Revert "Implement more fine-grained external storage permissions model"

This reverts commit 0b97a05e7b.
This reverts commit d2e3c17c00.
This reverts commit cc88c5f4b8.
This commit is contained in:
Robin McCorkell 2015-09-17 10:24:19 +01:00 committed by Thomas Müller
parent ee649d58c5
commit 38a260e963
17 changed files with 190 additions and 237 deletions

View File

@ -98,7 +98,7 @@ class GlobalStoragesController extends StoragesController {
return $newStorage;
}
$response = $this->validate($newStorage, BackendService::PERMISSION_CREATE);
$response = $this->validate($newStorage);
if (!empty($response)) {
return $response;
}
@ -154,7 +154,7 @@ class GlobalStoragesController extends StoragesController {
}
$storage->setId($id);
$response = $this->validate($storage, BackendService::PERMISSION_MODIFY);
$response = $this->validate($storage);
if (!empty($response)) {
return $response;
}
@ -180,12 +180,12 @@ class GlobalStoragesController extends StoragesController {
}
/**
* Get the user type for this controller, used in validation
* Get the visibility type for this controller, used in validation
*
* @return string BackendService::USER_* constants
* @return string BackendService::VISIBILITY_* constants
*/
protected function getUserType() {
return BackendService::USER_ADMIN;
protected function getVisibilityType() {
return BackendService::VISIBILITY_ADMIN;
}

View File

@ -125,11 +125,10 @@ abstract class StoragesController extends Controller {
* Validate storage config
*
* @param StorageConfig $storage storage config
* @param int $permissionCheck permission to check
*
* @return DataResponse|null returns response in case of validation error
*/
protected function validate(StorageConfig $storage, $permissionCheck = BackendService::PERMISSION_CREATE) {
protected function validate(StorageConfig $storage) {
$mountPoint = $storage->getMountPoint();
if ($mountPoint === '' || $mountPoint === '/') {
return new DataResponse(
@ -166,7 +165,7 @@ abstract class StoragesController extends Controller {
);
}
if (!$backend->isPermitted($this->getUserType(), $permissionCheck)) {
if (!$backend->isVisibleFor($this->getVisibilityType())) {
// not permitted to use backend
return new DataResponse(
array(
@ -177,7 +176,7 @@ abstract class StoragesController extends Controller {
Http::STATUS_UNPROCESSABLE_ENTITY
);
}
if (!$authMechanism->isPermitted($this->getUserType(), $permissionCheck)) {
if (!$authMechanism->isVisibleFor($this->getVisibilityType())) {
// not permitted to use auth mechanism
return new DataResponse(
array(
@ -212,11 +211,11 @@ abstract class StoragesController extends Controller {
}
/**
* Get the user type for this controller, used in validation
* Get the visibility type for this controller, used in validation
*
* @return string BackendService::USER_* constants
* @return string BackendService::VISIBILITY_* constants
*/
abstract protected function getUserType();
abstract protected function getVisibilityType();
/**
* Check whether the given storage is available / valid.

View File

@ -103,7 +103,7 @@ class UserStoragesController extends StoragesController {
return $newStorage;
}
$response = $this->validate($newStorage, BackendService::PERMISSION_CREATE);
$response = $this->validate($newStorage);
if (!empty($response)) {
return $response;
}
@ -151,7 +151,7 @@ class UserStoragesController extends StoragesController {
}
$storage->setId($id);
$response = $this->validate($storage, BackendService::PERMISSION_MODIFY);
$response = $this->validate($storage);
if (!empty($response)) {
return $response;
}
@ -188,12 +188,12 @@ class UserStoragesController extends StoragesController {
}
/**
* Get the user type for this controller, used in validation
* Get the visibility type for this controller, used in validation
*
* @return string BackendService::USER_* constants
* @return string BackendService::VISIBILITY_* constants
*/
protected function getUserType() {
return BackendService::USER_PERSONAL;
protected function getVisibilityType() {
return BackendService::VISIBILITY_PERSONAL;
}
}

View File

@ -22,7 +22,7 @@
namespace OCA\Files_External\Lib\Auth;
use \OCA\Files_External\Lib\StorageConfig;
use \OCA\Files_External\Lib\PermissionsTrait;
use \OCA\Files_External\Lib\VisibilityTrait;
use \OCA\Files_External\Lib\IdentifierTrait;
use \OCA\Files_External\Lib\FrontendDefinitionTrait;
use \OCA\Files_External\Lib\StorageModifierTrait;
@ -40,7 +40,7 @@ use \OCA\Files_External\Lib\StorageModifierTrait;
* scheme, which are provided from the authentication mechanism.
*
* This class uses the following traits:
* - PermissionsTrait
* - VisibilityTrait
* Restrict usage to admin-only/none
* - FrontendDefinitionTrait
* Specify configuration parameters and other definitions
@ -58,7 +58,7 @@ class AuthMechanism implements \JsonSerializable {
const SCHEME_PUBLICKEY = 'publickey';
const SCHEME_OPENSTACK = 'openstack';
use PermissionsTrait;
use VisibilityTrait;
use FrontendDefinitionTrait;
use StorageModifierTrait;
use IdentifierTrait;

