fixing SecurityMiddleware to use OC6 API

This commit is contained in:
Thomas Müller 2013-10-07 00:33:54 +02:00
parent 3829a746a1
commit e071bfc144
7 changed files with 94 additions and 37 deletions


@ -35,6 +35,7 @@ use OC\AppFramework\Utility\TimeFactory;
use OCP\AppFramework\IApi; use OCP\AppFramework\IApi;
use OCP\AppFramework\IAppContainer; use OCP\AppFramework\IAppContainer;
use OCP\AppFramework\IMiddleWare; use OCP\AppFramework\IMiddleWare;
use OCP\AppFramework\Middleware;
use OCP\IServerContainer; use OCP\IServerContainer;
@ -86,7 +87,7 @@ class DIContainer extends SimpleContainer implements IAppContainer{
* Middleware * Middleware
*/ */
$this['SecurityMiddleware'] = $this->share(function($c){ $this['SecurityMiddleware'] = $this->share(function($c){
return new SecurityMiddleware($c['API'], $c['Request']); return new SecurityMiddleware($this, $c['Request']);
}); });
$this['MiddlewareDispatcher'] = $this->share(function($c){ $this['MiddlewareDispatcher'] = $this->share(function($c){
@ -129,10 +130,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
} }
/** /**
* @param IMiddleWare $middleWare * @param Middleware $middleWare
* @return boolean * @return boolean
*/ */
function registerMiddleWare(IMiddleWare $middleWare) { function registerMiddleWare(Middleware $middleWare) {
array_push($this->middleWares, $middleWare); array_push($this->middleWares, $middleWare);
} }
@ -143,4 +144,49 @@ class DIContainer extends SimpleContainer implements IAppContainer{
function getAppName() { function getAppName() {
return $this->query('AppName'); return $this->query('AppName');
} }
/**
* @return boolean
*/
function isLoggedIn() {
return \OC_User::isLoggedIn();
}
/**
* @return boolean
*/
function isAdminUser() {
$uid = $this->getUserId();
return \OC_User::isAdminUser($uid);
}
private function getUserId() {
return \OC::$session->get('user_id');
}
/**
* @param $message
* @param $level
* @return mixed
*/
function log($message, $level) {
switch($level){
case 'debug':
$level = \OCP\Util::DEBUG;
break;
case 'info':
$level = \OCP\Util::INFO;
break;
case 'warn':
$level = \OCP\Util::WARN;
break;
case 'fatal':
$level = \OCP\Util::FATAL;
break;
default:
$level = \OCP\Util::ERROR;
break;
}
\OCP\Util::writeLog($this->getAppName(), $message, $level);
}
} }
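Review bot: `isAdminUser()` passes whatever `\OC::$session->get('user_id')` returns straight into `\OC_User::isAdminUser()` without first confirming that a user is logged in, so with no session user the argument is null and the answer depends on how `OC_User::isAdminUser` (not visible here) treats a null uid. The SecurityMiddleware in this commit happens to call it only after `isLoggedIn()`, but the method is now public on the app container and other callers get no such guarantee, so I would make it self-contained: `if (!$this->isLoggedIn()) { return false; }` before the lookup. The `log()` switch also silently maps any unrecognised level string, including 'error', to `\OCP\Util::ERROR`; a comment on the `default:` branch such as `// unknown levels (including 'error') are logged at ERROR` would make that intentional rather than accidental.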


@ -24,8 +24,8 @@
namespace OC\AppFramework\Http; namespace OC\AppFramework\Http;
use \OC\AppFramework\Controller\Controller;
use \OC\AppFramework\Middleware\MiddlewareDispatcher; use \OC\AppFramework\Middleware\MiddlewareDispatcher;
use OCP\AppFramework\Controller\Controller;
/** /**


@ -24,7 +24,7 @@
namespace OC\AppFramework\Middleware; namespace OC\AppFramework\Middleware;
use OC\AppFramework\Controller\Controller; use OCP\AppFramework\Controller\Controller;
use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\Response;
use OCP\AppFramework\MiddleWare; use OCP\AppFramework\MiddleWare;


@ -24,15 +24,14 @@
namespace OC\AppFramework\Middleware\Security; namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Controller\Controller;
use OC\AppFramework\Http\Http; use OC\AppFramework\Http\Http;
use OC\AppFramework\Http\Request;
use OC\AppFramework\Http\RedirectResponse; use OC\AppFramework\Http\RedirectResponse;
use OC\AppFramework\Utility\MethodAnnotationReader; use OC\AppFramework\Utility\MethodAnnotationReader;
use OC\AppFramework\Core\API;
use OCP\AppFramework\Middleware; use OCP\AppFramework\Middleware;
use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\JSONResponse; use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\IAppContainer;
use OCP\IRequest;
/** /**
@ -43,18 +42,22 @@ use OCP\AppFramework\Http\JSONResponse;
*/ */
class SecurityMiddleware extends Middleware { class SecurityMiddleware extends Middleware {
private $api; /**
* @var \OCP\AppFramework\IAppContainer
*/
private $app;
/** /**
* @var \OC\AppFramework\Http\Request * @var \OCP\IRequest
*/ */
private $request; private $request;
/** /**
* @param API $api an instance of the api * @param IAppContainer $app
* @param IRequest $request
*/ */
public function __construct(API $api, Request $request){ public function __construct(IAppContainer $app, IRequest $request){
$this->api = $api; $this->app = $app;
$this->request = $request; $this->request = $request;
} }
@ -74,24 +77,24 @@ class SecurityMiddleware extends Middleware {
// this will set the current navigation entry of the app, use this only // this will set the current navigation entry of the app, use this only
// for normal HTML requests and not for AJAX requests // for normal HTML requests and not for AJAX requests
$this->api->activateNavigationEntry(); $this->app->getServer()->getNavigationManager()->setActiveEntry($this->api->getAppName());
// security checks // security checks
$isPublicPage = $annotationReader->hasAnnotation('PublicPage'); $isPublicPage = $annotationReader->hasAnnotation('PublicPage');
if(!$isPublicPage) { if(!$isPublicPage) {
if(!$this->api->isLoggedIn()) { if(!$this->app->isLoggedIn()) {
throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED); throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
} }
if(!$annotationReader->hasAnnotation('NoAdminRequired')) { if(!$annotationReader->hasAnnotation('NoAdminRequired')) {
if(!$this->api->isAdminUser($this->api->getUserId())) { if(!$this->app->isAdminUser()) {
throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN); throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
} }
} }
} }
if(!$annotationReader->hasAnnotation('NoCSRFRequired')) { if(!$annotationReader->hasAnnotation('NoCSRFRequired')) {
if(!$this->api->passesCSRFCheck()) { if(!$this->request->passesCSRFCheck()) {
throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED); throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
} }
} }
@ -118,12 +121,13 @@ class SecurityMiddleware extends Middleware {
array('message' => $exception->getMessage()), array('message' => $exception->getMessage()),
$exception->getCode() $exception->getCode()
); );
$this->api->log($exception->getMessage(), 'debug'); $this->app->log($exception->getMessage(), 'debug');
} else { } else {
$url = $this->api->linkToAbsolute('index.php', ''); // TODO: replace with link to route // TODO: replace with link to route
$url = $this->app->getServer()->getURLGenerator()->getAbsoluteURL('index.php');
$response = new RedirectResponse($url); $response = new RedirectResponse($url);
$this->api->log($exception->getMessage(), 'debug'); $this->app->log($exception->getMessage(), 'debug');
} }
return $response; return $response;
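Review bot: The new `setActiveEntry()` line in the first hunk still reads `$this->api->getAppName()`, yet the `$api` property appears to be removed in this same commit (only `$app` and `$request` remain declared), so any non-AJAX request that reaches that line will hit a method call on a non-object before the login, admin and CSRF checks below it ever run. It should be `$this->app->getServer()->getNavigationManager()->setActiveEntry($this->app->getAppName());`. The enclosing method starts outside the hunk, so I cannot see whether an earlier guard avoids the line; a grep for `->api` across the class before merge would confirm no other leftover. Failing with a hard error here does at least fail closed, but it is a crash rather than a deliberate denial and it hides whether the real checks work.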


@ -24,8 +24,6 @@
namespace OCP\AppFramework\Http; namespace OCP\AppFramework\Http;
use OC\AppFramework\Core\API;
/** /**
* Response for a normal template * Response for a normal template
@ -34,20 +32,16 @@ class TemplateResponse extends Response {
protected $templateName; protected $templateName;
protected $params; protected $params;
protected $api;
protected $renderAs; protected $renderAs;
protected $appName; protected $appName;
/** /**
* @param API $api an API instance
* @param string $templateName the name of the template * @param string $templateName the name of the template
* @param string $appName optional if you want to include a template from * @param string $appName the name of the app to load the template from
* a different app
*/ */
public function __construct(API $api, $templateName, $appName=null) { public function __construct($appName, $templateName) {
$this->templateName = $templateName; $this->templateName = $templateName;
$this->appName = $appName; $this->appName = $appName;
$this->api = $api;
$this->params = array(); $this->params = array();
$this->renderAs = 'user'; $this->renderAs = 'user';
} }
@ -108,13 +102,7 @@ class TemplateResponse extends Response {
*/ */
public function render(){ public function render(){
if($this->appName !== null){ $template = new \OCP\Template($this->appName, $this->templateName, $this->renderAs);
$appName = $this->appName;
} else {
$appName = $this->api->getAppName();
}
$template = $this->api->getTemplate($this->templateName, $this->renderAs, $appName);
foreach($this->params as $key => $value){ foreach($this->params as $key => $value){
$template->assign($key, $value); $template->assign($key, $value);
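Review bot: The new constructor `__construct($appName, $templateName)` reverses the order of the two string parameters relative to the old `($api, $templateName, $appName=null)` and keeps both untyped, so a caller that was updated by simply dropping `$api` will pass the template name as the app name and get no error until `\OCP\Template` fails to locate the file. A guard at the top of the constructor surfaces that immediately: `if (!is_string($appName) || $appName === '' || !is_string($templateName) || $templateName === '') { throw new \InvalidArgumentException('TemplateResponse requires a non-empty app name and template name'); }`. Since `render()` now hands both names straight to `\OCP\Template`, the docblock should also state that they are expected to be app-supplied identifiers rather than request-derived values; I cannot tell from here how `\OCP\Template` resolves them, but if it maps them to filesystem paths this constructor is where a traversal check would belong.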


@ -50,8 +50,26 @@ interface IAppContainer extends IContainer{
function getServer(); function getServer();
/** /**
* @param IMiddleWare $middleWare * @param Middleware $middleWare
* @return boolean * @return boolean
*/ */
function registerMiddleWare(IMiddleWare $middleWare); function registerMiddleWare(Middleware $middleWare);
/**
* @return boolean
*/
function isLoggedIn();
/**
* @return boolean
*/
function isAdminUser();
/**
* @param $message
* @param $level
* @return mixed
*/
function log($message, $level);
} }
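Review bot: The three new interface methods carry no contract beyond `@return boolean` / `@return mixed`, and `log()` has untyped `@param $message` / `@param $level` with no indication of which level strings are accepted; the DIContainer implementation in this commit recognises 'debug', 'info', 'warn' and 'fatal' and maps anything else (including 'error') to `\OCP\Util::ERROR`. I would document that on the interface: `@param string $message`, `@param string $level one of 'debug', 'info', 'warn', 'fatal'; any other value is logged at error level`, and `@return void` instead of `mixed`, since the implementation returns nothing. `isAdminUser()` should also state what it returns when no user is logged in, because the security middleware is its consumer and the DIContainer implementation looks up the session user without checking that first.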


@ -24,6 +24,7 @@
namespace OCP\AppFramework; namespace OCP\AppFramework;
use OCP\AppFramework\Controller\Controller;
use OCP\AppFramework\Http\Response; use OCP\AppFramework\Http\Response;