b/settings.json.template
index 5c0dffdaa..a453258fa 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -31,6 +31,9 @@ /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */ "requireSession" : false, + + /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */ + "editOnly" : true, /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, but makes it impossible to debug the javascript/css */
diff --git a/settings.json.template_windows b/settings.json.template_windows
index d6f9ef14f..c3d6be2a8 100644
--- a/settings.json.template_windows
+++ b/settings.json.template_windows
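Review bot: In the `@@ -195,6 +213,8 @@` hunk the status object is first built as a grant and only flipped to deny by the following statement, so the access decision depends on that second line staying directly behind the first. Deciding once is easier to audit: `statusObject = {accessStatus: settings.editOnly ? "deny" : "grant", authorID: sessionAuthor};`. The `@@ -54,8 +56,26 @@` hunk has the same grant-first shape under `// assume user has access`. The condition of the enclosing branch starts outside the hunk, so that this is the pad-does-not-exist case is inferred from the added comment and the `else if` that follows; any other branch of `checkAccess` that grants access to a pad that does not exist yet is not visible here and should be checked for the same `editOnly` guard.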
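Review bot: The template in the `settings.json.template` hunk ships `"editOnly" : true` while `node/utils/Settings.js` in this same patch defaults `exports.editOnly` to `false`, so a fresh install copied from the template blocks pad creation by users while an existing install whose settings file lacks the key keeps allowing it. If the restrictive mode is meant to be opt-in, the template line should read `"editOnly" : false,`; if it is meant to be the new default, the code default should match so that a missing key fails the same way. The same line is added in the `settings.json.template_windows` hunk.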
@@ -30,6 +30,9 @@ /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */ "requireSession" : false, + + /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */ + "editOnly" : true, /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, but makes it impossible to debug the javascript/css */