Merge branch 'develop' of github.com:ether/etherpad-lite into develop

src/node/handler/PadMessageHandler.js

@@ -151,7 +151,6 @@ exports.handleMessage = function(client, message)
 
   var handleMessageHook = function(callback){
     var dropMessage = false;
-    
     // Call handleMessage hook. If a plugin returns null, the message will be dropped. Note that for all messages 
     // handleMessage will be called, even if the client is not authorized
     hooks.aCallAll("handleMessage", { client: client, message: message }, function ( err, messages ) {
@@ -204,17 +203,29 @@ exports.handleMessage = function(client, message)
       //check permissions
       function(callback)
       {
-        
+        // client tried to auth for the first time (first msg from the client)
-        // If the message has a padId we assume the client is already known to the server and needs no re-authorization
+        if(message.type == "CLIENT_READY") {
-        if(!message.padId)
+          // Remember this information since we won't
-          return callback();
+          // have the cookie in further socket.io messages.
+          // This information will be used to check if
+          // the sessionId of this connection is still valid
+          // since it could have been deleted by the API.
+          sessioninfos[client.id].auth =
+          {
+            sessionID: message.sessionID,
+            padID: message.padId,
+            token : message.token,
+            password: message.password
+          };
+        }
 
         // Note: message.sessionID is an entirely different kind of
-        // session from the sessions we use here! Beware! FIXME: Call
+        // session from the sessions we use here! Beware!
-        // our "sessions" "connections".
+        // FIXME: Call our "sessions" "connections".
         // FIXME: Use a hook instead
         // FIXME: Allow to override readwrite access with readonly
-        securityManager.checkAccess(message.padId, message.sessionID, message.token, message.password, function(err, statusObject)
+        var auth = sessioninfos[client.id].auth;
+        securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, function(err, statusObject)
         {
           if(ERR(err, callback)) return;
 
@@ -265,7 +276,7 @@ exports.handleCustomObjectMessage = function (msg, sessionID, cb) {
     if(sessionID){ // If a sessionID is targeted then send directly to this sessionID
       socketio.sockets.socket(sessionID).json.send(msg); // send a targeted message
     }else{
-      socketio.sockets.in(msg.data.padId).json.send(msg); // broadcast to all clients on this pad
+      socketio.sockets.in(msg.data.payload.padId).json.send(msg); // broadcast to all clients on this pad
     }
   }
   cb(null, {});

src/static/js/pad.js

@@ -252,14 +252,22 @@ function handshake()
   socket.on('message', function(obj)
   {
     //the access was not granted, give the user a message
-    if(!receivedClientVars && obj.accessStatus)
+    if(obj.accessStatus)
     {
-      $('.passForm').submit(require(module.id).savePassword);
+      if(!receivedClientVars)
+        $('.passForm').submit(require(module.id).savePassword);
 
       if(obj.accessStatus == "deny")
       {
         $('#loading').hide();
         $("#permissionDenied").show();
+
+        if(receivedClientVars)
+        {
+          // got kicked
+          $("#editorcontainer").hide();
+          $("#editorloadingbox").show();
+        }
       }
       else if(obj.accessStatus == "needPassword")
       {