read lockdown scope from token

Signed-off-by: Robin Appelman <icewind@owncloud.com>
This commit is contained in:
Robin Appelman 2016-08-01 19:06:54 +02:00 committed by Robin Appelman
parent b56f2c9ed0
commit 2389e0f250
No known key found for this signature in database
GPG Key ID: 425003AC385454C5
7 changed files with 46 additions and 11 deletions

View File

@ -1152,6 +1152,13 @@
<length>4</length> <length>4</length>
</field> </field>
<field>
<name>scope</name>
<type>clob</type>
<default></default>
<notnull>false</notnull>
</field>
<index> <index>
<name>authtoken_token_index</name> <name>authtoken_token_index</name>
<unique>true</unique> <unique>true</unique>

View File

@ -87,6 +87,11 @@ class DefaultToken extends Entity implements IToken {
*/ */
protected $lastCheck; protected $lastCheck;
/**
* @var string
*/
protected $scope;
public function getId() { public function getId() {
return $this->id; return $this->id;
} }
@ -119,6 +124,7 @@ class DefaultToken extends Entity implements IToken {
'name' => $this->name, 'name' => $this->name,
'lastActivity' => $this->lastActivity, 'lastActivity' => $this->lastActivity,
'type' => $this->type, 'type' => $this->type,
'scope' => $this->getScope()
]; ];
} }
@ -140,4 +146,11 @@ class DefaultToken extends Entity implements IToken {
return parent::setLastCheck($time); return parent::setLastCheck($time);
} }
public function getScope() {
return json_decode(parent::getScope(), true);
}
public function setScope($scope) {
return parent::setScope(json_encode($scope));
}
} }

View File

@ -72,7 +72,7 @@ class DefaultTokenMapper extends Mapper {
public function getToken($token) { public function getToken($token) {
/* @var $qb IQueryBuilder */ /* @var $qb IQueryBuilder */
$qb = $this->db->getQueryBuilder(); $qb = $this->db->getQueryBuilder();
$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check') $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
->from('authtoken') ->from('authtoken')
->where($qb->expr()->eq('token', $qb->createParameter('token'))) ->where($qb->expr()->eq('token', $qb->createParameter('token')))
->setParameter('token', $token) ->setParameter('token', $token)
@ -98,7 +98,7 @@ class DefaultTokenMapper extends Mapper {
public function getTokenByUser(IUser $user) { public function getTokenByUser(IUser $user) {
/* @var $qb IQueryBuilder */ /* @var $qb IQueryBuilder */
$qb = $this->db->getQueryBuilder(); $qb = $this->db->getQueryBuilder();
$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check') $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
->from('authtoken') ->from('authtoken')
->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID()))) ->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
->setMaxResults(1000); ->setMaxResults(1000);

View File

@ -72,4 +72,8 @@ interface IToken extends JsonSerializable {
* @param int $time * @param int $time
*/ */
public function setLastCheck($time); public function setLastCheck($time);
public function getScope();
public function setScope($scope);
} }

View File

@ -23,24 +23,36 @@ use OC\Authentication\Token\IToken;
use OCP\Lockdown\ILockdownManager; use OCP\Lockdown\ILockdownManager;
class LockdownManager implements ILockdownManager { class LockdownManager implements ILockdownManager {
/** @var IToken|null */
private $token;
private $enabled = false; private $enabled = false;
/** @var array|null */
private $scope;
public function enable() { public function enable() {
$this->enabled = true; $this->enabled = true;
} }
public function setToken(IToken $token) { public function setToken(IToken $token) {
$this->token = $token; $this->scope = $token->getScope();
$this->enable();
} }
public function canAccessFilesystem() { public function canAccessFilesystem() {
if (!$this->enabled) {
return true; return true;
} }
return !$this->scope || $this->scope['filesystem'];
}
public function canAccessApp($app) { public function canAccessApp($app) {
return $app === 'logreader' || $app === 'files' || $app === 'dav'; if (!$this->enabled) {
return true;
}
if ($this->scope && $this->scope['apps']) {
return in_array($app, $this->scope['apps']);
} else {
// no limit
return true;
}
} }
} }

View File

@ -341,12 +341,10 @@ class Session implements IUserSession, Emitter {
if ($isTokenPassword) { if ($isTokenPassword) {
$this->session->set('app_password', $password); $this->session->set('app_password', $password);
\OC::$server->getLockdownManager()->setToken($this->tokenProvider->getToken($password));
} else if($this->supportsCookies($request)) { } else if($this->supportsCookies($request)) {
// Password login, but cookies supported -> create (browser) session token // Password login, but cookies supported -> create (browser) session token
$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password); $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
} }
\OC::$server->getLockdownManager()->enable();
return true; return true;
} }
@ -527,6 +525,7 @@ class Session implements IUserSession, Emitter {
//login //login
$this->setUser($user); $this->setUser($user);
$this->setLoginName($dbToken->getLoginName()); $this->setLoginName($dbToken->getLoginName());
\OC::$server->getLockdownManager()->setToken($dbToken);
$this->manager->emit('\OC\User', 'postLogin', array($user, $password)); $this->manager->emit('\OC\User', 'postLogin', array($user, $password));
if ($this->isLoggedIn()) { if ($this->isLoggedIn()) {

View File

@ -25,7 +25,7 @@
// We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades // We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel // between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
// when updating major/minor version number. // when updating major/minor version number.
$OC_Version = array(11, 0, 0, 0); $OC_Version = array(11, 0, 0, 1);
// The human readable string // The human readable string
$OC_VersionString = '11.0 alpha'; $OC_VersionString = '11.0 alpha';