wbrawner/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixing SecurityMiddleware to use OC6 API

Browse source
This commit is contained in:
Thomas Müller 2013-10-07 00:33:54 +02:00
parent 3829a746a1
commit e071bfc144
7 changed files with 94 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
lib/private/appframework/dependencyinjection/dicontainer.php
View file

@ -35,6 +35,7 @@ use OC\AppFramework\Utility\TimeFactory;
use OCP\AppFramework\IApi;
use OCP\AppFramework\IAppContainer;
use OCP\AppFramework\IMiddleWare;
use OCP\AppFramework\Middleware;
use OCP\IServerContainer;
@ -86,7 +87,7 @@ class DIContainer extends SimpleContainer implements IAppContainer{
* Middleware
*/
$this['SecurityMiddleware'] = $this->share(function($c){
return new SecurityMiddleware($c['API'], $c['Request']);
return new SecurityMiddleware($this, $c['Request']);
});
$this['MiddlewareDispatcher'] = $this->share(function($c){
@ -129,10 +130,10 @@ class DIContainer extends SimpleContainer implements IAppContainer{
}
/**
* @param IMiddleWare $middleWare
* @param Middleware $middleWare
* @return boolean
*/
function registerMiddleWare(IMiddleWare $middleWare) {
function registerMiddleWare(Middleware $middleWare) {
array_push($this->middleWares, $middleWare);
}
@ -143,4 +144,49 @@ class DIContainer extends SimpleContainer implements IAppContainer{
function getAppName() {
return $this->query('AppName');
}
/**
* @return boolean
*/
function isLoggedIn() {
return \OC_User::isLoggedIn();
}
/**
* @return boolean
*/
function isAdminUser() {
$uid = $this->getUserId();
return \OC_User::isAdminUser($uid);
}
private function getUserId() {
return \OC::$session->get('user_id');
}
/**
* @param $message
* @param $level
* @return mixed
*/
function log($message, $level) {
switch($level){
case 'debug':
$level = \OCP\Util::DEBUG;
break;
case 'info':
$level = \OCP\Util::INFO;
break;
case 'warn':
$level = \OCP\Util::WARN;
break;
case 'fatal':
$level = \OCP\Util::FATAL;
break;
default:
$level = \OCP\Util::ERROR;
break;
}
\OCP\Util::writeLog($this->getAppName(), $message, $level);
}
}

2
lib/private/appframework/http/dispatcher.php
View file

@ -24,8 +24,8 @@
namespace OC\AppFramework\Http;
use \OC\AppFramework\Controller\Controller;
use \OC\AppFramework\Middleware\MiddlewareDispatcher;
use OCP\AppFramework\Controller\Controller;
/**

2
lib/private/appframework/middleware/middlewaredispatcher.php
View file

@ -24,7 +24,7 @@
namespace OC\AppFramework\Middleware;
use OC\AppFramework\Controller\Controller;
use OCP\AppFramework\Controller\Controller;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\MiddleWare;

