From 9e523191ea40137899c0082ffff66056ec289e52 Mon Sep 17 00:00:00 2001 From: John McLear Date: Tue, 2 Apr 2013 23:15:16 +0100 Subject: [PATCH 1/4] whoops padid should be in payload.. --- src/node/handler/PadMessageHandler.js | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js index 954c116d2..b6e58764b 100644 --- a/src/node/handler/PadMessageHandler.js +++ b/src/node/handler/PadMessageHandler.js @@ -151,19 +151,25 @@ exports.handleMessage = function(client, message) var handleMessageHook = function(callback){ var dropMessage = false; - + console.warn("messsssage", message); // Call handleMessage hook. If a plugin returns null, the message will be dropped. Note that for all messages // handleMessage will be called, even if the client is not authorized hooks.aCallAll("handleMessage", { client: client, message: message }, function ( err, messages ) { +console.warn("Wut", message); if(ERR(err, callback)) return; _.each(messages, function(newMessage){ +console.warn("OH NOES!", message); +console.warn("newMessage", newMessage); if ( newMessage === null ) { +console.warn("FUCK NO!"); dropMessage = true; } }); // If no plugins explicitly told us to drop the message, its ok to proceed - if(!dropMessage){ callback() }; + if(!dropMessage){ +console.warn("proceeding"); + callback() }; }); } @@ -265,7 +271,7 @@ exports.handleCustomObjectMessage = function (msg, sessionID, cb) { if(sessionID){ // If a sessionID is targeted then send directly to this sessionID socketio.sockets.socket(sessionID).json.send(msg); // send a targeted message }else{ - socketio.sockets.in(msg.data.padId).json.send(msg); // broadcast to all clients on this pad + socketio.sockets.in(msg.data.payload.padId).json.send(msg); // broadcast to all clients on this pad } } cb(null, {}); From 57a9ccbb881a487caa92d41431403f274efe1ed8 Mon Sep 17 00:00:00 2001 
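Review bot: The added `console.warn("messsssage", message)` and `console.warn("Wut", message)` in handleMessageHook write the entire inbound message object to the server log, and the permission step further down this same file (the CLIENT_READY handling in patch 4/4) reads `message.password`, `message.token` and `message.sessionID` from that object, so pad passwords and tokens would be logged on every message. Patch 2/4 of this series deletes these lines again, so the merged result is clean; if a trace is wanted later, log only the discriminator, e.g. `console.warn("handleMessage", message.type);`. handleMessage continues outside the hunk.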
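Review bot: `msg.data.payload.padId` is dereferenced without a guard in the broadcast branch of handleCustomObjectMessage, so a message whose `data` lacks `payload` throws a TypeError inside the handler before `cb` is ever invoked; the old `msg.data.padId` had the same shape assumption, but the deeper path widens the failure surface. A one-line check at the top of the else branch, `if(!msg.data || !msg.data.payload || !msg.data.payload.padId) return cb(new Error("handleCustomObjectMessage: missing payload.padId"));`, keeps the callback contract intact. Who supplies msg, and whether the sender is already authorized for that padId, is outside the hunk (the function starts one line above it), so that is worth confirming when the caller is in view.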
From: John McLear
Date: Tue, 2 Apr 2013 23:16:28 +0100
Subject: [PATCH 2/4] whoops, comments hurt
---
src/node/handler/PadMessageHandler.js | 6 ------
1 file changed, 6 deletions(-)
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index b6e58764b..0b0ea3697 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -151,24 +151,18 @@ exports.handleMessage = function(client, message) var handleMessageHook = function(callback){ var dropMessage = false; - console.warn("messsssage", message); // Call handleMessage hook. If a plugin returns null, the message will be dropped. Note that for all messages // handleMessage will be called, even if the client is not authorized hooks.aCallAll("handleMessage", { client: client, message: message }, function ( err, messages ) { -console.warn("Wut", message); if(ERR(err, callback)) return; _.each(messages, function(newMessage){ -console.warn("OH NOES!", message); -console.warn("newMessage", newMessage); if ( newMessage === null ) { -console.warn("FUCK NO!"); dropMessage = true; } }); // If no plugins explicitly told us to drop the message, its ok to proceed if(!dropMessage){ -console.warn("proceeding"); callback() }; }); }
From 5855e3d5bfffa9aed9747cc54fa5922a32737be9 Mon Sep 17 00:00:00 2001
From: John McLear
Date: Tue, 2 Apr 2013 23:17:25 +0100
Subject: [PATCH 3/4] weird styling
---
src/node/handler/PadMessageHandler.js | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 0b0ea3697..9d0fd780f 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -162,8 +162,7 @@ exports.handleMessage = function(client, message) }); // If no plugins explicitly told us to drop the message, its ok to proceed - if(!dropMessage){ - callback() }; + if(!dropMessage){ callback() }; }); }
From c5b4e4934dab4a90fd673bb4087575a885e02c94 Mon Sep 17 00:00:00 2001
From: mluto
Date: Wed, 3 Apr 2013 11:19:26 +0200
Subject: [PATCH 4/4] Kick the user if has already successfully authenticated but his session became invalid later
---
src/node/handler/PadMessageHandler.js | 26 +++++++++++++++++++-------
src/static/js/pad.js | 12 ++++++++++--
2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/src/node/handler/PadMessageHandler.js b/src/node/handler/PadMessageHandler.js
index 9d0fd780f..85efb0083 100644
--- a/src/node/handler/PadMessageHandler.js
+++ b/src/node/handler/PadMessageHandler.js
@@ -203,17 +203,29 @@ exports.handleMessage = function(client, message) //check permissions function(callback) { - - // If the message has a padId we assume the client is already known to the server and needs no re-authorization - if(!message.padId) - return callback(); + // client tried to auth for the first time (first msg from the client) + if(message.type == "CLIENT_READY") { + // Remember this information since we won't + // have the cookie in further socket.io messages. + // This information will be used to check if + // the sessionId of this connection is still valid + // since it could have been deleted by the API. + sessioninfos[client.id].auth = + { + sessionID: message.sessionID, + padID: message.padId, + token : message.token, + password: message.password + }; + } // Note: message.sessionID is an entirely different kind of - // session from the sessions we use here! Beware! FIXME: Call - // our "sessions" "connections". + // session from the sessions we use here! Beware! + // FIXME: Call our "sessions" "connections". // FIXME: Use a hook instead // FIXME: Allow to override readwrite access with readonly - securityManager.checkAccess(message.padId, message.sessionID, message.token, message.password, function(err, statusObject) + var auth = sessioninfos[client.id].auth; + securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, function(err, statusObject) { if(ERR(err, callback)) return; diff --git a/src/static/js/pad.js b/src/static/js/pad.js index 01f1bbcb2..504bc21e4 100644 --- a/src/static/js/pad.js +++ b/src/static/js/pad.js 
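Review bot: `var auth = sessioninfos[client.id].auth;` is read for every message but only written when `message.type == "CLIENT_READY"`, so a connection whose first message is anything else reaches `auth.padID` with `auth` undefined and throws a TypeError out of the permission step; before this change a message without padId skipped the check via `return callback()`, so the crash path is new. Reject instead of throwing, e.g. `if(!auth) return callback(new Error("message before CLIENT_READY from client " + client.id));` right after the lookup — how the surrounding async chain turns that error into a disconnect is outside the hunk, so confirm it does not propagate as an uncaught exception. The stored record also keeps `message.password` in plain text in server memory for the life of the connection; the re-check needs it, but that deserves a comment at the assignment, e.g. `// plaintext pad password retained for re-authorization on later messages; never log this object`. Whether `sessioninfos[client.id]` is guaranteed to exist when CLIENT_READY arrives is not visible here either.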
@@ -252,14 +252,22 @@ function handshake() socket.on('message', function(obj) { //the access was not granted, give the user a message - if(!receivedClientVars && obj.accessStatus) + if(obj.accessStatus) { - $('.passForm').submit(require(module.id).savePassword); + if(!receivedClientVars) + $('.passForm').submit(require(module.id).savePassword); if(obj.accessStatus == "deny") { $('#loading').hide(); $("#permissionDenied").show(); + + if(receivedClientVars) + { + // got kicked + $("#editorcontainer").hide(); + $("#editorloadingbox").show(); + } } else if(obj.accessStatus == "needPassword") {
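Review bot: The new `if(receivedClientVars)` "got kicked" branch only hides `#editorcontainer` and shows `#editorloadingbox`; the socket stays open, so the client keeps sending whatever it has queued and relies entirely on the server refusing each message. Since the session is known to be invalid at this point, end the connection client-side as well, e.g. `socket.disconnect();` after the `.show()` call, if the socket.io client in use exposes it — that also spares the server a re-check per queued message. Style: `if(!receivedClientVars) $('.passForm').submit(...)` is the only brace-less `if` in this block; wrap it in braces to match the surrounding code. handshake continues outside the hunk.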