import: check if author is actually on pad before importing

ether · Apr 4, 2020 · 9847bf6 · 9847bf6
1 parent d2687f1
commit 9847bf6
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 0 deletions.
diff --git a/settings.json.docker b/settings.json.docker
@@ -404,6 +404,12 @@
  "indentationOnNewLine": false,
  */
 
+ /*
+ * If true, importing to a pad is allowed only if an author has a session
+ * estabilished and has already contributed to that specific pad.
+ */
+ "requireAuthorSessionToImport": true,
+
  /*
  * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
  * file is always bounded.

diff --git a/settings.json.template b/settings.json.template
@@ -409,6 +409,12 @@
  "indentationOnNewLine": false,
  */
 
+ /*
+ * If true, importing to a pad is allowed only if an author has a session
+ * estabilished and has already contributed to that specific pad.
+ */
+ "requireAuthorSessionToImport": true,
+
  /*
  * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
  * file is always bounded.

diff --git a/src/node/hooks/express/importexport.js b/src/node/hooks/express/importexport.js
@@ -3,6 +3,7 @@ var settings = require('../../utils/Settings');
 var exportHandler = require('../../handler/ExportHandler');
 var importHandler = require('../../handler/ImportHandler');
 var padManager = require("../../db/PadManager");
+var authorManager = require("../../db/AuthorManager");
 
 exports.expressCreateServer = function (hook_name, args, cb) {
 
@@ -47,6 +48,37 @@ exports.expressCreateServer = function (hook_name, args, cb) {
  return next();
  }
 
+ if (settings.requireAuthorSessionToImport) {
+ console.debug("Requiring an author session to import");
+ if (!req.cookies) {
+ console.warn("Unable to import file because no cookies included in request");
+ next();
+ }
+
+ if(!req.cookies.token) {
+ next();
+ }
+
+ let authorExists = await authorManager.getAuthor4Token(req.cookies.token);
+ if (!authorExists) {
+ console.warn("Unable to import file because Author does not exist");
+
+ return next();
+ }
+
+ let authorsPads = await authorManager.listPadsOfAuthor(authorExists);
+ if (!authorsPads) {
+ console.warn("Unable to import because author does exist but they are not on this pad");
+ return next();
+ }
+
+ let authorsPadIDs = authorsPads.padIDs;
+ if (authorsPadIDs.indexOf(req.params.pad) === -1) {
+ console.warn("Unable to import file because author exists but is not present on pad");
+ return next();
+ }
+ }
+
  importHandler.doImport(req, res, req.params.pad);
  }
  });

diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
@@ -298,6 +298,12 @@ exports.scrollWhenFocusLineIsOutOfViewport = {
  */
 exports.exposeVersion = false;
 
+/*
+ * If true, importing to a pad is allowed only if an author has a session
+ * estabilished and has already contributed to that specific pad.
+ */
+exports.requireAuthorSessionToImport = true;
+
 /*
  * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
  * file is always bounded.