From 71c1327691225a0a517aa3929a48743f95b177d0 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 25 Nov 2013 15:08:24 +0100
Subject: [PATCH 1/4] Add "single user mode" which restricts access to users in the admin group This can be enabled by setting 'singleuser' to true in config.php
---
 lib/base.php | 19 ++++++++++++++++++-
 public.php | 1 +
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/base.php b/lib/base.php
index 865d174d21..b361ac3c71 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -230,6 +230,22 @@ class OC {
 }
 }
+ public static function checkSingleUserMode() {
+ $user = OC_User::getUserSession()->getUser();
+ $group = OC_Group::getManager()->get('admin');
+ if ($user && OC_Config::getValue('singleuser', false) && !$group->inGroup($user)) {
+ // send http status 503
+ header('HTTP/1.1 503 Service Temporarily Unavailable');
+ header('Status: 503 Service Temporarily Unavailable');
+ header('Retry-After: 120');
+
+ // render error page
+ $tmpl = new OC_Template('', 'singleuser.user', 'guest');
+ $tmpl->printPage();
+ die();
+ }
+ }
+
 public static function checkUpgrade($showTemplate = true) {
 if (OC_Config::getValue('installed', false)) {
 $installedVersion = OC_Config::getValue('version', '0.0.0');
@@ -652,11 +668,12 @@ class OC {
 // Test it the user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
 OC::tryBasicAuthLogin();
- if (!self::$CLI) {
+ if (!self::$CLI and (!isset($_GET["logout"]) or ($_GET["logout"] !== 'true'))) {
 try {
 if (!OC_Config::getValue('maintenance', false)) {
 OC_App::loadApps();
 }
+ self::checkSingleUserMode();
 OC::getRouter()->match(OC_Request::getRawPathInfo());
 return;
 } catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) {
diff --git a/public.php b/public.php
index 203372fe1e..767295b98d 100644
--- a/public.php
+++ b/public.php
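Review bot: In `checkSingleUserMode()` the result of `OC_Group::getManager()->get('admin')` is dereferenced without a null check, so if the manager returns nothing for that group (its contract is not visible in this patch) the request ends in a fatal error instead of the 503 page. The user and group lookups also run on every request before the `singleuser` flag is read. Reading the flag first and treating a missing group as non-admin keeps the check cheap and fail-closed: start with `if (!OC_Config::getValue('singleuser', false)) { return; }` and test `if ($user && (!$group || !$group->inGroup($user))) {`. A docblock should state that the check only acts on logged-in sessions, since `$user` must be set for it to fire.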
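Review bot: `self::checkSingleUserMode()` is placed after `OC_App::loadApps()`, so whatever apps execute while loading still runs for a non-admin session before the 503 is sent; calling it before the `maintenance` test would stop the request earlier, provided the user and group backends the check needs are already available at that point. The widened guard also lets any request carrying `logout=true` skip this block, and the code that handles it afterwards lies outside the hunk, so confirm that path only logs the user out and serves nothing else. For style, `and`/`or` bind more loosely than the `&&` used in `checkSingleUserMode()`: `if (!self::$CLI && (!isset($_GET['logout']) || $_GET['logout'] !== 'true')) {`.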
@@ -5,6 +5,7 @@ try {
 require_once 'lib/base.php';
 OC::checkMaintenanceMode();
+ OC::checkSingleUserMode();
 if (!isset($_GET['service'])) {
 header('HTTP/1.0 404 Not Found');
 exit;
From a324c09e6cd9d9199642666505f3d77f87478883 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 25 Nov 2013 15:27:05 +0100
Subject: [PATCH 2/4] Add occ command to enable and disable single user mode
---
 core/command/maintenance/singleuser.php | 51 +++++++++++++++++++++++++
 core/register_command.php | 1 +
 2 files changed, 52 insertions(+)
 create mode 100644 core/command/maintenance/singleuser.php
diff --git a/core/command/maintenance/singleuser.php b/core/command/maintenance/singleuser.php
new file mode 100644
index 0000000000..f9a1bbcaca
--- /dev/null
+++ b/core/command/maintenance/singleuser.php
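Review bot: The added `OC::checkSingleUserMode();` cannot fire for anonymous callers, because the check in lib/base.php only acts when `getUser()` returns a session user (`if ($user && ...`). Requests to public.php services presumably often arrive without a login, so those services stay reachable while the instance is in single user mode, which does not match "restricts access to users in the admin group". If that is intended, say so here with a comment such as `// single user mode only blocks logged-in non-admins; anonymous requests are still served`; if not, this entry point needs a test that also rejects requests without a session. Other entry points that load lib/base.php are not touched by this series and are worth checking for the same gap. The `try` block continues outside the hunk.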
@@ -0,0 +1,51 @@
+
+ * This file is licensed under the Affero General Public License version 3 or
+ * later.
+ * See the COPYING-README file.
+ */
+
+namespace OC\Core\Command\Maintenance;
+
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class SingleUser extends Command {
+
+ protected function configure() {
+ $this
+ ->setName('maintenance:singleuser')
+ ->setDescription('set single user mode')
+ ->addOption(
+ 'on',
+ null,
+ InputOption::VALUE_NONE,
+ 'enable single user mode'
+ )
+ ->addOption(
+ 'off',
+ null,
+ InputOption::VALUE_NONE,
+ 'disable single user mode'
+ );
+ }
+
+ protected function execute(InputInterface $input, OutputInterface $output) {
+ if ($input->getOption('on')) {
+ \OC_Config::setValue('singleuser', true);
+ $output->writeln('Single user mode enabled');
+ } elseif ($input->getOption('off')) {
+ \OC_Config::setValue('singleuser', false);
+ $output->writeln('Single user mode disabled');
+ } else {
+ if (\OC_Config::getValue('singleuser', false)) {
+ $output->writeln('Single user mode is currently enabled');
+ } else {
+ $output->writeln('Single user mode is currently disabled');
+ }
+ }
+ }
+}
diff --git a/core/register_command.php b/core/register_command.php
index cfea1a6b88..2f351b67a1 100644
--- a/core/register_command.php
+++ b/core/register_command.php
@@ -10,3 +10,4 @@ $application->add(new OC\Core\Command\Status);
 $application->add(new OC\Core\Command\Db\GenerateChangeScript());
 $application->add(new OC\Core\Command\Upgrade());
+$application->add(new OC\Core\Command\Maintenance\SingleUser());
From 1bcb04f94eefda2145ad9f0eed978010bfa85769 Mon Sep 17 00:00:00 2001
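Review bot: `execute()` accepts `--on` and `--off` together and silently enables the mode, because the `on` branch is tested first; reject the combination up front, e.g. `if ($input->getOption('on') && $input->getOption('off')) { $output->writeln('Use either --on or --off'); return 1; }`. Switching an instance-wide access restriction is also only reported on the console; writing an entry to the server log would let operators reconstruct later when the mode was toggled. The class has no docblock; one on `execute()` stating that it only reports the current state when neither option is given would help.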
From: Robin Appelman
Date: Mon, 25 Nov 2013 15:59:37 +0100
Subject: [PATCH 3/4] Add template for single user mode message
---
 core/templates/singleuser.user.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 core/templates/singleuser.user.php
diff --git a/core/templates/singleuser.user.php b/core/templates/singleuser.user.php
new file mode 100644
index 0000000000..a5f56f6e2c
--- /dev/null
+++ b/core/templates/singleuser.user.php
@@ -0,0 +1,10 @@
+
    +
  • + t('This ownCloud instance is currently in single user mode.')) ?>

    + t('This means only administrators can use the instance.')) ?>

    + t('Contact your system administrator if this message persists or appeared unexpectedly.')) ?> +

    + t('Thank you for your patience.')); ?>

    + >t('Log out')); ?> +
  • +
From a609a5364779acb8ac27b337ad453dc9c8a39811 Mon Sep 17 00:00:00 2001
From: Robin Appelman
Date: Mon, 25 Nov 2013 16:01:42 +0100
Subject: [PATCH 4/4] add documentation for single user config option to config.sample.php
---
 config/config.sample.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/config/config.sample.php b/config/config.sample.php
index 105d4759cc..7b533a8b9c 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -235,4 +235,7 @@ $CONFIG = array(
 'openssl' => array(
 //'config' => '/absolute/location/of/openssl.cnf',
 ),
+
+/* whether usage of the instance should be restricted to admin users only */
+'singleuser' => false,
 );