From 020b636b1f6ffecfd6cf5563e0867ce4c401aebe Mon Sep 17 00:00:00 2001
From: John McLear
Date: Tue, 18 Nov 2014 14:08:44 +0000
Subject: [PATCH 1/6] template of a semi-fix
---
 src/node/hooks/express/adminplugins.js | 6 +++---
 src/static/js/admin/plugins.js | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/node/hooks/express/adminplugins.js b/src/node/hooks/express/adminplugins.js
index d8f19bba..b348c023 100644
--- a/src/node/hooks/express/adminplugins.js
+++ b/src/node/hooks/express/adminplugins.js
@@ -14,7 +14,6 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 search_results: {},
 errors: [],
 };
- res.send( eejs.require("ep_etherpad-lite/templates/admin/plugins.html", render_args) );
 });
 args.app.get('/admin/plugins/info', function(req, res) {
@@ -25,7 +24,8 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 exports.socketio = function (hook_name, args, cb) {
 var io = args.io.of("/pluginfw/installer");
 io.on('connection', function (socket) {
- if (!socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
+ console.warn("THIS IS BROKEN", socket.handshake);
+ if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
 socket.on("getInstalled", function (query) {
 // send currently installed plugins
@@ -107,4 +107,4 @@ function sortPluginList(plugins, property, /*ASC?*/dir) {
 // a must be equal to b
 return 0;
 })
-}
\ No newline at end of file
+}
diff --git a/src/static/js/admin/plugins.js b/src/static/js/admin/plugins.js
index e6c7a122..8a4c732e 100644
--- a/src/static/js/admin/plugins.js
+++ b/src/static/js/admin/plugins.js
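Review bot: Deleting `res.send( eejs.require("ep_etherpad-lite/templates/admin/plugins.html", render_args) );` leaves the `/admin/plugins` GET handler without any response, so `render_args` is built and thrown away and the browser waits until the request times out. Nothing else in this patch series touches that handler, so if the template is still meant to be served the line should come back, and if the page moves elsewhere the handler still needs to end the request, e.g. with a redirect. The enclosing `exports.expressCreateServer` function begins before this hunk.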
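Review bot: `console.warn("THIS IS BROKEN", socket.handshake);` dumps the whole handshake object to the server log; in socket.io that object carries the request headers, so the admin session cookie lands in the log on every connection to `/pluginfw/installer`. Remove the line before this leaves a branch, or log a single harmless field such as `socket.handshake.address`. The guard added beside it still rejects a non-admin with a bare `return`, which leaves the unauthenticated socket connected with no handlers; `socket.disconnect(); return;` states the refusal explicitly and frees the connection — the same silent-return shape appears in the `/settings` hunk of patch 3 and in the rewritten checks of patches 5 and 6. `exports.socketio` continues past the end of this hunk.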
@@ -10,7 +10,8 @@ $(document).ready(function () {
 resource = baseURL.substring(1) + "socket.io";
 //connect
- socket = io.connect(url, {resource : resource}).of("/pluginfw/installer");
+ var room = url + "pluginfw/installer";
+ socket = io.connect(room, {resource : resource});
 function search(searchTerm, limit) {
 if(search.searchTerm != searchTerm) {
From d10013c1590594303397476f125354aa945ac483 Mon Sep 17 00:00:00 2001
From: John McLear
Date: Tue, 18 Nov 2014 14:10:38 +0000
Subject: [PATCH 2/6] client side code now fixed
---
 src/static/js/admin/settings.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/static/js/admin/settings.js b/src/static/js/admin/settings.js
index fb3f2e97..8a4473d6 100644
--- a/src/static/js/admin/settings.js
+++ b/src/static/js/admin/settings.js
@@ -9,7 +9,8 @@ $(document).ready(function () {
 resource = baseURL.substring(1) + "socket.io";
 //connect
- socket = io.connect(url, {resource : resource}).of("/settings");
+ var room = url + "settings";
+ socket = io.connect(room, {resource : resource});
 socket.on('settings', function (settings) {
From ff603d7b586f4a8d675e30d8ff659f5c189afd5a Mon Sep 17 00:00:00 2001
From: John McLear
Date: Tue, 18 Nov 2014 14:12:02 +0000
Subject: [PATCH 3/6] stability restored now to handle the auth issues
---
 src/node/hooks/express/adminsettings.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/node/hooks/express/adminsettings.js b/src/node/hooks/express/adminsettings.js
index 2a48d289..ba3009cd 100644
--- a/src/node/hooks/express/adminsettings.js
+++ b/src/node/hooks/express/adminsettings.js
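Review bot: `var room = url + "pluginfw/installer";` depends on `url` ending in a slash; `url` is set above this hunk where it cannot be checked, and if it is a bare origin the client connects to a namespace path that does not exist on the server instead of `/pluginfw/installer`. Since the neighbouring context line already hand-builds `resource` from `baseURL.substring(1)`, it is worth normalising the separator once rather than trusting it: `var room = url.replace(/\/?$/, "/") + "pluginfw/installer";`. The settings.js hunk in patch 2 builds `url + "settings"` the same way and has the same exposure. `socket` is also still assigned without `var`, so it becomes a global — not new, but worth fixing while the line is being rewritten.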
@@ -22,7 +22,9 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 exports.socketio = function (hook_name, args, cb) {
 var io = args.io.of("/settings");
 io.on('connection', function (socket) {
- if (!socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
+ console.warn ("THIS IS BROKEN");
+
+ if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
 socket.on("load", function (query) {
 fs.readFile('settings.json', 'utf8', function (err,data) {
From 3e8f3cd938995a75e5146a149bf339dd5603416f Mon Sep 17 00:00:00 2001
From: John McLear
Date: Tue, 18 Nov 2014 14:56:40 +0000
Subject: [PATCH 4/6] hrm I dont trust this security
---
 src/node/hooks/express/adminplugins.js | 5 +++--
 src/node/hooks/express/adminsettings.js | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/node/hooks/express/adminplugins.js b/src/node/hooks/express/adminplugins.js
index b348c023..ccc100dc 100644
--- a/src/node/hooks/express/adminplugins.js
+++ b/src/node/hooks/express/adminplugins.js
@@ -24,8 +24,9 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 exports.socketio = function (hook_name, args, cb) {
 var io = args.io.of("/pluginfw/installer");
 io.on('connection', function (socket) {
- console.warn("THIS IS BROKEN", socket.handshake);
- if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
+
+ console.warn ("The middleware now handles auth but I'm not convinced SocketIO is being responsible enough here so this needs reviewing before hitting master");
+ // if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
 socket.on("getInstalled", function (query) {
 // send currently installed plugins
diff --git a/src/node/hooks/express/adminsettings.js b/src/node/hooks/express/adminsettings.js
index ba3009cd..3529e205 100644
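Review bot: `console.warn ("THIS IS BROKEN");` is a debugging line that fires on every connection to the `/settings` namespace, and the series never cleans it up — patch 4 only swaps it for a longer one, and patch 5 deletes it together with the guard. Debug output like this belongs in a local branch, not in a patch whose subject says stability is restored; if a trace is wanted for the session problem being chased, log the one fact in question in the failing branch, e.g. `console.warn("admin settings socket without session");`. `exports.socketio` continues past the end of this hunk.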
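Review bot: Commenting out `// if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;` removes the only admin check in this handler, and nothing in the hunk shows the middleware that the new `console.warn` says now handles auth, so from this patch on every client that reaches the `/pluginfw/installer` namespace can invoke `getInstalled` and the other handlers registered below (the handler continues outside the hunk). The commit subject itself records the doubt; a check whose replacement cannot yet be seen should stay in place and fail closed rather than be disabled with a note to review later. The `/settings` namespace in src/node/hooks/express/adminsettings.js gets the identical treatment in this patch, and patches 5 and 6 reinstate the check through `socket.conn.request.session`, which suggests the middleware on its own was not enough.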
--- a/src/node/hooks/express/adminsettings.js
+++ b/src/node/hooks/express/adminsettings.js
@@ -22,9 +22,9 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 exports.socketio = function (hook_name, args, cb) {
 var io = args.io.of("/settings");
 io.on('connection', function (socket) {
- console.warn ("THIS IS BROKEN");
- if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
+ console.warn ("The middleware now handles auth but I'm not convinced SocketIO is being responsible enough here so this needs reviewing before hitting master");
+ // if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
 socket.on("load", function (query) {
 fs.readFile('settings.json', 'utf8', function (err,data) {
From ae7da122d7d35e1da38280f12defd65a899859a1 Mon Sep 17 00:00:00 2001
From: John McLear
Date: Sun, 23 Nov 2014 14:14:01 +0000
Subject: [PATCH 5/6] fix session management
---
 src/node/hooks/express/adminsettings.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/node/hooks/express/adminsettings.js b/src/node/hooks/express/adminsettings.js
index 3529e205..42a07c73 100644
--- a/src/node/hooks/express/adminsettings.js
+++ b/src/node/hooks/express/adminsettings.js
@@ -23,8 +23,7 @@ exports.socketio = function (hook_name, args, cb) {
 var io = args.io.of("/settings");
 io.on('connection', function (socket) {
- console.warn ("The middleware now handles auth but I'm not convinced SocketIO is being responsible enough here so this needs reviewing before hitting master");
- // if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
+ if (!socket.conn.request.session || !socket.conn.request.session.user || !socket.conn.request.session.user.is_admin) return;
 socket.on("load", function (query) {
 fs.readFile('settings.json', 'utf8', function (err,data) {
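Review bot: `if (!socket.conn.request.session || !socket.conn.request.session.user || !socket.conn.request.session.user.is_admin) return;` takes the express session from the engine.io request object, and whether that object has a `session` at all depends on session middleware being hooked into socket.io somewhere outside this file; a one-line comment naming that place, e.g. `// session is attached to socket.conn.request by the socket.io session middleware in <file>`, would let the next reader verify the check instead of trusting it. The same line is pasted into src/node/hooks/express/adminplugins.js in patch 6, so a shared predicate such as `function isAdminSocket(socket) { var s = socket.conn.request.session; return !!(s && s.user && s.user.is_admin); }` would stop the two admin namespaces drifting apart, which is what this series spent four patches on. `exports.socketio` continues past the end of this hunk.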
From 73bcbbcb8985568d8b76af8d49443eec7d52f12e Mon Sep 17 00:00:00 2001
From: John McLear
Date: Sun, 23 Nov 2014 14:15:03 +0000
Subject: [PATCH 6/6] final commit
---
 src/node/hooks/express/adminplugins.js | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/node/hooks/express/adminplugins.js b/src/node/hooks/express/adminplugins.js
index ccc100dc..ded1f660 100644
--- a/src/node/hooks/express/adminplugins.js
+++ b/src/node/hooks/express/adminplugins.js
@@ -25,8 +25,7 @@ exports.socketio = function (hook_name, args, cb) {
 var io = args.io.of("/pluginfw/installer");
 io.on('connection', function (socket) {
- console.warn ("The middleware now handles auth but I'm not convinced SocketIO is being responsible enough here so this needs reviewing before hitting master");
- // if (!socket.handshake.session || !socket.handshake.session.user || !socket.handshake.session.user.is_admin) return;
+ if (!socket.conn.request.session || !socket.conn.request.session.user || !socket.conn.request.session.user.is_admin) return;
 socket.on("getInstalled", function (query) {
 // send currently installed plugins