From 9847bf67ff0ff24e87131833004a8e2e050c020d Mon Sep 17 00:00:00 2001
From: John McLear
Date: Sat, 4 Apr 2020 21:43:33 +0000
Subject: [PATCH] import: check if author is actually on pad before importing
---
 settings.json.docker | 6 +++++
 settings.json.template | 6 +++++
 src/node/hooks/express/importexport.js | 32 ++++++++++++++++++++++++++
 src/node/utils/Settings.js | 6 +++++
 4 files changed, 50 insertions(+)

diff --git a/settings.json.docker b/settings.json.docker
index 98a1f0fd842e..e15f0bf95844 100644
--- a/settings.json.docker
+++ b/settings.json.docker
@@ -404,6 +404,12 @@
 "indentationOnNewLine": false,
 */
 
+ /*
+ * If true, importing to a pad is allowed only if an author has a session
+ * estabilished and has already contributed to that specific pad.
+ */
+ "requireAuthorSessionToImport": true,
+
 /*
 * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
 * file is always bounded.
diff --git a/settings.json.template b/settings.json.template
index 141dbe55669e..9bd8c26e3272 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -409,6 +409,12 @@
 "indentationOnNewLine": false,
 */
 
+ /*
+ * If true, importing to a pad is allowed only if an author has a session
+ * estabilished and has already contributed to that specific pad.
+ */
+ "requireAuthorSessionToImport": true,
+
 /*
 * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
 * file is always bounded.
diff --git a/src/node/hooks/express/importexport.js b/src/node/hooks/express/importexport.js
index aeb6e3664bca..59ad682d2be5 100644
--- a/src/node/hooks/express/importexport.js
+++ b/src/node/hooks/express/importexport.js
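Review bot: The new comment in the settings.json.docker hunk (duplicated verbatim in settings.json.template) has a typo, `estabilished` → `established`, and its wording is misleading: the check this option gates, in the src/node/hooks/express/importexport.js hunk of the same patch, keys on the author `token` cookie rather than on an Etherpad session, so "has a session estabilished" describes a mechanism the code does not use. An operator who also runs with `requireSession` would reasonably assume the two share an enforcement path. Suggested comment for both files: `If true, importing to a pad is allowed only if the requesting client presents an author token cookie whose author has already contributed to that specific pad.`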
@@ -3,6 +3,7 @@ var settings = require('../../utils/Settings');
 var exportHandler = require('../../handler/ExportHandler');
 var importHandler = require('../../handler/ImportHandler');
 var padManager = require("../../db/PadManager");
+var authorManager = require("../../db/AuthorManager");
 
 exports.expressCreateServer = function (hook_name, args, cb) {
 
@@ -47,6 +48,37 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 return next();
 }
 
+ if (settings.requireAuthorSessionToImport) {
+ console.debug("Requiring an author session to import");
+ if (!req.cookies) {
+ console.warn("Unable to import file because no cookies included in request");
+ next();
+ }
+
+ if(!req.cookies.token) {
+ next();
+ }
+
+ let authorExists = await authorManager.getAuthor4Token(req.cookies.token);
+ if (!authorExists) {
+ console.warn("Unable to import file because Author does not exist");
+
+ return next();
+ }
+
+ let authorsPads = await authorManager.listPadsOfAuthor(authorExists);
+ if (!authorsPads) {
+ console.warn("Unable to import because author does exist but they are not on this pad");
+ return next();
+ }
+
+ let authorsPadIDs = authorsPads.padIDs;
+ if (authorsPadIDs.indexOf(req.params.pad) === -1) {
+ console.warn("Unable to import file because author exists but is not present on pad");
+ return next();
+ }
+ }
+
 importHandler.doImport(req, res, req.params.pad);
 }
 });
diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
index fc195f1a14e7..bffdf8d0e99c 100644
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@@ -298,6 +298,12 @@ exports.scrollWhenFocusLineIsOutOfViewport = {
 */
 exports.exposeVersion = false;
 
+/*
+ * If true, importing to a pad is allowed only if an author has a session
+ * estabilished and has already contributed to that specific pad.
+ */
+exports.requireAuthorSessionToImport = true;
+
 /*
 * From Etherpad 1.8.3 onwards, the maximum allowed size for a single imported
 * file is always bounded.
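Review bot: The first two early exits in the new `requireAuthorSessionToImport` block do not return: when `req.cookies` is undefined the handler calls `next()` and then falls through to `req.cookies.token`, which throws a TypeError inside this async handler, and when the `token` cookie is absent it calls `next()` and still continues into `getAuthor4Token(undefined)`, after which any later `return next()` invokes `next()` a second time on the same request. Both sites should read `return next();`, matching the `return next();` the hunk already uses for the other three denials. Separately, if `getAuthor4Token` creates an author record for an unknown token, as its name suggests but this hunk cannot show, the `!authorExists` branch is unreachable and every unauthenticated import attempt persists a new author keyed by an attacker-chosen token, so a non-creating lookup is worth checking for. Minor style: the three `let` bindings are never reassigned and read better as `const`, and `authorsPadIDs.indexOf(req.params.pad) === -1` as `!authorsPadIDs.includes(req.params.pad)`. The enclosing request handler starts and ends outside this hunk.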