From dad83d9b77356a8829d23fb6fe1ae15bf7631c14 Mon Sep 17 00:00:00 2001 From: Marcel Klehr Date: Sun, 2 Sep 2012 19:51:40 +0200 Subject: [PATCH] Document multi-session cookie feature --- src/node/db/SecurityManager.js | 50 ++++++++++++++++------------------ 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js index a092453ad..c0efcf5bf 100644 --- a/src/node/db/SecurityManager.js +++ b/src/node/db/SecurityManager.js @@ -36,15 +36,15 @@ var randomString = require('ep_etherpad-lite/static/js/pad_utils').randomString; * @param password the password the user has given to access this pad, can be null * @param callback will be called with (err, {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx}) */ -exports.checkAccess = function (padID, sessionID, token, password, callback) +exports.checkAccess = function (padID, sessionCookie, token, password, callback) { var statusObject; // a valid session is required (api-only mode) if(settings.requireSession) { - // no sessionID, access is denied - if(!sessionID) + // without sessionCookie, access is denied + if(!sessionCookie) { callback(null, {accessStatus: "deny"}); return; @@ -114,32 +114,30 @@ exports.checkAccess = function (padID, sessionID, token, password, callback) callback(); }); }, - //get informations about this session + //get information about all sessions contained in this cookie function(callback) { - sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) - { - //skip session validation if the session doesn't exists - if(err && err.message == "sessionID does not exist") - { - callback(); - return; - } - - if(ERR(err, callback)) return; - - var now = Math.floor(new Date().getTime()/1000); - - //is it for this group? and is validUntil still ok? --> validSession - if(sessionInfo.groupID == groupID && sessionInfo.validUntil > now) - { + var sessionIDs = sessionCookie.split(','); + async.foreach(sessionIDs, function(sessionID) { + sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) { + //skip session if it doesn't exist + if(err && err.message == "sessionID does not exist") return; + + if(ERR(err, callback)) return; + + var now = Math.floor(new Date().getTime()/1000); + + //is it for this group? + if(sessionInfo.groupID != groupID) return; + + //is validUntil still ok? + if(sessionInfo.validUntil <= now) return; + + // There is a valid session validSession = true; - } - - sessionAuthor = sessionInfo.authorID; - - callback(); - }); + sessionAuthor = sessionInfo.authorID; + }); + }, callback) }, //get author for token function(callback)