ep_sciencemesh's People

Contributors

glpatcern, waridrox

Forkers

glpatcern

ep_sciencemesh's Issues

Block access to pad when wopi webhook responds with HTTP 400 or 500

Reposting here as this contains implementation details:

  • Etherpad doesn't allow changing access state values during concurrent editing, unlike Google Docs. Pad access states like readonly have to be declared upfront in the settings.json file. / A readonly URL can be loaded using the already existing padID with the help of the getReadOnlyID(padID) function.
  • If, however, the user is already aware of the original padID where the edits can be made, then they would have access to those pads if they went back to that URL.

A possible solution would be to set a sessionID for the editing author once we receive the metadata contents from the setefssmetadata endpoint, then subsequently remove this sessionID on occurrence of the errors.

Maybe something like -

--- a/index.js
+++ b/index.js

+let globalSessionID = null;

 const setNotificationData = (padID, message) => {
   let padId = padID
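
Review bot: globalSessionID at the top of index.js is a single module-level variable shared by every pad and every author, so each call to setSessionId overwrites the previous user's session and the later api.deleteSession(globalSessionID) can only ever remove the most recently created one. Keep the session ID per pad and author instead, for example in a Map keyed the same way as the efssmetadata:${context.pad.id}:${context.author} record, or store it in db next to that record.
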
@@ -38,10 +30,28 @@ const setNotificationData = (padID, message) => {
   padMessageHandler.handleCustomObjectMessage(msg, false)
 }

+const setSessionId = (param) => {
+  globalSessionID = param;
+}
+
 const getMetadata = async (context) => {
   const getMetadata = await db.get(`efssmetadata:${context.pad.id}:${context.author}`).catch((err) => { console.error(JSON.stringify(err.message)) });
 
   if (getMetadata) {
+    let groupId = await db.get(`mapper2group:1`);
+    const sessionID = await api.createSession(groupId, context.author, Math.floor((Date.now()/1000)+5*60)).catch((err) => { if (err.name === 'apierror') return null; });
+    
+    setSessionId(sessionID.sessionID);
+
     const queryParams = getMetadata.split(':');
     const wopiSrc = decodeURIComponent(queryParams[0]);
     const wopiHost = new URL(wopiSrc).origin;
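
Review bot: in getMetadata, the .catch on api.createSession returns null for an 'apierror' and undefined for any other error, and the next statement reads sessionID.sessionID without a guard, so a failed session creation throws a TypeError here instead of being handled. Check the result before calling setSessionId and decide what should happen to the pad when no session could be created. The group lookup with the key mapper2group:1 is also hard-coded and its result is passed to createSession unchecked; derive the group from the pad or author being handled, or document why a single group is correct. Nothing in these lines hands the new session ID to the author's browser, so it is worth stating how the session is expected to gate access to the pad.
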
@@ -82,6 +92,9 @@ const wopiCall = async (wopiHost, wopiSrc, accessToken, padID, close=false) => {
   })
   .catch((error) => {
     if (error.status === 400 || error.status === 500) { 
       let errorStatusText = error.statusText;
 
       if (error.data.message) {
@@ -90,8 +103,19 @@ 
+
+      // delete the session
+      await api.deleteSession(globalSessionID);

     }
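
Review bot: await api.deleteSession(globalSessionID) is added inside the .catch((error) => { callback of wopiCall, which is not declared async, so the await is a syntax error as written; declare the callback as async (error) => { ... } or return the promise from api.deleteSession instead. The call should also be skipped while globalSessionID is still null, and its own rejection should be caught so that a failed delete does not mask the original 400 or 500 from the WOPI call.
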
  • However, this appears to be non-functional when tested and may prove to be ineffective for multiple users, since in that case multiple sessionIDs would need to be fetched from the database.
  • Even after the Unix timestamp that is supposed to expire after 5 minutes, the user is still able to edit the pad and make changes, when in fact they shouldn't be allowed to do so.
  • Thus, another alternative needs to be investigated...
