nextcloud/apps/dav/lib/Connector/PublicAuth.php

<?php
/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 *
 * @author Bjoern Schiessle <bjoern@schiessle.org>
 * @author Björn Schießle <bjoern@schiessle.org>
 * @author Joas Schilling <coding@schilljs.com>
 * @author Lukas Reschke <lukas@statuscode.ch>
 * @author Morris Jobke <hey@morrisjobke.de>
 * @author Robin Appelman <robin@icewind.nl>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 * @author Thomas Müller <thomas.mueller@tmit.eu>
 * @author Vincent Petry <pvince81@owncloud.com>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program.  If not, see <http://www.gnu.org/licenses/>
 *
 */

namespace OCA\DAV\Connector;

use OCP\IRequest;
use OCP\ISession;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
use Sabre\DAV\Auth\Backend\AbstractBasic;

/**
 * Class PublicAuth
 *
 * @package OCA\DAV\Connector
 */
class PublicAuth extends AbstractBasic {

	/** @var \OCP\Share\IShare */
	private $share;

	/** @var IManager */
	private $shareManager;

	/** @var ISession */
	private $session;

	/** @var IRequest */
	private $request;

	/**
	 * @param IRequest $request
	 * @param IManager $shareManager
	 * @param ISession $session
	 */
	public function __construct(IRequest $request,
								IManager $shareManager,
								ISession $session) {
		$this->request = $request;
		$this->shareManager = $shareManager;
		$this->session = $session;

		// setup realm
		$defaults = new \OCP\Defaults();
		$this->realm = $defaults->getName();
	}

	/**
	 * Validates a username and password
	 *
	 * This method should return true or false depending on if login
	 * succeeded.
	 *
	 * @param string $username
	 * @param string $password
	 *
	 * @return bool
	 * @throws \Sabre\DAV\Exception\NotAuthenticated
	 */
	protected function validateUserPass($username, $password) {
		try {
			$share = $this->shareManager->getShareByToken($username);
		} catch (ShareNotFound $e) {
			return false;
		}

		$this->share = $share;

		\OC_User::setIncognitoMode(true);

		// check if the share is password protected
		if ($share->getPassword() !== null) {
			if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK || $share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) {
				if ($this->shareManager->checkPassword($share, $password)) {
					return true;
				} else if ($this->session->exists('public_link_authenticated')
					&& $this->session->get('public_link_authenticated') === (string)$share->getId()) {
					return true;
				} else {
					if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
						// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
						http_response_code(401);
						header('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');
						throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
					}
					return false;
				}
			} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_REMOTE) {
				return true;
			} else {
				return false;
			}
		} else {
			return true;
		}
	}

	/**
	 * @return \OCP\Share\IShare
	 */
	public function getShare() {
		return $this->share;
	}
}
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`<?php`
			`/**`
Fix apps/ 2016-07-21 17:49:16 +03:00			`* @copyright Copyright (c) 2016, ownCloud, Inc.`
			`*`
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2017-11-06 17:56:42 +03:00			`* @author Bjoern Schiessle <bjoern@schiessle.org>`
Update license headers 2016-05-26 20:56:05 +03:00			`* @author Björn Schießle <bjoern@schiessle.org>`
Fix apps/ 2016-07-21 17:49:16 +03:00			`* @author Joas Schilling <coding@schilljs.com>`
Update license headers 2016-05-26 20:56:05 +03:00			`* @author Lukas Reschke <lukas@statuscode.ch>`
Update license headers 2015-03-26 13:44:34 +03:00			`* @author Morris Jobke <hey@morrisjobke.de>`
Update with robin 2016-07-21 19:13:36 +03:00			`* @author Robin Appelman <robin@icewind.nl>`
Fix apps/ 2016-07-21 17:49:16 +03:00			`* @author Roeland Jago Douma <roeland@famdouma.nl>`
Update license headers 2015-03-26 13:44:34 +03:00			`* @author Thomas Müller <thomas.mueller@tmit.eu>`
update licence headers via script 2015-10-05 21:54:56 +03:00			`* @author Vincent Petry <pvince81@owncloud.com>`
Update license headers 2015-03-26 13:44:34 +03:00			`*`
			`* @license AGPL-3.0`
			`*`
			`* This code is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License, version 3,`
			`* as published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public License, version 3,`
			`* along with this program. If not, see <http://www.gnu.org/licenses/>`
			`*`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`*/`
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36. 2015-02-26 13:37:37 +03:00
Consolidate webdav code - move all to one app 2015-08-30 20:13:01 +03:00			`namespace OCA\DAV\Connector;`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00			`use OCP\IRequest;`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`use OCP\ISession;`
			`use OCP\Share\Exceptions\ShareNotFound;`
			`use OCP\Share\IManager;`
Use the correct realm for basic authentication - fixes #23427 2016-06-09 14:53:32 +03:00			`use Sabre\DAV\Auth\Backend\AbstractBasic;`
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`/**`
			`* Class PublicAuth`
			`*`
			`* @package OCA\DAV\Connector`
			`*/`
Use the correct realm for basic authentication - fixes #23427 2016-06-09 14:53:32 +03:00			`class PublicAuth extends AbstractBasic {`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`/** @var \OCP\Share\IShare */`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`private $share;`

Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`/** @var IManager */`
			`private $shareManager;`

			`/** @var ISession */`
			`private $session;`

			`/** @var IRequest */`
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00			`private $request;`

Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`/**`
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00			`* @param IRequest $request`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`* @param IManager $shareManager`
			`* @param ISession $session`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`*/`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`public function __construct(IRequest $request,`
			`IManager $shareManager,`
			`ISession $session) {`
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00			`$this->request = $request;`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`$this->shareManager = $shareManager;`
			`$this->session = $session;`
Use the correct realm for basic authentication - fixes #23427 2016-06-09 14:53:32 +03:00
			`// setup realm`
Use the themed Defaults everywhere 2016-07-15 09:46:31 +03:00			`$defaults = new \OCP\Defaults();`
Use the correct realm for basic authentication - fixes #23427 2016-06-09 14:53:32 +03:00			`$this->realm = $defaults->getName();`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`}`

			`/**`
			`* Validates a username and password`
			`*`
			`* This method should return true or false depending on if login`
			`* succeeded.`
			`*`
			`* @param string $username`
			`* @param string $password`
			`*`
			`* @return bool`
Enforce type 2016-03-31 20:32:30 +03:00			`* @throws \Sabre\DAV\Exception\NotAuthenticated`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`*/`
			`protected function validateUserPass($username, $password) {`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`try {`
			`$share = $this->shareManager->getShareByToken($username);`
			`} catch (ShareNotFound $e) {`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`return false;`
			`}`

Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`$this->share = $share;`
Set proper public webdav permissions when public upload disabled Fixes #23325 It can happen that a user shares a folder with public upload. And some time later the admin disables public upload on the server. To make sure this is handled correctly we need to check the config value and reduce the permissions. Fix is kept small to be easy backportable. 2016-03-17 13:35:31 +03:00
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`\OC_User::setIncognitoMode(true);`
Remove phpass and migrate to new Hasher interface This PR removes phpass and migrates to the new Hasher interface. Please notice that due to https://github.com/owncloud/core/issues/10671 old hashes are not updated but the hashes are backwards compatible so this shouldn't hurt. Once the sharing classes have a possibility to update the passwords of single shares those methods should be used within the newHash if block. 2014-11-17 15:10:15 +03:00
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`// check if the share is password protected`
			`if ($share->getPassword() !== null) {`
check password for mail shares as well Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org> 2017-05-04 12:20:20 +03:00			`if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK \|\| $share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) {`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`if ($this->shareManager->checkPassword($share, $password)) {`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`return true;`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`} else if ($this->session->exists('public_link_authenticated')`
Cast share id to string (#25402) 2016-07-11 11:27:47 +03:00			`&& $this->session->get('public_link_authenticated') === (string)$share->getId()) {`
Allow public auth to recognize sesssion When a public link password has been input, its auth is stored in the session. This fix makes it possible to recognize the session when using public webdav from the files UI. 2015-07-13 18:39:07 +03:00			`return true;`
Remove phpass and migrate to new Hasher interface This PR removes phpass and migrates to the new Hasher interface. Please notice that due to https://github.com/owncloud/core/issues/10671 old hashes are not updated but the hashes are backwards compatible so this shouldn't hurt. Once the sharing classes have a possibility to update the passwords of single shares those methods should be used within the newHash if block. 2014-11-17 15:10:15 +03:00			`} else {`
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00			`if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {`
			`// do not re-authenticate over ajax, use dummy auth name to prevent browser popup`
Enforce type 2016-03-31 20:32:30 +03:00			`http_response_code(401);`
Use the correct realm for basic authentication - fixes #23427 2016-06-09 14:53:32 +03:00			`header('WWW-Authenticate','DummyBasic realm="' . $this->realm . '"');`
Return 401 DummyBasicAuth in case of ajax call 2016-03-24 18:02:36 +03:00			`throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');`
			`}`
Remove phpass and migrate to new Hasher interface This PR removes phpass and migrates to the new Hasher interface. Please notice that due to https://github.com/owncloud/core/issues/10671 old hashes are not updated but the hashes are backwards compatible so this shouldn't hurt. Once the sharing classes have a possibility to update the passwords of single shares those methods should be used within the newHash if block. 2014-11-17 15:10:15 +03:00			`return false;`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`}`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_REMOTE) {`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`return true;`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`} else {`
			`return false;`
			`}`
			`} else {`
			`return true;`
			`}`
			`}`

			`/**`
Move public webdav auth over to share manager The public webdav auth should use the shiny new share manager. 2016-04-01 18:04:10 +03:00			`* @return \OCP\Share\IShare`
Expose public shares over webdav 2014-03-06 19:00:25 +04:00			`*/`
			`public function getShare() {`
			`return $this->share;`
			`}`
			`}`