tykeal / ep_ldapauth

(Up for adoption) LDAP authentication plugin for Etherpad-lite
GNU General Public License v2.0

Fix admin authorization on recent Etherpad #47

Open pcworld opened 3 years ago

pcworld commented 3 years ago

As of Etherpad 1.8.7 (and possibly earlier), the authorize hook did not seem to be called anymore. According to the documentation, it is not called for admin paths, and recent Etherpads allow admin access only to admin users anyway. Thus, this commit moves the admin check to be part of authentication. This has the disadvantage that admin sessions will stay valid even if a user is removed from an admin group, which is now documented in the README.
Tested on Etherpad 1.8.7. I did not test the anonymousReadonly feature. It's possible that some of this may need to be moved to a preAuthorize hook, but I did not test it. Though the documentation about the authorize hook writes:

(Requests for static content and API endpoints are always authorized, even if unauthenticated.)

The code certainly is not pretty, but is mostly inherited from the old code.
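An added illustration of the pattern this PR describes (not ep_ldapauth's own code): the admin decision is made inside the authenticate hook, since authorize is not consulted for admin paths, and a cached session keeps its is_admin flag after the user leaves the group. The Etherpad hook context shape, the in-memory "directory" standing in for LDAP, and the simplified session flow are assumptions.

```javascript
// Constructed stand-in for the LDAP directory (bind + group membership lookup).
const directory = {
  alice: { password: 'alice-pw', groups: ['etherpad-admins', 'staff'] },
  bob:   { password: 'bob-pw',   groups: ['staff'] },
};
const ADMIN_GROUP = 'etherpad-admins'; // assumed group name

function parseBasicAuth(header) {
  if (!header || !header.startsWith('Basic ')) return null;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const i = decoded.indexOf(':');
  if (i < 0) return null;
  return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Etherpad-style authenticate hook (assumed shape): context = {req, res, users};
// set req.session.user and cb([true]) on success, cb([false]) to reject.
function authenticate(hookName, { req }, cb) {
  const creds = parseBasicAuth(req.headers.authorization);
  const entry = creds && directory[creds.username];
  if (!entry || entry.password !== creds.password) return cb([false]);
  const isAdmin = entry.groups.includes(ADMIN_GROUP);
  // The admin check lives here because the authorize hook is not called for /admin.
  if (req.path.startsWith('/admin') && !isAdmin) return cb([false]);
  req.session.user = { username: creds.username, is_admin: isAdmin, readOnly: false, canCreate: true };
  return cb([true]);
}

// Simplified model of Etherpad's request flow: an existing session user is trusted
// without re-running authenticate, which is the documented caveat. Returns true if allowed.
function handleRequest(req) {
  if (req.session.user) {
    return !req.path.startsWith('/admin') || req.session.user.is_admin === true;
  }
  let allowed = false;
  authenticate('authenticate', { req, res: {}, users: {} }, ([ok]) => { allowed = ok === true; });
  return allowed;
}

// Helper to build a Basic auth header value for the sample requests.
function basic(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`).toString('base64');
}
```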