Merge pull request #49 from ONLYOFFICE/feature/check-jwt-permissions

Feature/check jwt permissions
2026-04-07 14:04:35 +08:00 · 2017-10-19 14:02:44 +03:00
parent f3c70f3da6 f28a908a1a
commit 321ef1d5af
2 changed files with 12 additions and 2 deletions
--- a/DocService/package.json
+++ b/DocService/package.json
@ -9,6 +9,7 @@
    "co": "^4.6.0",
    "config": "^1.21.0",
    "cron": "^1.1.0",
+    "deep-equal": "^1.0.1",
    "express": "^4.14.0",
    "fakeredis": "^1.0.3",
    "jsonwebtoken": "^7.1.9",
--- a/DocService/sources/DocsCoServer.js
+++ b/DocService/sources/DocsCoServer.js
@ -85,6 +85,7 @@ const co = require('co');
 const jwt = require('jsonwebtoken');
 const jwa = require('jwa');
 const ms = require('ms');
+const deepEqual  = require('deep-equal');
 const storage = require('./../../Common/sources/storage-base');
 const logger = require('./../../Common/sources/logger');
 const constants = require('./../../Common/sources/constants');
@ -1654,12 +1655,14 @@ exports.install = function(server, callbackFunction) {
  function isEditMode(permissions, mode, def) {
    if (permissions && mode) {
      //as in web-apps/apps/documenteditor/main/app/controller/Main.js
-      return (permissions.edit !== false || permissions.review === true) && mode !== 'view';
+      return ((permissions.edit !== false || permissions.review === true) && mode !== 'view') ||
+        permissions.comment === true;
    } else {
      return def;
    }
  }
  function fillDataFromJwt(decoded, data) {
+    let res = true;
    var openCmd = data.openCmd;
    if (decoded.document) {
      var doc = decoded.document;
@ -1670,6 +1673,7 @@ exports.install = function(server, callbackFunction) {
        }
      }
      if(doc.permissions) {
+        res = deepEqual(data.permissions, doc.permissions, {strict: true});
        if(!data.permissions){
          data.permissions = {};
        }
@ -1729,6 +1733,7 @@ exports.install = function(server, callbackFunction) {
    if (decoded.iss) {
      data.iss = decoded.iss;
    }
+    return res;
  }
  function fillVersionHistoryFromJwt(decoded, cmd) {
    if (decoded.changesUrl && decoded.previous && (cmd.getServerVersion() === commonDefines.buildVersion)) {
@ -1779,7 +1784,11 @@ exports.install = function(server, callbackFunction) {
        const isSession = !!data.jwtSession;
        const checkJwtRes = checkJwt(docId, data.jwtSession || data.jwtOpen, isSession);
        if (checkJwtRes.decoded) {
-          fillDataFromJwt(checkJwtRes.decoded, data);
+          if (!fillDataFromJwt(checkJwtRes.decoded, data)) {
+            logger.warn("fillDataFromJwt return false: docId = %s", docId);
+            conn.close(constants.ACCESS_DENIED_CODE, constants.ACCESS_DENIED_REASON);
+            return;
+          }
        } else {
          conn.close(checkJwtRes.code, checkJwtRes.description);
          return;