Validate permissions for created admin storages, auth mechanism

Backend and auth mechanism permissions are checked on storage creation,
both for personal storages and for admin storages
This commit is contained in:
Robin McCorkell 2015-08-28 16:15:21 +01:00
parent cc88c5f4b8
commit f0c8cfa9a6
5 changed files with 63 additions and 34 deletions

View File

@ -32,6 +32,7 @@ use \OCP\AppFramework\Http;
use \OCA\Files_external\Service\GlobalStoragesService;
use \OCA\Files_external\NotFoundException;
use \OCA\Files_external\Lib\StorageConfig;
use \OCA\Files_External\Service\BackendService;
/**
* Global storages controller
@ -178,4 +179,14 @@ class GlobalStoragesController extends StoragesController {
}
/**
* Get the user type for this controller, used in validation
*
* @return string BackendService::USER_* constants
*/
protected function getUserType() {
return BackendService::USER_ADMIN;
}
}

View File

@ -36,6 +36,7 @@ use \OCA\Files_External\Lib\Backend\Backend;
use \OCA\Files_External\Lib\Auth\AuthMechanism;
use \OCP\Files\StorageNotAvailableException;
use \OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
use \OCA\Files_External\Service\BackendService;
/**
* Base class for storages controllers
@ -157,12 +158,36 @@ abstract class StoragesController extends Controller {
return new DataResponse(
array(
'message' => (string)$this->l10n->t('Invalid storage backend "%s"', [
$storage->getBackend()->getIdentifier()
$backend->getIdentifier()
])
),
Http::STATUS_UNPROCESSABLE_ENTITY
);
}
if (!$backend->isPermitted($this->getUserType(), BackendService::PERMISSION_CREATE)) {
// not permitted to use backend
return new DataResponse(
array(
'message' => (string)$this->l10n->t('Not permitted to use backend "%s"', [
$backend->getIdentifier()
])
),
Http::STATUS_UNPROCESSABLE_ENTITY
);
}
if (!$authMechanism->isPermitted($this->getUserType(), BackendService::PERMISSION_CREATE)) {
// not permitted to use auth mechanism
return new DataResponse(
array(
'message' => (string)$this->l10n->t('Not permitted to use authentication mechanism "%s"', [
$authMechanism->getIdentifier()
])
),
Http::STATUS_UNPROCESSABLE_ENTITY
);
}
if (!$backend->validateStorage($storage)) {
// unsatisfied parameters
return new DataResponse(
@ -185,6 +210,13 @@ abstract class StoragesController extends Controller {
return null;
}
/**
* Get the user type for this controller, used in validation
*
* @return string BackendService::USER_* constants
*/
abstract protected function getUserType();
/**
* Check whether the given storage is available / valid.
*

View File

@ -61,38 +61,6 @@ class UserStoragesController extends StoragesController {
);
}
/**
* Validate storage config
*
* @param StorageConfig $storage storage config
*
* @return DataResponse|null returns response in case of validation error
*/
protected function validate(StorageConfig $storage) {
$result = parent::validate($storage);
if ($result !== null) {
return $result;
}
// Verify that the mount point applies for the current user
// Prevent non-admin users from mounting local storage and other disabled backends
/** @var Backend */
$backend = $storage->getBackend();
if (!$backend->isPermitted(BackendService::USER_PERSONAL, BackendService::PERMISSION_MOUNT)) {
return new DataResponse(
array(
'message' => (string)$this->l10n->t('Admin-only storage backend "%s"', [
$storage->getBackend()->getIdentifier()
])
),
Http::STATUS_UNPROCESSABLE_ENTITY
);
}
return null;
}
/**
* Return storage
*
@ -218,4 +186,14 @@ class UserStoragesController extends StoragesController {
public function destroy($id) {
return parent::destroy($id);
}
/**
* Get the user type for this controller, used in validation
*
* @return string BackendService::USER_* constants
*/
protected function getUserType() {
return BackendService::USER_PERSONAL;
}
}

View File

@ -75,6 +75,8 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->willReturn(true);
$authMech->method('isPermitted')
->willReturn(true);
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn(true);
@ -114,6 +116,8 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->willReturn(true);
$authMech->method('isPermitted')
->willReturn(true);
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn(true);
@ -245,6 +249,8 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->willReturn(true);
$authMech->method('isPermitted')
->willReturn(true);
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn(true);
@ -338,6 +344,8 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->will($this->returnValue($authMechValidate));
$authMech->method('isPermitted')
->willReturn(true);
$storageConfig = new StorageConfig();
$storageConfig->setMountPoint('mount');

View File

@ -51,7 +51,7 @@ class UserStoragesControllerTest extends StoragesControllerTest {
public function testAddOrUpdateStorageDisallowedBackend() {
$backend = $this->getBackendMock();
$backend->method('isPermitted')
->with(BackendService::USER_PERSONAL, BackendService::PERMISSION_MOUNT)
->with(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE)
->willReturn(false);
$authMech = $this->getAuthMechMock();