Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix admin authorization on recent Etherpad #47

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

pcworld
Copy link

@pcworld pcworld commented Mar 14, 2021

As of Etherpad 1.8.7 (and possibly earlier), the authorize hook did not
seem to be called anymore. According to the documentation, it is not
called for admin paths, and recent Etherpads allow admin access only to
admin users anyway.
Thus, this commit moves the admin check to be part of authentication.
This has the disadvantage that admin sessions will stay valid even if a
user is removed from an admin group, which is now documented in the
README.


Tested on Etherpad 1.8.7.
I did not test the anonymousReadonly feature. It's possible that some of this may need to be moved to a preAuthorize hook, but I did not test it. Though the documentation about the authorize hook writes:

(Requests for static content and API endpoints are always authorized, even if unauthenticated.)

The code certainly is not pretty, but is mostly inherited from the old code.

As of Etherpad 1.8.7 (and possibly earlier), the authorize hook did not
seem to be called anymore. According to the documentation, it is not
called for admin paths, and recent Etherpads allow admin access only to
admin users anyway.
Thus, this commit moves the admin check to be part of authentication.
This has the disadvantage that admin sessions will stay valid even if a
user is removed from an admin group, which is now documented in the
README.

Signed-off-by: pcworld <0188801@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant