ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Add SharingMiddleware for permission checks and small fixes

Browse Source
This commit is contained in:
Julius Haertl
2016-08-24 01:22:45 +02:00
parent 33e99b9e7c
commit 2deffacd98
21 changed files with 452 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

251
lib/Middleware/SharingMiddleware.php
View File

@@ -23,31 +23,260 @@
namespace OCA\Deck\Middleware;
use OC\OCS\Exception;
use OCA\Deck\Controller\BoardController;
use OCA\Deck\Controller\CardController;
use OCA\Deck\Controller\LabelController;
use OCA\Deck\Controller\PageController;
use OCA\Deck\Controller\ShareController;
use OCA\Deck\Db\CardMapper;
use OCA\Deck\NoPermissionException;
use OCA\Deck\Service\ServicePermissionException;
use OCA\Files_Versions\Expiration;
use \OCP\AppFramework\Middleware;
use OCP\IContainer;
use OCP\IDBConnection;
use OCP\IGroupManager;
use OCP\IRequest;
use OCP\IUserManager;
use OCA\Deck\Controller\StackController;
use OCP\IUserSession;
use OCP\AppFramework\Http\JSONResponse;
use OC\AppFramework\Utility\ControllerMethodReflector;
class SharingMiddleware extends Middleware {
private $container;
private $request;
private $userSession;
private $reflector;
private $groupManager;
public function __construct(
IUserManager $userManager,
IGroupManager $groupManager,
IDBConnection $db,
$userId
IContainer $container,
IRequest $request,
IUserSession $userSession,
ControllerMethodReflector $reflector
) {
$this->userId = $userId;
$this->db = $db;
$this->userManager = $userManager;
$this->groupManager = $groupManager;
$this->container = $container;
$this->request = $request;
$this->userSession = $userSession;
$this->reflector = $reflector;
$this->aclMapper = $this->container->query('OCA\Deck\Db\AclMapper');
$this->groupManager = $this->container->query('\OCP\IGroupManager');
}
/**
* All permission checks for controller access
*
* The following method annotaitons are possible
* - RequireReadPermission
* - RequireEditPermission
* - RequireSharePermission
* - RequireManagePermission
*
* Depending on the Controller class we call a corresponding mapper to find the board_id
* With the board_id we can check for ownership/permissions in the acl table
*
* @param \OCP\AppFramework\Controller $controller
* @param string $methodName
* @throws NoPermissionException
*/
public function beforeController($controller, $methodName) {
\OCP\Util::writeLog('deck', "", \OCP\Util::ERROR);
//$userBoards = $this->boardMapper->findAllByUser($userInfo['user']);
//$groupBoards = $this->boardMapper->findAllByGroups($userInfo['user'], $userInfo['groups']);
$this->start = microtime(true);
$userId = null;
if($this->userSession->getUser()) {
$userId = $this->userSession->getUser()->getUID();
}
$method = $this->request->getMethod();
$params = $this->request->getParams();
$this->checkPermissions($userId, $controller, $method, $params);
// TODO: remove, just for testing
\OCP\Util::writeLog('deck', (microtime(true)-$this->start), \OCP\Util::ERROR);
}
private function checkPermissions($userId, $controller, $method, $params) {
// no permission checks needed for plain html page
if($controller instanceof PageController) {
return;
}
// FIXME: ShareController#search should be limited to board users/groups
if($controller instanceof BoardController or $controller instanceof ShareController) {
$mapper = $this->container->query('OCA\Deck\Db\BoardMapper');
$id = $params['boardId'];
}
if($controller instanceof StackController) {
if($method==="GET" || $method === "POST") {
$mapper = $this->container->query('OCA\Deck\Db\BoardMapper');
$id = $params['boardId'];
} else {
$mapper = $this->container->query('OCA\Deck\Db\StackMapper');
$id = $params['stackId'];
}
}
if($controller instanceof CardController) {
if($method==="GET" || $method === "POST") {
$mapper = $this->container->query('OCA\Deck\Db\StackMapper');
$id = $params['stackId'];
} else {
$mapper = $this->container->query('OCA\Deck\Db\CardMapper');
$id = $params['cardId'];
}
}
if($controller instanceof LabelController) {
if($method==="GET" || $method === "POST") {
$mapper = $this->container->query('OCA\Deck\Db\BoardMapper');
$id = $params['boardId'];
} else {
$mapper = $this->container->query('OCA\Deck\Db\LabelMapper');
$id = $params['labelId'];
}
}
if($this->reflector->hasAnnotation('RequireReadPermission')) {
if(!$this->checkReadPermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to read.");
}
}
if($this->reflector->hasAnnotation('RequireEditPermission')) {
if(!$this->checkEditPermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to edit.");
}
}
if($this->reflector->hasAnnotation('RequireSharePermission')) {
if(!$this->checkSharePermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to share.");
}
}
if($this->reflector->hasAnnotation('RequireManagePermission')) {
if(!$this->checkManagePermission($userId, $mapper, $id)) {
throw new NoPermissionException("User ". $userId . " has no permission to manage.");
}
}
// FIXME: Default should be nopermisison mybe add norequirepermission for index
}
/* TODO: Priorize groups with higher permissions */
public function checkReadPermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return true;
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return true;
}
}
throw new NoPermissionException("User ". $userId . " has no permission to read.");
}
public function checkEditPermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermissionWrite();
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return $acl->getPermissionWrite();
}
}
throw new NoPermissionException("User ". $userId . " has no permission to edit.");
}
public function checkManagePermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermissionManage();
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return $acl->getPermissionManage();
}
}
throw new NoPermissionException();
}
public function checkSharePermission($userId, $mapper, $id) {
// is owner
if($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
$boardId = $mapper->findBoardId($id);
$acls = $this->aclMapper->findAllShared($boardId);
// check for users
foreach ($acls as $acl) {
if($acl->getType() === "user" && $acl->getParticipant() === $userId) {
return $acl->getPermissionInvite();
}
}
// check for groups
foreach ($acls as $acl) {
if($acl->getType() === "user" && $this->groupManager->isInGroup($userId, $acl->getParticipant())) {
return $acl->getPermissionInvite();
}
}
throw new NoPermissionException();
}
public function afterException($controller, $methodName, \Exception $exception) {
\OCP\Util::writeLog('deck', (microtime(true)-$this->start), \OCP\Util::ERROR);
if(is_a($exception, '\OCA\Deck\NoPermissionException')) {
return new JSONResponse([
"status" => 401,
"message" => $exception->getMessage()
], 401);
}
throw $exception;
}
}