34
lib/private/appframework/middleware/security/securitymiddleware.php
View file

@ -24,15 +24,14 @@
namespace OC\AppFramework\Middleware\Security;
use OC\AppFramework\Controller\Controller;
use OC\AppFramework\Http\Http;
use OC\AppFramework\Http\Request;
use OC\AppFramework\Http\RedirectResponse;
use OC\AppFramework\Utility\MethodAnnotationReader;
use OC\AppFramework\Core\API;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\IAppContainer;
use OCP\IRequest;
/**
@ -43,18 +42,22 @@ use OCP\AppFramework\Http\JSONResponse;
*/
class SecurityMiddleware extends Middleware {
private $api;
/**
* @var \OCP\AppFramework\IAppContainer
*/
private $app;
/**
* @var \OC\AppFramework\Http\Request
* @var \OCP\IRequest
*/
private $request;
/**
* @param API $api an instance of the api
* @param IAppContainer $app
* @param IRequest $request
*/
public function __construct(API $api, Request $request){
$this->api = $api;
public function __construct(IAppContainer $app, IRequest $request){
$this->app = $app;
$this->request = $request;
}
@ -74,24 +77,24 @@ class SecurityMiddleware extends Middleware {
// this will set the current navigation entry of the app, use this only
// for normal HTML requests and not for AJAX requests
$this->api->activateNavigationEntry();
$this->app->getServer()->getNavigationManager()->setActiveEntry($this->api->getAppName());
// security checks
$isPublicPage = $annotationReader->hasAnnotation('PublicPage');
if(!$isPublicPage) {
if(!$this->api->isLoggedIn()) {
if(!$this->app->isLoggedIn()) {
throw new SecurityException('Current user is not logged in', Http::STATUS_UNAUTHORIZED);
}
if(!$annotationReader->hasAnnotation('NoAdminRequired')) {
if(!$this->api->isAdminUser($this->api->getUserId())) {
if(!$this->app->isAdminUser()) {
throw new SecurityException('Logged in user must be an admin', Http::STATUS_FORBIDDEN);
}
}
}
if(!$annotationReader->hasAnnotation('NoCSRFRequired')) {
if(!$this->api->passesCSRFCheck()) {
if(!$this->request->passesCSRFCheck()) {
throw new SecurityException('CSRF check failed', Http::STATUS_PRECONDITION_FAILED);
}
}
@ -118,12 +121,13 @@ class SecurityMiddleware extends Middleware {
array('message' => $exception->getMessage()),
$exception->getCode()
);
$this->api->log($exception->getMessage(), 'debug');
$this->app->log($exception->getMessage(), 'debug');
} else {
$url = $this->api->linkToAbsolute('index.php', ''); // TODO: replace with link to route
// TODO: replace with link to route
$url = $this->app->getServer()->getURLGenerator()->getAbsoluteURL('index.php');
$response = new RedirectResponse($url);
$this->api->log($exception->getMessage(), 'debug');
$this->app->log($exception->getMessage(), 'debug');
}
return $response;

18
lib/public/appframework/http/templateresponse.php
View file

@ -24,8 +24,6 @@
namespace OCP\AppFramework\Http;
use OC\AppFramework\Core\API;
/**
* Response for a normal template
@ -34,20 +32,16 @@ class TemplateResponse extends Response {
protected $templateName;
protected $params;
protected $api;
protected $renderAs;
protected $appName;
/**
* @param API $api an API instance
* @param string $templateName the name of the template
* @param string $appName optional if you want to include a template from
* a different app
* @param string $appName the name of the app to load the template from
*/
public function __construct(API $api, $templateName, $appName=null) {
public function __construct($appName, $templateName) {
$this->templateName = $templateName;
$this->appName = $appName;
$this->api = $api;
$this->params = array();
$this->renderAs = 'user';
}
@ -108,13 +102,7 @@ class TemplateResponse extends Response {
*/
public function render(){
if($this->appName !== null){
$appName = $this->appName;
} else {
$appName = $this->api->getAppName();
}
$template = $this->api->getTemplate($this->templateName, $this->renderAs, $appName);
$template = new \OCP\Template($this->appName, $this->templateName, $this->renderAs);
foreach($this->params as $key => $value){
$template->assign($key, $value);

22
lib/public/appframework/iappcontainer.php
View file

@ -50,8 +50,26 @@ interface IAppContainer extends IContainer{
function getServer();
/**
* @param IMiddleWare $middleWare
* @param Middleware $middleWare
* @return boolean
*/
function registerMiddleWare(IMiddleWare $middleWare);
function registerMiddleWare(Middleware $middleWare);
/**
* @return boolean
*/
function isLoggedIn();
/**
* @return boolean
*/
function isAdminUser();
/**
* @param $message
* @param $level
* @return mixed
*/
function log($message, $level);
}

1
lib/public/appframework/middleware.php
View file

@ -24,6 +24,7 @@
namespace OCP\AppFramework;
use OCP\AppFramework\Controller\Controller;
use OCP\AppFramework\Http\Response;