ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Various fixes

Browse Source
This commit is contained in:
Julius Haertl
2016-10-14 14:25:26 +02:00
parent 34d61eb039
commit 29c907ab7f
22 changed files with 171 additions and 2808 deletions
Download Patch File Download Diff File Expand all files Collapse all files

221
lib/Middleware/SharingMiddleware.php
View File

@@ -5,45 +5,38 @@
* @author Julius Härtl <jus@bitgrid.net>
*
* @license GNU AGPL version 3 or any later version
*
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*
*/
namespace OCA\Deck\Middleware;
use OC\OCS\Exception;
use OCA\Deck\Controller\BoardController;
use OCA\Deck\Controller\CardController;
use OCA\Deck\Controller\LabelController;
use OCA\Deck\Controller\PageController;
use OCA\Deck\Controller\ShareController;
use OCA\Deck\Db\CardMapper;
use OCA\Deck\NoPermissionException;
use OCA\Deck\Service\ServicePermissionException;
use OCA\Files_Versions\Expiration;
use \OCP\AppFramework\Middleware;
use OCP\IContainer;
use OCP\IDBConnection;
use OCP\IGroupManager;
use OCP\IRequest;
use OCP\IUserManager;
use OCA\Deck\Controller\StackController;
use OCP\IUserSession;
use OCP\AppFramework\Http\JSONResponse;
use OC\AppFramework\Utility\ControllerMethodReflector;
use OCA\Deck\Db\Acl;
class SharingMiddleware extends Middleware {
@@ -52,6 +45,8 @@ class SharingMiddleware extends Middleware {
private $userSession;
private $reflector;
private $groupManager;
private $aclMapper;
public function __construct(
IContainer $container,
@@ -65,17 +60,17 @@ class SharingMiddleware extends Middleware {
$this->reflector = $reflector;
$this->aclMapper = $this->container->query('OCA\Deck\Db\AclMapper');
$this->groupManager = $this->container->query('\OCP\IGroupManager');
}
/**
* All permission checks for controller access
*
* The following method annotaitons are possible
* The following method annotations are possible
* - RequireReadPermission
* - RequireEditPermission
* - RequireSharePermission
* - RequireManagePermission
* - RequireNoPermission
*
* Depending on the Controller class we call a corresponding mapper to find the board_id
* With the board_id we can check for ownership/permissions in the acl table
@@ -85,35 +80,50 @@ class SharingMiddleware extends Middleware {
* @throws NoPermissionException
*/
public function beforeController($controller, $methodName) {
$this->start = microtime(true);
$userId = null;
if($this->userSession->getUser()) {
if ($this->userSession->getUser()) {
$userId = $this->userSession->getUser()->getUID();
}
$method = $this->request->getMethod();
$params = $this->request->getParams();
$this->checkPermissions($userId, $controller, $method, $params);
// TODO: remove, just for testing
\OCP\Util::writeLog('deck', (microtime(true)-$this->start), \OCP\Util::ERROR);
$this->checkPermissions($userId, $controller, $method, $params, $methodName);
}
private function checkPermissions($userId, $controller, $method, $params) {
/**
* Check permission depending on the route (controller/method)
*
* @param $userId
* @param $controller
* @param $method
* @param $params
* @param $methodName
* @return bool
* @throws NoPermissionException
* @throws \Exception
*/
private function checkPermissions($userId, $controller, $method, $params, $methodName) {
// no permission checks needed for plain html page
if($controller instanceof PageController) {
return;
// no permission checks needed for plain html page or RequireNoPermission
if (
$controller instanceof PageController ||
$this->reflector->hasAnnotation('RequireNoPermission')
) {
return true;
}
$mapper = null;
$id = null;
// FIXME: ShareController#search should be limited to board users/groups
if($controller instanceof BoardController or $controller instanceof ShareController) {
if ($controller instanceof BoardController or $controller instanceof ShareController) {
$mapper = $this->container->query('OCA\Deck\Db\BoardMapper');
$id = $params['boardId'];
}
if($controller instanceof StackController) {
if($method==="GET" || $method === "POST") {
if ($controller instanceof StackController) {
if ($method === "GET" || $method === "POST") {
$mapper = $this->container->query('OCA\Deck\Db\BoardMapper');
$id = $params['boardId'];
} else {
@@ -122,8 +132,8 @@ class SharingMiddleware extends Middleware {
}
}
if($controller instanceof CardController) {
if($method === "POST" && !preg_match('/Label/', $method)) {
if ($controller instanceof CardController) {
if ($method === "POST" && !preg_match('/Label/', $method)) {
$mapper = $this->container->query('OCA\Deck\Db\StackMapper');
$id = $params['stackId'];
} else {
@@ -132,144 +142,91 @@ class SharingMiddleware extends Middleware {
}
}
if($controller instanceof LabelController) {
if($method==="GET" || $method === "POST") {
