Fix admin authorization on recent Etherpad #47
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As of Etherpad 1.8.7 (and possibly earlier), the authorize hook did not seem to be called anymore. According to the documentation, it is not called for admin paths, and recent Etherpads allow admin access only to admin users anyway. Thus, this commit moves the admin check to be part of authentication. This has the disadvantage that admin sessions will stay valid even if a user is removed from an admin group, which is now documented in the README. Signed-off-by: pcworld <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As of Etherpad 1.8.7 (and possibly earlier), the authorize hook did not
seem to be called anymore. According to the documentation, it is not
called for admin paths, and recent Etherpads allow admin access only to
admin users anyway.
Thus, this commit moves the admin check to be part of authentication.
This has the disadvantage that admin sessions will stay valid even if a
user is removed from an admin group, which is now documented in the
README.
Tested on Etherpad 1.8.7.
I did not test the
anonymousReadonlyfeature. It's possible that some of this may need to be moved to a preAuthorize hook, but I did not test it. Though the documentation about the authorize hook writes:The code certainly is not pretty, but is mostly inherited from the old code.