ep_ldapauth
Fix admin authorization on recent Etherpad
As of Etherpad 1.8.7 (and possibly earlier), the authorize hook did not seem to be called anymore. According to the documentation, it is not called for admin paths, and recent Etherpads allow admin access only to admin users anyway. Thus, this commit moves the admin check to be part of authentication. This has the disadvantage that admin sessions will stay valid even if a user is removed from an admin group, which is now documented in the README.
Tested on Etherpad 1.8.7.
I did not test the anonymousReadonly feature. It's possible that some of this may need to be moved to a preAuthorize hook, but I did not test it. Though the documentation about the authorize hook writes:
(Requests for static content and API endpoints are always authorized, even if unauthenticated.)
The code certainly is not pretty, but is mostly inherited from the old code.
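The trade-off described in the commit message, as an added example that is not code from ep_ldapauth or Etherpad: an authenticate-style hook decides admin status once at login and stores it in the session, so a later group removal only takes effect on the next authentication. The in-memory `directory`, the helpers `bindOk` and `inAdminGroup`, and the `login` and `demoStaleAdmin` wrappers are hypothetical stand-ins for the LDAP bind and group lookup; the `(hookName, context, cb)` shape and the `session.user.is_admin` field are assumed to follow Etherpad's authenticate hook convention.

```javascript
// Constructed in-memory stand-in for the LDAP directory (hypothetical data).
const directory = {
  users: {alice: 'alice-pw', bob: 'bob-pw'},
  adminGroup: new Set(['alice']),
};

// Hypothetical helpers; a real plugin would do an LDAP bind and a group search.
const bindOk = (username, password) =>
  Object.prototype.hasOwnProperty.call(directory.users, username) &&
  directory.users[username] === password;
const inAdminGroup = (username) => directory.adminGroup.has(username);

// Shaped like an Etherpad authenticate hook (assumed): (hookName, context, cb).
// Admin status is decided here, once, and stored in the session.
function authenticate(hookName, context, cb) {
  const {username, password} = context;
  if (typeof username !== 'string' || typeof password !== 'string' ||
      !bindOk(username, password)) {
    return cb([false]);
  }
  context.req.session.user = {username, is_admin: inAdminGroup(username)};
  return cb([true]);
}

// Logs a user in against a fresh session; returns the session, or null on failure.
function login(username, password) {
  const req = {session: {}};
  let ok = false;
  authenticate('authenticate', {req, username, password}, ([result]) => {
    ok = result;
  });
  return ok ? req.session : null;
}

// Walks through the caveat: group removal does not touch an existing session.
function demoStaleAdmin() {
  const oldSession = login('alice', 'alice-pw');
  directory.adminGroup.delete('alice'); // alice loses admin in the directory
  const newSession = login('alice', 'alice-pw');
  directory.adminGroup.add('alice'); // restore the constructed data
  return {
    staleIsAdmin: oldSession.user.is_admin, // old session keeps the flag
    freshIsAdmin: newSession.user.is_admin, // re-authentication sees the change
  };
}
```
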