read lockdown scope from token
Signed-off-by: Robin Appelman <icewind@owncloud.com>
This commit is contained in:
parent
b56f2c9ed0
commit
2389e0f250
|
@ -1152,6 +1152,13 @@
|
||||||
<length>4</length>
|
<length>4</length>
|
||||||
</field>
|
</field>
|
||||||
|
|
||||||
|
<field>
|
||||||
|
<name>scope</name>
|
||||||
|
<type>clob</type>
|
||||||
|
<default></default>
|
||||||
|
<notnull>false</notnull>
|
||||||
|
</field>
|
||||||
|
|
||||||
<index>
|
<index>
|
||||||
<name>authtoken_token_index</name>
|
<name>authtoken_token_index</name>
|
||||||
<unique>true</unique>
|
<unique>true</unique>
|
||||||
|
|
|
@ -87,6 +87,11 @@ class DefaultToken extends Entity implements IToken {
|
||||||
*/
|
*/
|
||||||
protected $lastCheck;
|
protected $lastCheck;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
protected $scope;
|
||||||
|
|
||||||
public function getId() {
|
public function getId() {
|
||||||
return $this->id;
|
return $this->id;
|
||||||
}
|
}
|
||||||
|
@ -119,6 +124,7 @@ class DefaultToken extends Entity implements IToken {
|
||||||
'name' => $this->name,
|
'name' => $this->name,
|
||||||
'lastActivity' => $this->lastActivity,
|
'lastActivity' => $this->lastActivity,
|
||||||
'type' => $this->type,
|
'type' => $this->type,
|
||||||
|
'scope' => $this->getScope()
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -140,4 +146,11 @@ class DefaultToken extends Entity implements IToken {
|
||||||
return parent::setLastCheck($time);
|
return parent::setLastCheck($time);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function getScope() {
|
||||||
|
return json_decode(parent::getScope(), true);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function setScope($scope) {
|
||||||
|
return parent::setScope(json_encode($scope));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -72,7 +72,7 @@ class DefaultTokenMapper extends Mapper {
|
||||||
public function getToken($token) {
|
public function getToken($token) {
|
||||||
/* @var $qb IQueryBuilder */
|
/* @var $qb IQueryBuilder */
|
||||||
$qb = $this->db->getQueryBuilder();
|
$qb = $this->db->getQueryBuilder();
|
||||||
$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
|
$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
|
||||||
->from('authtoken')
|
->from('authtoken')
|
||||||
->where($qb->expr()->eq('token', $qb->createParameter('token')))
|
->where($qb->expr()->eq('token', $qb->createParameter('token')))
|
||||||
->setParameter('token', $token)
|
->setParameter('token', $token)
|
||||||
|
@ -98,7 +98,7 @@ class DefaultTokenMapper extends Mapper {
|
||||||
public function getTokenByUser(IUser $user) {
|
public function getTokenByUser(IUser $user) {
|
||||||
/* @var $qb IQueryBuilder */
|
/* @var $qb IQueryBuilder */
|
||||||
$qb = $this->db->getQueryBuilder();
|
$qb = $this->db->getQueryBuilder();
|
||||||
$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
|
$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
|
||||||
->from('authtoken')
|
->from('authtoken')
|
||||||
->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
|
->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
|
||||||
->setMaxResults(1000);
|
->setMaxResults(1000);
|
||||||
|
|
|
@ -72,4 +72,8 @@ interface IToken extends JsonSerializable {
|
||||||
* @param int $time
|
* @param int $time
|
||||||
*/
|
*/
|
||||||
public function setLastCheck($time);
|
public function setLastCheck($time);
|
||||||
|
|
||||||
|
public function getScope();
|
||||||
|
|
||||||
|
public function setScope($scope);
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,24 +23,36 @@ use OC\Authentication\Token\IToken;
|
||||||
use OCP\Lockdown\ILockdownManager;
|
use OCP\Lockdown\ILockdownManager;
|
||||||
|
|
||||||
class LockdownManager implements ILockdownManager {
|
class LockdownManager implements ILockdownManager {
|
||||||
/** @var IToken|null */
|
|
||||||
private $token;
|
|
||||||
|
|
||||||
private $enabled = false;
|
private $enabled = false;
|
||||||
|
|
||||||
|
/** @var array|null */
|
||||||
|
private $scope;
|
||||||
|
|
||||||
public function enable() {
|
public function enable() {
|
||||||
$this->enabled = true;
|
$this->enabled = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function setToken(IToken $token) {
|
public function setToken(IToken $token) {
|
||||||
$this->token = $token;
|
$this->scope = $token->getScope();
|
||||||
|
$this->enable();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function canAccessFilesystem() {
|
public function canAccessFilesystem() {
|
||||||
|
if (!$this->enabled) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
return !$this->scope || $this->scope['filesystem'];
|
||||||
|
}
|
||||||
|
|
||||||
public function canAccessApp($app) {
|
public function canAccessApp($app) {
|
||||||
return $app === 'logreader' || $app === 'files' || $app === 'dav';
|
if (!$this->enabled) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if ($this->scope && $this->scope['apps']) {
|
||||||
|
return in_array($app, $this->scope['apps']);
|
||||||
|
} else {
|
||||||
|
// no limit
|
||||||
|
return true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -341,12 +341,10 @@ class Session implements IUserSession, Emitter {
|
||||||
|
|
||||||
if ($isTokenPassword) {
|
if ($isTokenPassword) {
|
||||||
$this->session->set('app_password', $password);
|
$this->session->set('app_password', $password);
|
||||||
\OC::$server->getLockdownManager()->setToken($this->tokenProvider->getToken($password));
|
|
||||||
} else if($this->supportsCookies($request)) {
|
} else if($this->supportsCookies($request)) {
|
||||||
// Password login, but cookies supported -> create (browser) session token
|
// Password login, but cookies supported -> create (browser) session token
|
||||||
$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
|
$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
|
||||||
}
|
}
|
||||||
\OC::$server->getLockdownManager()->enable();
|
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -527,6 +525,7 @@ class Session implements IUserSession, Emitter {
|
||||||
//login
|
//login
|
||||||
$this->setUser($user);
|
$this->setUser($user);
|
||||||
$this->setLoginName($dbToken->getLoginName());
|
$this->setLoginName($dbToken->getLoginName());
|
||||||
|
\OC::$server->getLockdownManager()->setToken($dbToken);
|
||||||
$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
|
$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
|
||||||
|
|
||||||
if ($this->isLoggedIn()) {
|
if ($this->isLoggedIn()) {
|
||||||
|
|
|
@ -25,7 +25,7 @@
|
||||||
// We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades
|
// We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades
|
||||||
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
|
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
|
||||||
// when updating major/minor version number.
|
// when updating major/minor version number.
|
||||||
$OC_Version = array(11, 0, 0, 0);
|
$OC_Version = array(11, 0, 0, 1);
|
||||||
|
|
||||||
// The human readable string
|
// The human readable string
|
||||||
$OC_VersionString = '11.0 alpha';
|
$OC_VersionString = '11.0 alpha';
|
||||||
|
|
Loading…
Reference in New Issue