This commit is contained in:
John McLear 2026-07-18 07:14:17 +00:00 committed by GitHub
commit 2d889b92dc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 14 additions and 4 deletions

View file

@ -75,10 +75,13 @@ exports.checkAccess = async (padID:string, sessionCookie:string, token:string, u
}
// Authentication and authorization checks.
if (settings.loadTest) {
console.warn(
'bypassing socket.io authentication and authorization checks due to settings.loadTest');
} else if (settings.requireAuthentication) {
// settings.loadTest just short-circuits authn/authz; the user-facing
// warning about this configuration choice is logged from Settings.ts
// during settings load/reload, not on every request. Re-logging it
// here was costing ~4% of process CPU in the 100-400 author dive
// sweep (#7756): the routed-console-warn went through log4js's
// clustering dispatch on every message.
if (!settings.loadTest && settings.requireAuthentication) {
if (userSettings == null) {
authLogger.debug('access denied: authentication is required');
return DENY;

View file

@ -1262,6 +1262,13 @@ export const reloadSettings = () => {
logger.warn("logLayoutType: " + settings.logLayoutType);
initLogging(settings.logconfig);
if (settings.loadTest) {
logger.warn(
'settings.loadTest is true: SecurityManager.checkAccess() will bypass ' +
'authentication and authorization for both HTTP and socket.io requests. ' +
'Do NOT enable this in production.');
}
if (!settings.skinName) {
logger.warn('No "skinName" parameter found. Please check out settings.json.template and ' +
'update your settings.json. Falling back to the default "colibris".');