etherpad-lite/src/tests
John McLear ce038b0b0f
fix(pad): keep token-less Delete pad reachable without pad-wide settings (#7959) (#7960)
* fix(pad): keep token-less Delete pad reachable without pad-wide settings (#7959)

The token-less "Delete pad" button (#delete-pad) was nested inside the
enablePadWideSettings-gated pad-settings section, so disabling pad-wide
settings removed the only way to delete a pad without a recovery token.
Combined with #7926 hiding the token disclosure when deletion needs no
token (e.g. allowPadDeletionByAllUsers), a user who was allowed to delete
could be left with no deletion UI at all.

Pad deletion is unrelated to pad-wide settings, so:

- Move #delete-pad out of the enablePadWideSettings block in pad.html; it
  is now always rendered and hidden by default.
- Add a canDeletePad clientVar (isCreator || allowPadDeletionByAllUsers)
  and drive the button's visibility from it in pad_editor.ts, mirroring the
  existing canDeleteWithoutToken handling for the token disclosure.

The two controls are now mutually coherent and neither depends on
enablePadWideSettings: the plain button shows when this session can delete
without a token, the recovery-token disclosure shows otherwise.

Tests:
- backend padDeletionUiPlacement.ts: #delete-pad is rendered with
  enablePadWideSettings both on and off (fails without the template move).
- backend socketio.ts: canDeletePad reflects the creator/allow-all matrix,
  including a non-creator who only gains it under allowPadDeletionByAllUsers.
- frontend pad_settings.spec.ts: asserts #delete-pad is no longer a
  descendant of #pad-settings-section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(pad): never let readonly sessions delete via token-less paths (#7959)

Qodo review of #7960: `canDeletePad` was `isCreator || allowPadDeletionByAllUsers`,
so under allowPadDeletionByAllUsers a readonly viewer received
canDeletePad=true and the relocated #delete-pad button unhid for them.
Worse, the server-side handlePadDelete `flagOk`/`creatorOk` branches never
checked session.readonly either, so a readonly-link holder could actually
delete the pad without a token — a data-loss hole that the new always-rendered
button would expose.

Exclude readonly sessions from both the clientVar and the server's token-less
authorization paths. A valid recovery token (tokenOk) stays a sufficient
credential regardless of session mode.

Test: socketio.ts asserts a readonly viewer gets canDeletePad=false and that a
token-less PAD_DELETE from a readonly session leaves the pad intact (red before
this change on the clientVar assertion).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 15:18:23 +01:00
..
backend fix(pad): keep token-less Delete pad reachable without pad-wide settings (#7959) (#7960) 2026-06-17 15:18:23 +01:00
backend-new fix(editor): tag inserts with clientVars author until userAuthor propagates (Firefox authorship flake) (#7910) 2026-06-08 20:41:13 +01:00
container test(docker): admin save persists across container restart (#7819) (#7821) 2026-05-19 17:17:12 +01:00
downstream ci(downstream): robust per-client error handling in run-clients.sh (#7927) 2026-06-09 14:31:05 +01:00
fixtures test: downstream client compatibility gate (Phase 1) (#7923) 2026-06-09 11:40:58 +01:00
frontend test(timeslider): port legacy mocha specs to Playwright, retire orphaned suite (#7949) 2026-06-12 12:14:39 +01:00
frontend-new fix(pad): keep token-less Delete pad reachable without pad-wide settings (#7959) (#7960) 2026-06-17 15:18:23 +01:00
ratelimit chore: updated clients to esm (#7627) 2026-04-28 21:46:49 +02:00
README.md restructure: move bin/ and tests/ to src/ 2021-02-04 17:15:08 -05:00
settings.json Add creator-owned pad settings defaults (#7545) 2026-04-19 11:13:44 +01:00

About this folder: Tests

Before running the tests, start an Etherpad instance on your machine.

Frontend

To run the frontend tests, point your browser to <yourdomainhere>/tests/frontend

Backend

To run the backend tests, run cd src and then npm test