Commit ce8c3501 authored by Nelson GONCALVES's avatar Nelson GONCALVES
Browse files

Working authorize hook

parent 8c0e0a68
......@@ -5,12 +5,11 @@
const request = require('request');
const cheerio = require("cheerio");
const authorManager = require('ep_etherpad-lite/node/db/AuthorManager');
// const readOnlyManager = require('ep_etherpad-lite/node/db/ReadOnlyManager');
const log4js = require('log4js');
const fs = require("fs");
const jsonminify = require("jsonminify");
let ssoURL = '';
let internalURL = '';
let baseURL = '';
let appKey = '';
let appId = '';
......@@ -26,10 +25,10 @@ try {
else
throw "baseURL not found";
if(config.ssoURL)
ssoURL = config.ssoURL;
if(config.internalURL)
internalURL = config.internalURL;
else
throw "ssoURL not found";
throw "internalURL not found";
if(config.appKey)
appKey = config.appKey;
......@@ -49,20 +48,21 @@ laclasseLogger = log4js.getLogger("ep_laclasse");
exports.authorize = async function (hook_name, context, cb) {
// NOTE: statics in /^\/(static|javascripts|pluginfw|api)/ are always authorized. See webaccess.js
laclasseLogger.info('authorize: for', context.resource);
// allow healthcheck without authentication
if (context.resource.match(/^\/(healthcheck)/)) return cb([true]);
const user = context.req.session.user;
// everything else at least needs a login session
if (!context.req.session.user) return cb([false]);
if (!user) return cb([false]);
// protect the admin routes
if (context.resource.indexOf('/admin') === 0 && !context.req.session.user.is_admin) return cb([false]);
if (context.resource.indexOf('/admin') === 0 && !user.is_admin) return cb([false]);
// check if user has access to pad
const padID = (req.path.match(/^\/p\/(.*)$/) || [])[1];
const matches = context.resource.match(/^\/p\/(\d+)(\/.*)*$/);
const padID = matches ? matches[1] : null;
if (padID == null) return cb([false]);
const rights = await padRightsForUser(padID, user.uid).then(body => {
const rights = JSON.parse(body);
......@@ -79,17 +79,11 @@ exports.authorize = async function (hook_name, context, cb) {
laclasseLogger.info('authorize: authorized');
// if(rights.Write) {
// const padURL = new URL(`/pads${context.req.path}`,baseURL);
// context.res.redirect(padURL.toString());
// } else {
// const readonlyId = await readOnlyManager.getReadOnlyId();
// const padURL = new URL(`/pads/p/${readonlyId}`,baseURL);
// laclasseLogger.info('authenticate: redirect to readonly URL', padURL.toString());
// context.res.redirect(padURL.toString());
// }
return cb([true]);
if(rights.Write) {
return cb(['modify']);
} else {
return cb(['readOnly']);
}
};
function getServiceURL(request) {
......@@ -100,7 +94,7 @@ function getServiceURL(request) {
function serviceValidate(ticket,service) {
return new Promise(function(resolve, reject) {
const validateURL = new URL('/sso/serviceValidate',ssoURL);
const validateURL = new URL('/sso/serviceValidate',internalURL);
const urlParams = new URLSearchParams({
ticket: ticket, service: service
});
......@@ -195,7 +189,8 @@ exports.authenticate = async function (hook_name, context, cb) {
context.req.session.user = {
username: user.uid,
display_name: `${user.firstname} ${user.lastname}`,
is_admin: false
is_admin: false,
canCreate: false,
};
laclasseLogger.info('authenticate: successful authentication', context.req.session.user);
......
{
// The URL used to contact the SSO
"ssoURL": "${SSO_URL}",
// The URL used to contact service internally
"internalURL": "${SSO_URL}",
// The public URL to be redirected to
// The public URL of service
"baseURL": "${BASE_URL}",
// The public URL to be redirected to
// The key of the app to have access to laclasse API
"appKey": "${APP_KEY}",
// The public URL to be redirected to
// The id of the app to have access to laclasse API
"appId": "${APP_ID}"
}
......@@ -65,9 +65,6 @@
/* Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads. */
"editOnly" : true,
/* Users, who have a valid session, automatically get granted access to password protected pads */
"sessionNoPassword" : false,
/* if true, all css & js will be minified before sending to the client. This will improve the loading performance massivly,
but makes it impossible to debug the javascript/css */
"minify" : true,
......@@ -96,7 +93,7 @@
"requireAuthentication" : true,
/* Require authorization by a module, or a user with is_admin set, see below. */
"requireAuthorization" : false,
"requireAuthorization" : true,
/*when you use NginX or another proxy/ load-balancer set this to true*/
"trustProxy" : false,
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment