Merge pull request #1940 from piratenfraktion-nrw/fix_readonly_if_require_session

pass correct padID to checkAccess if pad is requested via readOnly link

src/node/handler/PadMessageHandler.js

@@ -240,7 +240,7 @@ exports.handleMessage = function(client, message)
           callback();
         }else{
           var auth = sessioninfos[client.id].auth;
-          securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, function(err, statusObject)
+          var checkAccessCallback = function(err, statusObject)
           {
             if(ERR(err, callback)) return;
  
@@ -254,7 +254,17 @@ exports.handleMessage = function(client, message)
             {
               client.json.send({accessStatus: statusObject.accessStatus})
             }
+          };
+          //check if pad is requested via readOnly
+          if (auth.padID.indexOf("r.") === 0) {
+            //Pad is readOnly, first get the real Pad ID
+            readOnlyManager.getPadId(auth.padID, function(err, value) {
+              ERR(err);
+              securityManager.checkAccess(value, auth.sessionID, auth.token, auth.password, checkAccessCallback);
             });
+          } else {
+            securityManager.checkAccess(auth.padID, auth.sessionID, auth.token, auth.password, checkAccessCallback);
+          }
         }
       },
       finalHandler

src/node/handler/SocketIORouter.js

@@ -23,6 +23,7 @@ var ERR = require("async-stacktrace");
 var log4js = require('log4js');
 var messageLogger = log4js.getLogger("message");
 var securityManager = require("../db/SecurityManager");
+var readOnlyManager = require("../db/ReadOnlyManager");
 var settings = require('../utils/Settings');
 
 /**
@@ -87,9 +88,7 @@ exports.setSocketIO = function(_socket) {
         handleMessage(client, message);
       } else { //try to authorize the client
         if(message.padId !== undefined && message.sessionID !== undefined && message.token !== undefined && message.password !== undefined) {
-          //this message has everything to try an authorization
-          securityManager.checkAccess (message.padId, message.sessionID, message.token, message.password,
-            function(err, statusObject) {
+          var checkAccessCallback = function(err, statusObject) {
             ERR(err);
 
             //access was granted, mark the client as authorized and handle the message
@@ -102,8 +101,16 @@ exports.setSocketIO = function(_socket) {
               messageLogger.warn("Authentication try failed:" + stringifyWithoutPassword(message));
               client.json.send({accessStatus: statusObject.accessStatus});
             }
+          };
+          if (message.padId.indexOf("r.") === 0) {
+            readOnlyManager.getPadId(message.padId, function(err, value) {
+              ERR(err);
+              securityManager.checkAccess (value, message.sessionID, message.token, message.password, checkAccessCallback);
+            });
+          } else {
+            //this message has everything to try an authorization
+            securityManager.checkAccess (message.padId, message.sessionID, message.token, message.password, checkAccessCallback);
           }
-          );
         } else { //drop message
           messageLogger.warn("Dropped message cause of bad permissions:" + stringifyWithoutPassword(message));
         }