if ($controller instanceof LabelController) {
if ($method === "GET" || $method === "POST") {
$mapper = $this->container->query('OCA\Deck\Db\BoardMapper');
$id = $params['boardId'];
} else {
$mapper = $this->container->query('OCA\Deck\Db\LabelMapper');
$id = $params['labelId'];
}
}
// check if there is a mapper so we can find the corresponding board for the request
if ($mapper === null) {
throw new \Exception("No mappers specified for permission checks");
}
if($this->reflector->hasAnnotation('RequireReadPermission')) {
if(!$this->checkReadPermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to read.", $controller, $method);
if ($this->reflector->hasAnnotation('RequireReadPermission')) {
if (!$this->checkMapperPermission(Acl::PERMISSION_READ, $userId, $mapper, $id)) {
throw new NoPermissionException("User " . $userId . " has no permission to read.", $controller, $methodName);
}
}
if($this->reflector->hasAnnotation('RequireEditPermission')) {
if(!$this->checkEditPermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to edit.", $controller, $method);
}
}
if($this->reflector->hasAnnotation('RequireSharePermission')) {
if(!$this->checkSharePermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to share.", $controller, $method);
if ($this->reflector->hasAnnotation('RequireEditPermission')) {
if (!$this->checkMapperPermission(Acl::PERMISSION_EDIT, $userId, $mapper, $id)) {
throw new NoPermissionException("User " . $userId . " has no permission to edit.", $controller, $methodName);
}
}
if($this->reflector->hasAnnotation('RequireManagePermission')) {
if(!$this->checkManagePermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to manage.", $controller, $method);
if ($this->reflector->hasAnnotation('RequireSharePermission')) {
if (!$this->checkMapperPermission(Acl::PERMISSION_SHARE, $userId, $mapper, $id)) {
throw new NoPermissionException("User " . $userId . " has no permission to share.", $controller, $methodName);
}
}
// FIXME: Default should be nopermisison mybe add norequirepermission for index
if ($this->reflector->hasAnnotation('RequireManagePermission')) {
if (!$this->checkMapperPermission(Acl::PERMISSION_MANAGE, $userId, $mapper, $id)) {
throw new NoPermissionException("User " . $userId . " has no permission to manage.", $controller, $methodName);
}
}
// all permission checks succeeded
return true;
}
/* TODO: Priorize groups with higher permissions */
public function checkReadPermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return true;
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return true;
}
}
/**
* Check if $userId is authorized for $permission on board related to $mapper with $id
*
* @param $permission
* @param $userId
* @param $mapper
* @param $id
* @return bool
*/
public function checkMapperPermission($permission, $userId, $mapper, $id) {
throw new NoPermissionException("User ". $userId . " has no permission to read.");
}
public function checkEditPermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
if ($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
$acls = $this->aclMapper->findAll($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermissionWrite();
if ($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermission($permission);
}
}
// check for groups
$hasGroupPermission = false;
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return $acl->getPermissionWrite();
if (!$hasGroupPermission && $acl->getType() === "group" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
$hasGroupPermission = $acl->getPermission($permission);
}
}
throw new NoPermissionException("User ". $userId . " has no permission to edit.");
}
public function checkManagePermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermissionManage();
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return $acl->getPermissionManage();
}
}
throw new NoPermissionException();
}
public function checkSharePermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermissionInvite();
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return $acl->getPermissionInvite();
}
}
throw new NoPermissionException();
return $hasGroupPermission;
}
/**
* Return JSON error response if the user has no sufficient permission
*
* @param \OCP\AppFramework\Controller $controller
* @param string $methodName
* @param \Exception $exception
* @return JSONResponse
* @throws \Exception
*/
public function afterException($controller, $methodName, \Exception $exception) {
\OCP\Util::writeLog('deck', (microtime(true)-$this->start), \OCP\Util::ERROR);
if(is_a($exception, '\OCA\Deck\NoPermissionException')) {
if (is_a($exception, '\OCA\Deck\NoPermissionException')) {
return new JSONResponse([
"status" => 401,
"message" => $exception->getMessage()