Add ProvisioningAPI middleware
The provisioning API has 3 access levels:

* Admin
* SubAdmin
* User

This middleware adds a check for the SubAdmin part.
parent
a0b22227fc
commit
0fdeefe47c
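--- a/apps/provisioning_api/lib/AppInfo/Application.php
+++ b/apps/provisioning_api/lib/AppInfo/Application.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace OCA\Provisioning_API\AppInfo;
+
+use OC\AppFramework\Utility\SimpleContainer;
+use OCA\Provisioning_API\Middleware\ProvisioningApiMiddleware;
+use OCP\AppFramework\App;
+
+class Application extends App {
+public function __construct(array $urlParams = array()) {
+parent::__construct('provisioning_api', $urlParams);
+
+$container = $this->getContainer();
+$server = $container->getServer();
+
+$container->registerService('ProvisioningApiMiddleware', function(SimpleContainer $c) use ($server) {
+$user = $server->getUserManager()->get($c['UserId']);
+$isAdmin = $user !== null ? $server->getGroupManager()->isAdmin($user->getUID()) : false;
+$isSubAdmin = $user !== null ? $server->getGroupManager()->getSubAdmin()->isSubAdmin($user) : false;
+return new ProvisioningApiMiddleware(
+$c['ControllerMethodReflector'],
+$isAdmin,
+$isSubAdmin
+);
+});
+$container->registerMiddleWare('ProvisioningApiMiddleware');
+}
+}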
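Review bot: The closure passed to `registerService` turns an unresolvable user into `$isAdmin = false` and `$isSubAdmin = false` without saying that this deny-by-default outcome is intended. These two booleans are the only identity input the middleware receives, so I would add a comment above the `$user` lookup, e.g. `// No resolvable user: both flags stay false, so the middleware denies unless the method is annotated @NoSubAdminRequired.` The closure is also type-hinted against `OC\AppFramework\Utility\SimpleContainer`, a class from the private `OC\` namespace; whether a public container interface could be hinted instead cannot be confirmed from this page.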
@ -0,0 +1,11 @@
|
||||
<?php
|
||||
|
||||
namespace OCA\Provisioning_API\Middleware\Exceptions;
|
||||
|
||||
use OCP\AppFramework\Http;
|
||||
|
||||
class NotSubAdminException extends \Exception {
|
||||
public function __construct() {
|
||||
parent::__construct('Logged in user must be at least a sub admin', Http::STATUS_FORBIDDEN);
|
||||
}
|
||||
}
|
@ -0,0 +1,64 @@
|
||||
<?php
|
||||
|
||||
namespace OCA\Provisioning_API\Middleware;
|
||||
|
||||
use OCA\Provisioning_API\Middleware\Exceptions\NotSubAdminException;
|
||||
use OCP\AppFramework\Http\Response;
|
||||
use OCP\AppFramework\Middleware;
|
||||
use OCP\AppFramework\OCS\OCSException;
|
||||
use OCP\AppFramework\Utility\IControllerMethodReflector;
|
||||
|
||||
class ProvisioningApiMiddleware extends Middleware {
|
||||
|
||||
/** @var IControllerMethodReflector */
|
||||
private $reflector;
|
||||
|
||||
/** @var bool */
|
||||
private $isAdmin;
|
||||
|
||||
/** @var bool */
|
||||
private $isSubAdmin;
|
||||
|
||||
/**
|
||||
* ProvisioningApiMiddleware constructor.
|
||||
*
|
||||
* @param IControllerMethodReflector $reflector
|
||||
* @param bool $isAdmin
|
||||
* @param bool $isSubAdmin
|
||||
*/
|
||||
public function __construct(
|
||||
IControllerMethodReflector $reflector,
|
||||
$isAdmin,
|
||||
$isSubAdmin) {
|
||||
$this->reflector = $reflector;
|
||||
$this->isAdmin = $isAdmin;
|
||||
$this->isSubAdmin = $isSubAdmin;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \OCP\AppFramework\Controller $controller
|
||||
* @param string $methodName
|
||||
*
|
||||
* @throws NotSubAdminException
|
||||
*/
|
||||
public function beforeController($controller, $methodName) {
|
||||
if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) {
|
||||
throw new NotSubAdminException();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \OCP\AppFramework\Controller $controller
|
||||
* @param string $methodName
|
||||
* @param \Exception $exception
|
||||
* @throws \Exception
|
||||
* @return Response
|
||||
*/
|
||||
public function afterException($controller, $methodName, \Exception $exception) {
|
||||
if ($exception instanceof NotSubAdminException) {
|
||||
throw new OCSException($exception->getMessage(), \OCP\API::RESPOND_UNAUTHORISED);
|
||||
}
|
||||
|
||||
throw $exception;
|
||||
}
|
||||
}
|
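Review bot: In `afterException` the `Http::STATUS_FORBIDDEN` code that `NotSubAdminException` sets in its constructor is never read, because the handler rethrows with `\OCP\API::RESPOND_UNAUTHORISED`; the same denial therefore carries a "forbidden" code in one class and an "unauthorised" code in the other. If that is intended, a comment on the rethrow would stop anyone relying on `getCode()` later, e.g. `// Reported with the OCS "unauthorised" status; the HTTP code on NotSubAdminException is deliberately not forwarded.` The docblock is also inaccurate: every path throws, so `@return Response` should be dropped and `@throws OCSException` listed, after which the `use OCP\AppFramework\Http\Response;` import looks unused in this file. `beforeController` has no summary line; `Denies the request unless the user is an admin, a sub admin, or the method is annotated @NoSubAdminRequired.` would make the opt-out nature of the annotation visible to whoever adds the next controller method.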