8 files changed, 28 insertions, 56 deletions

diff --git a/lib/config/default.js b/lib/config/default.js
index 00fa9eae..fe9b7059 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -160,7 +160,6 @@ module.exports = {
   email: true,
   allowEmailRegister: true,
   allowGravatar: true,
-  allowPDFExport: true,
   openID: false,
   // linkifyHeaderStyle - How is a header text converted into a link id.
   // Header Example: "3.1. Good Morning my Friend! - Do you have 5$?"
diff --git a/lib/config/environment.js b/lib/config/environment.js
index cf9fb5a1..2a2c5fbb 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -87,6 +87,7 @@ module.exports = {
     providerName: process.env.CMD_OAUTH2_PROVIDERNAME,
     baseURL: process.env.CMD_OAUTH2_BASEURL,
     userProfileURL: process.env.CMD_OAUTH2_USER_PROFILE_URL,
+    userProfileIdAttr: process.env.CMD_OAUTH2_USER_PROFILE_ID_ATTR,
     userProfileUsernameAttr: process.env.CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR,
     userProfileDisplayNameAttr: process.env.CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR,
     userProfileEmailAttr: process.env.CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR,
@@ -94,7 +95,9 @@ module.exports = {
     authorizationURL: process.env.CMD_OAUTH2_AUTHORIZATION_URL,
     clientID: process.env.CMD_OAUTH2_CLIENT_ID,
     clientSecret: process.env.CMD_OAUTH2_CLIENT_SECRET,
-    scope: process.env.CMD_OAUTH2_SCOPE
+    scope: process.env.CMD_OAUTH2_SCOPE,
+    rolesClaim: process.env.CMD_OAUTH2_ROLES_CLAIM,
+    accessRole: process.env.CMD_OAUTH2_ACCESS_ROLE
   },
   dropbox: {
     clientID: process.env.CMD_DROPBOX_CLIENTID,
@@ -137,7 +140,6 @@ module.exports = {
   email: toBooleanConfig(process.env.CMD_EMAIL),
   allowEmailRegister: toBooleanConfig(process.env.CMD_ALLOW_EMAIL_REGISTER),
   allowGravatar: toBooleanConfig(process.env.CMD_ALLOW_GRAVATAR),
-  allowPDFExport: toBooleanConfig(process.env.CMD_ALLOW_PDF_EXPORT),
   openID: toBooleanConfig(process.env.CMD_OPENID),
   linkifyHeaderStyle: process.env.CMD_LINKIFY_HEADER_STYLE
 }
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
index d4ae77f0..76e41361 100644
--- a/lib/config/hackmdEnvironment.js
+++ b/lib/config/hackmdEnvironment.js
@@ -121,6 +121,5 @@ module.exports = {
     }
   },
   email: toBooleanConfig(process.env.HMD_EMAIL),
-  allowEmailRegister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER),
-  allowPDFExport: toBooleanConfig(process.env.HMD_ALLOW_PDF_EXPORT)
+  allowEmailRegister: toBooleanConfig(process.env.HMD_ALLOW_EMAIL_REGISTER)
 }
diff --git a/lib/config/index.js b/lib/config/index.js
index c4727e8f..1657ba7a 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -125,7 +125,6 @@ config.isMattermostEnable = config.mattermost.clientID && config.mattermost.clie
 config.isLDAPEnable = config.ldap.url
 config.isSAMLEnable = config.saml.idpSsoUrl
 config.isOAuth2Enable = config.oauth2.clientID && config.oauth2.clientSecret
-config.isPDFExportEnable = config.allowPDFExport
 
 // Check gitlab api version
 if (config.gitlab && config.gitlab.version !== 'v4' && config.gitlab.version !== 'v3') {
@@ -194,12 +193,6 @@ switch (config.imageUploadType) {
     ]
 }
 
-// Disable PDF export due to security issue
-if (config.allowPDFExport) {
-  config.allowPDFExport = false
-  logger.warn('PDF export was disabled for this release to mitigate a critical security issue. This feature will hopefully become available again in future releases.')
-}
-
 // generate correct path
 config.sslCAPath.forEach(function (capath, i, array) {
   array[i] = path.resolve(appRootPath, capath)
diff --git a/lib/config/oldDefault.js b/lib/config/oldDefault.js
index 90942951..738ad9f7 100644
--- a/lib/config/oldDefault.js
+++ b/lib/config/oldDefault.js
@@ -37,6 +37,5 @@ module.exports = {
   // document
   documentmaxlength: undefined,
   imageuploadtype: undefined,
-  allowemailregister: undefined,
-  allowpdfexport: undefined
+  allowemailregister: undefined
 }
diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 6e3e8373..b8e62dda 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -4,6 +4,7 @@ const Router = require('express').Router
 const passport = require('passport')
 const { Strategy, InternalOAuthError } = require('passport-oauth2')
 const config = require('../../../config')
+const logger = require('../../../logger')
 const { passportGeneralCallback } = require('../utils')
 
 let oauth2Auth = module.exports = Router()
@@ -31,6 +32,7 @@ class OAuth2CustomStrategy extends Strategy {
         return done(new Error('Failed to parse user profile'))
       }
 
