From 9850ba43ee5a41a3383e6eebc8b9be756e80b9ad Mon Sep 17 00:00:00 2001
From: Jordan
Date: Mon, 21 Nov 2011 01:45:37 -0500
Subject: [PATCH] Implement a 'requireSession' mode, which requires any user to have a valid session

---
 node/db/SecurityManager.js | 35 ++++++++++++++++++++++++----------
 node/server.js | 18 +++++++++++------
 node/utils/Settings.js | 6 ++++++
 settings.json.template | 3 +++
 settings.json.template_windows | 3 +++
 5 files changed, 49 insertions(+), 16 deletions(-)

diff --git a/node/db/SecurityManager.js b/node/db/SecurityManager.js
index 7ad8f8d2..762931da 100644
--- a/node/db/SecurityManager.js
+++ b/node/db/SecurityManager.js
@@ -23,6 +23,7 @@ var async = require("async");
 var authorManager = require("./AuthorManager");
 var padManager = require("./PadManager");
 var sessionManager = require("./SessionManager");
+var settings = require("../utils/Settings")
 
 /**
 * This function controlls the access to a pad, it checks if the user can access a pad.
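Review bot: The added require on the new side, `var settings = require("../utils/Settings")`, is the only require in this block without a terminating semicolon; the neighbouring lines all end with `;`, so for consistency it should read `var settings = require("../utils/Settings");`. Relying on automatic semicolon insertion here is harmless today, but it is exactly the kind of line that breaks when a later edit begins the next statement with `(` or `[`.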
@@ -34,18 +35,32 @@ var sessionManager = require("./SessionManager");
 */
 exports.checkAccess = function (padID, sessionID, token, password, callback)
 {
- // it's not a group pad, means we can grant access
- if(padID.indexOf("$") == -1)
+ // a valid session is required (api-only mode)
+ if(settings.requireSession)
 {
- //get author for this token
- authorManager.getAuthor4Token(token, function(err, author)
+ // no sessionID, access is denied
+ if(!sessionID)
 {
- // grant access, with author of token
- callback(err, {accessStatus: "grant", authorID: author});
- })
-
- //don't continue
- return;
+ callback(null, {accessStatus: "deny"});
+ return;
+ }
+ }
+ // a session is not required, so we'll check if it's a public pad
+ else
+ {
+ // it's not a group pad, means we can grant access
+ if(padID.indexOf("$") == -1)
+ {
+ //get author for this token
+ authorManager.getAuthor4Token(token, function(err, author)
+ {
+ // grant access, with author of token
+ callback(err, {accessStatus: "grant", authorID: author});
+ })
+
+ //don't continue
+ return;
+ }
 }
 
 var groupID = padID.split("$")[0];
diff --git a/node/server.js b/node/server.js
index 1e0b6283..fe3c40da 100644
--- a/node/server.js
+++ b/node/server.js
@@ -210,9 +210,12 @@ async.waterfall([
 return;
 }
 
- res.header("Server", serverName);
- var filePath = path.normalize(__dirname + "/../static/pad.html");
- res.sendfile(filePath, { maxAge: exports.maxAge });
+ hasPadAccess(req, res, function()
+ {
+ res.header("Server", serverName);
+ var filePath = path.normalize(__dirname + "/../static/pad.html");
+ res.sendfile(filePath, { maxAge: exports.maxAge });
+ });
 });
 
 //serve timeslider.html under /p/$padname/timeslider
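Review bot: The comment `// a valid session is required (api-only mode)` on the new side claims more than the guard checks: `if(!sessionID)` only rejects a missing session ID, and nothing in this hunk verifies that the ID belongs to a real, unexpired session, so validity must come from the session lookup later in checkAccess, outside the hunk. Suggest `// api-only mode: a session ID must be supplied; whether it is valid is checked below` so a reader does not equate presence with authorisation. Note also that with requireSession enabled, a pad name without `$` no longer takes the removed public-pad branch and reaches `var groupID = padID.split("$")[0];` with the whole pad name as the group ID; presumably the group comparison further down then denies it, but a one-line comment stating that non-group pads are intentionally unreachable in this mode would make that explicit. The checkAccess body continues past the end of the hunk.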
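Review bot: `hasPadAccess` is not defined anywhere in this diff, and the new handler depends on two properties of it that are not visible here: that it writes the denial response itself and that it invokes the callback only when access is granted; a short comment on the call, e.g. `// hasPadAccess sends the denial itself and only calls back on grant`, would record that contract for the next reader. The same wrapper is duplicated verbatim in the timeslider.html hunk at @@ -225; a small helper taking the file name would leave one copy to maintain and reduce each route handler to a single call. The enclosing route handlers start and end outside the hunk.
```javascript
// serve a page from /static once hasPadAccess has granted the request;
// hasPadAccess is expected to send the denial response itself
function sendStaticPage(req, res, fileName)
{
  hasPadAccess(req, res, function()
  {
    res.header("Server", serverName);
    var filePath = path.normalize(__dirname + "/../static/" + fileName);
    res.sendfile(filePath, { maxAge: exports.maxAge });
  });
}

// … unchanged: padname validation in the /p/:pad handler …
sendStaticPage(req, res, "pad.html");
```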
@@ -225,9 +228,12 @@ async.waterfall([
 return;
 }
 
- res.header("Server", serverName);
- var filePath = path.normalize(__dirname + "/../static/timeslider.html");
- res.sendfile(filePath, { maxAge: exports.maxAge });
+ hasPadAccess(req, res, function()
+ {
+ res.header("Server", serverName);
+ var filePath = path.normalize(__dirname + "/../static/timeslider.html");
+ res.sendfile(filePath, { maxAge: exports.maxAge });
+ });
 });
 
 //serve timeslider.html under /p/$padname/timeslider
diff --git a/node/utils/Settings.js b/node/utils/Settings.js
index 1d855a53..9f23d114 100644
--- a/node/utils/Settings.js
+++ b/node/utils/Settings.js
@@ -42,6 +42,12 @@ exports.dbSettings = { "filename" : "../var/dirty.db" };
 * The default Text of a new pad
 */
 exports.defaultPadText = "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n";
+
+ /**
+ * A flag that requires any user to have a valid session (via the api) before accessing a pad
+ */
+ exports.requireSession = false;
+
 /**
 * A flag that shows if minification is enabled or not
 */
diff --git a/settings.json.template b/settings.json.template
index 199ac6d0..f2d375c6 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -29,6 +29,9 @@
 //the default text of a pad
 "defaultPadText" : "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n",
 
+ /* Users must have a session to access pads. This effectively locks etherpad down to using only the API. */
+ "requireSession" : false,
+
 /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, but makes it impossible to debug the javascript/css */
 "minify" : true,
 
diff --git a/settings.json.template_windows b/settings.json.template_windows
index 235ec71a..560e62be 100644
--- a/settings.json.template_windows
+++ b/settings.json.template_windows
@@ -28,6 +28,9 @@
 //the default text of a pad
 "defaultPadText" : "Welcome to Etherpad Lite!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nEtherpad Lite on Github: http:\/\/j.mp/ep-lite\n",
 
+ /* Users must have a session to access pads. This effectively locks etherpad down to using only the API. */
+ "requireSession" : false,
+
 /* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly, but makes it impossible to debug the javascript/css */
 "minify" : false,
 