Merge pull request #1940 from piratenfraktion-nrw/fix_readonly_if_require_session

pass correct padID to checkAccess if pad is requested via readOnly link
pull/1943/merge
John McLear 2013-10-13 13:41:41 -07:00
commit be78488635
2 changed files with 34 additions and 17 deletions


@ -240,7 +240,7 @@ exports.handleMessage = function(client, message)
callback(); callback();
}else{ }else{
var auth = sessioninfos[client.id].auth; var auth = sessioninfos[client.id].auth;
securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, function(err, statusObject) var checkAccessCallback = function(err, statusObject)
{ {
if(ERR(err, callback)) return; if(ERR(err, callback)) return;
@ -254,7 +254,17 @@ exports.handleMessage = function(client, message)
{ {
client.json.send({accessStatus: statusObject.accessStatus}) client.json.send({accessStatus: statusObject.accessStatus})
} }
}); };
//check if pad is requested via readOnly
if (auth.padID.indexOf("r.") === 0) {
//Pad is readOnly, first get the real Pad ID
readOnlyManager.getPadId(auth.padID, function(err, value) {
ERR(err);
securityManager.checkAccess(value, auth.sessionID, auth.token, auth.password, checkAccessCallback);
});
} else {
securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, checkAccessCallback);
}
} }
}, },
finalHandler finalHandler
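Review bot: The new getPadId callback calls `ERR(err);` without the async-series `callback`, while the checkAccess callback in the same hunk uses `if(ERR(err, callback)) return;`, so a lookup failure on the read-only path is not reported through the series and, as far as this hunk shows, never completes the handler; it should read `if(ERR(err, callback)) return;`. Nothing here handles getPadId yielding no pad id for the supplied `r.` id (whether it returns null for an unknown read-only id is not visible in this hunk), in which case `value` is handed to checkAccess as-is; if that can happen, the branch should reject the request explicitly before calling checkAccess rather than rely on how checkAccess treats an empty id. The `"r."` prefix test plus resolve-then-check sequence is duplicated verbatim in the setSocketIO hunk of the second file; a single shared helper that resolves the real pad id would keep the two call sites from drifting. handleMessage starts and ends outside the hunk.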


@ -23,6 +23,7 @@ var ERR = require("async-stacktrace");
var log4js = require('log4js'); var log4js = require('log4js');
var messageLogger = log4js.getLogger("message"); var messageLogger = log4js.getLogger("message");
var securityManager = require("../db/SecurityManager"); var securityManager = require("../db/SecurityManager");
var readOnlyManager = require("../db/ReadOnlyManager");
var settings = require('../utils/Settings'); var settings = require('../utils/Settings');
/** /**
@ -87,23 +88,29 @@ exports.setSocketIO = function(_socket) {
handleMessage(client, message); handleMessage(client, message);
} else { //try to authorize the client } else { //try to authorize the client
if(message.padId !== undefined && message.sessionID !== undefined && message.token !== undefined && message.password !== undefined) { if(message.padId !== undefined && message.sessionID !== undefined && message.token !== undefined && message.password !== undefined) {
//this message has everything to try an authorization var checkAccessCallback = function(err, statusObject) {
securityManager.checkAccess (message.padId, message.sessionID, message.token, message.password, ERR(err);
function(err, statusObject) {
ERR(err);
//access was granted, mark the client as authorized and handle the message //access was granted, mark the client as authorized and handle the message
if(statusObject.accessStatus == "grant") { if(statusObject.accessStatus == "grant") {
clientAuthorized = true; clientAuthorized = true;
handleMessage(client, message); handleMessage(client, message);
}
//no access, send the client a message that tell him why
else {
messageLogger.warn("Authentication try failed:" + stringifyWithoutPassword(message));
client.json.send({accessStatus: statusObject.accessStatus});
}
} }
); //no access, send the client a message that tell him why
else {
messageLogger.warn("Authentication try failed:" + stringifyWithoutPassword(message));
client.json.send({accessStatus: statusObject.accessStatus});
}
};
if (message.padId.indexOf("r.") === 0) {
readOnlyManager.getPadId(message.padId, function(err, value) {
ERR(err);
securityManager.checkAccess (value, message.sessionID, message.token, message.password, checkAccessCallback);
});
} else {
//this message has everything to try an authorization
securityManager.checkAccess (message.padId, message.sessionID, message.token, message.password, checkAccessCallback);
}
} else { //drop message } else { //drop message
messageLogger.warn("Dropped message cause of bad permissions:" + stringifyWithoutPassword(message)); messageLogger.warn("Dropped message cause of bad permissions:" + stringifyWithoutPassword(message));
} }
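Review bot: `message.padId.indexOf("r.") === 0` runs on a client-supplied value that the surrounding guard only checks with `!== undefined`, so a padId sent as a number or an object now throws a TypeError inside the socket handler instead of being rejected; extend the guard to `typeof message.padId === 'string' && message.padId.indexOf("r.") === 0`, or add `typeof message.padId === 'string'` to the authorization condition above it. The read-only branch also passes `value` from getPadId straight into checkAccess; if getPadId can yield null for an unknown read-only id (not visible here), the branch should send the client a rejection as the else-branch path does on denial rather than run checkAccess on an empty id. The read-only branch has no comment while the original `//this message has everything to try an authorization` was moved into the else branch only; a line such as `//pad requested via its read-only id: resolve the real pad id before the access check` above the getPadId call would document the intent. The enclosing setSocketIO handler starts and ends outside the hunk.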