+      checkAuthorization(json, done)
       let profile = parseProfile(json)
       profile.provider = 'oauth2'
 
@@ -50,18 +52,36 @@ function extractProfileAttribute (data, path) {
 }
 
 function parseProfile (data) {
+  const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
   const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
   const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
   const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
 
   return {
-    id: username,
+    id: id || username,
     username: username,
     displayName: displayName,
     email: email
   }
 }
 
+function checkAuthorization (data, done) {
+  const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+  const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
+
+  if (config.oauth2.accessRole) {
+    if (!roles) {
+      logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied')
+      return done('Permission denied', null)
+    }
+
+    if (!roles.includes(config.oauth2.accessRole)) {
+      logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
+      return done('Permission denied', null)
+    }
+  }
+}
+
 OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
   this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
     var json
@@ -76,6 +96,7 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
       return done(new Error('Failed to parse user profile'))
     }
 
+    checkAuthorization(json, done)
     let profile = parseProfile(json)
     profile.provider = 'oauth2'
 
diff --git a/lib/web/note/actions.js b/lib/web/note/actions.js
index 9ff7fedb..d92d2443 100644
--- a/lib/web/note/actions.js
+++ b/lib/web/note/actions.js
@@ -2,9 +2,7 @@ const models = require('../../models')
 const logger = require('../../logger')
 const config = require('../../config')
 const errors = require('../../errors')
-const fs = require('fs')
 const shortId = require('shortid')
-const markdownpdf = require('markdown-pdf')
 const moment = require('moment')
 const querystring = require('querystring')
 
@@ -33,37 +31,6 @@ exports.getInfo = function getInfo (req, res, note) {
   res.send(data)
 }
 
-exports.createPDF = function createPDF (req, res, note) {
-  const url = config.serverURL || 'http://' + req.get('host')
-  const body = note.content
-  const extracted = models.Note.extractMeta(body)
-  let content = extracted.markdown
-  const title = models.Note.decodeTitle(note.title)
-
-  if (!fs.existsSync(config.tmpPath)) {
-    fs.mkdirSync(config.tmpPath)
-  }
-  const path = config.tmpPath + '/' + Date.now() + '.pdf'
-  content = content.replace(/\]\(\//g, '](' + url + '/')
-  markdownpdf().from.string(content).to(path, function () {
-    if (!fs.existsSync(path)) {
-      logger.error('PDF seems to not be generated as expected. File doesn\'t exist: ' + path)
-      return errors.errorInternalError(res)
-    }
-    const stream = fs.createReadStream(path)
-    let filename = title
-    // Be careful of special characters
-    filename = encodeURIComponent(filename)
-    // Ideally this should strip them
-    res.setHeader('Content-disposition', 'attachment; filename="' + filename + '.pdf"')
-    res.setHeader('Cache-Control', 'private')
-    res.setHeader('Content-Type', 'application/pdf; charset=UTF-8')
-    res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling
-    stream.pipe(res)
-    fs.unlinkSync(path)
-  })
-}
-
 exports.createGist = function createGist (req, res, note) {
   const data = {
     client_id: config.github.clientID,
diff --git a/lib/web/note/controller.js b/lib/web/note/controller.js
index f79574df..45aea9e2 100644
--- a/lib/web/note/controller.js
+++ b/lib/web/note/controller.js
@@ -110,14 +110,6 @@ exports.doAction = function (req, res, next) {
       case 'info':
         noteActions.getInfo(req, res, note)
         break
-      case 'pdf':
-        if (config.allowPDFExport) {
-          noteActions.createPDF(req, res, note)
-        } else {
-          logger.error('PDF export failed: Disabled by config. Set "allowPDFExport: true" to enable. Check the documentation for details')
-          errors.errorForbidden(res)
-        }
-        break
       case 'gist':
         noteActions.createGist(req, res, note)
         break