Add editOnly option

node/db/SecurityManager.js

@@ -35,6 +35,8 @@ var settings = require("../utils/Settings")
  */ 
 exports.checkAccess = function (padID, sessionID, token, password, callback)
 { 
+  var statusObject;
+
   // a valid session is required (api-only mode)
   if(settings.requireSession)
   {
@@ -53,9 +55,27 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
     {
       //get author for this token
       authorManager.getAuthor4Token(token, function(err, author)
+      {
+        // assume user has access
+        statusObject = {accessStatus: "grant", authorID: author};
+        // user can't create pads
+        if(settings.editOnly)
+        {
+          // check if pad exists
+          padManager.doesPadExists(padID, function(err, exists)
+          {
+            // pad doesn't exist - user can't have access
+            if(!exists) statusObject.accessStatus = "deny";
+            // grant or deny access, with author of token
+            callback(err, statusObject);
+          });
+        }
+        // user may create new pads - no need to check anything
+        else
         {
           // grant access, with author of token
-        callback(err, {accessStatus: "grant", authorID: author});
+          callback(err, statusObject);
+        }
       })
       
       //don't continue
@@ -72,8 +92,6 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
   var isPasswordProtected;
   var passwordStatus = password == null ? "notGiven" : "wrong"; // notGiven, correct, wrong
 
-  var statusObject;
-
   async.series([
     //get basic informations from the database 
     function(callback)
@@ -195,6 +213,8 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
       {
         //--> grant access
         statusObject = {accessStatus: "grant", authorID: sessionAuthor};
+        //--> deny access if user isn't allowed to create the pad
+        if(settings.editOnly) statusObject.accessStatus = "deny";
       }
       // there is no valid session avaiable AND pad exists
       else if(!validSession && padExists)

node/utils/Settings.js

@@ -48,6 +48,11 @@ exports.defaultPadText = "Welcome to Etherpad Lite!\n\nThis pad text is synchron
  */
 exports.requireSession = false;
 
+/**
+ * A flag that prevents users from creating new pads
+ */
+exports.editOnly = false;
+
 /**
  * A flag that shows if minification is enabled or not
  */

settings.json.template

@@ -32,6 +32,9 @@
   /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */
   "requireSession" : false,
 
+  /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
+  "editOnly" : true,
+  
   /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, 
      but makes it impossible to debug the javascript/css */
   "minify" : true,

settings.json.template_windows

@@ -31,6 +31,9 @@
   /* Users must have a session to access pads. This effectively allows only group pads to be accessed. */
   "requireSession" : false,
 
+  /* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
+  "editOnly" : true,
+  
   /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, 
      but makes it impossible to debug the javascript/css */
   "minify" : false,