View File

@ -22,7 +22,7 @@
namespace OCA\Files_External\Lib\Backend;
use \OCA\Files_External\Lib\StorageConfig;
use \OCA\Files_External\Lib\PermissionsTrait;
use \OCA\Files_External\Lib\VisibilityTrait;
use \OCA\Files_External\Lib\FrontendDefinitionTrait;
use \OCA\Files_External\Lib\PriorityTrait;
use \OCA\Files_External\Lib\DependencyTrait;
@ -43,7 +43,7 @@ use \OCA\Files_External\Lib\Auth\AuthMechanism;
* scheme, which are provided from the authentication mechanism.
*
* This class uses the following traits:
* - PermissionsTrait
* - VisibilityTrait
* Restrict usage to admin-only/none
* - FrontendDefinitionTrait
* Specify configuration parameters and other definitions
@ -56,7 +56,7 @@ use \OCA\Files_External\Lib\Auth\AuthMechanism;
*/
class Backend implements \JsonSerializable {
use PermissionsTrait;
use VisibilityTrait;
use FrontendDefinitionTrait;
use PriorityTrait;
use DependencyTrait;

View File

@ -39,7 +39,7 @@ class Local extends Backend {
->addParameters([
(new DefinitionParameter('datadir', $l->t('Location'))),
])
->setAllowedPermissions(BackendService::USER_PERSONAL, BackendService::PERMISSION_NONE)
->setAllowedVisibility(BackendService::VISIBILITY_ADMIN)
->setPriority(BackendService::PRIORITY_DEFAULT + 50)
->addAuthScheme(AuthMechanism::SCHEME_NULL)
->setLegacyAuthMechanism($legacyAuth)

View File

@ -40,8 +40,6 @@ class SFTP_Key extends Backend {
(new DefinitionParameter('root', $l->t('Remote subfolder')))
->setFlag(DefinitionParameter::FLAG_OPTIONAL),
])
->removeAllowedPermission(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE)
->removeAllowedPermission(BackendService::USER_ADMIN, BackendService::PERMISSION_CREATE)
->addAuthScheme(AuthMechanism::SCHEME_PUBLICKEY)
->setLegacyAuthMechanism($legacyAuth)
;

View File

@ -51,8 +51,6 @@ class SMB_OC extends Backend {
(new DefinitionParameter('root', $l->t('Remote subfolder')))
->setFlag(DefinitionParameter::FLAG_OPTIONAL),
])
->removeAllowedPermission(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE)
->removeAllowedPermission(BackendService::USER_ADMIN, BackendService::PERMISSION_CREATE)
->setPriority(BackendService::PRIORITY_DEFAULT - 10)
->addAuthScheme(AuthMechanism::SCHEME_PASSWORD)
->setLegacyAuthMechanism($legacyAuth)

View File

@ -1,164 +0,0 @@
<?php
/**
* @author Robin McCorkell <rmccorkell@karoshi.org.uk>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\Files_External\Lib;
use \OCA\Files_External\Service\BackendService;
/**
* Trait to implement backend and auth mechanism permissions
*
* For user type constants, see BackendService::USER_*
* For permission constants, see BackendService::PERMISSION_*
*/
trait PermissionsTrait {
/** @var array [user type => permissions] */
protected $permissions = [
BackendService::USER_PERSONAL => BackendService::PERMISSION_DEFAULT,
BackendService::USER_ADMIN => BackendService::PERMISSION_DEFAULT,
];
/** @var array [user type => allowed permissions] */
protected $allowedPermissions = [
BackendService::USER_PERSONAL => BackendService::PERMISSION_DEFAULT,
BackendService::USER_ADMIN => BackendService::PERMISSION_DEFAULT,
];
/**
* @param string $userType
* @return int
*/
public function getPermissions($userType) {
if (isset($this->permissions[$userType])) {
return $this->permissions[$userType];
}
return BackendService::PERMISSION_NONE;
}
/**
* Check if the user type has permission
*
* @param string $userType
* @param int $permission
* @return bool
*/
public function isPermitted($userType, $permission) {
if ($this->getPermissions($userType) & $permission) {
return true;
}
return false;
}
/**
* @param string $userType
* @param int $permissions
* @return self
*/
public function setPermissions($userType, $permissions) {
$this->permissions[$userType] = $permissions;
$this->allowedPermissions[$userType] =
$this->getAllowedPermissions($userType) | $permissions;
return $this;
}
/**
* @param string $userType
* @param int $permission
* @return self
*/
public function addPermission($userType, $permission) {
return $this->setPermissions($userType,
$this->getPermissions($userType) | $permission
);
}
/**
* @param string $userType
* @param int $permission
* @return self
*/
public function removePermission($userType, $permission) {
return $this->setPermissions($userType,
$this->getPermissions($userType) & ~$permission
);
}
/**
* @param string $userType
* @return int
*/
public function getAllowedPermissions($userType) {
if (isset($this->allowedPermissions[$userType])) {
return $this->allowedPermissions[$userType];
}
return BackendService::PERMISSION_NONE;
}
/**
* Check if the user type has an allowed permission
*
* @param string $userType
* @param int $permission
* @return bool
*/
public function isAllowedPermitted($userType, $permission) {
if ($this->getAllowedPermissions($userType) & $permission) {
return true;
}
return false;
}
/**
* @param string $userType
* @param int $permissions
* @return self
*/
public function setAllowedPermissions($userType, $permissions) {
$this->allowedPermissions[$userType] = $permissions;
$this->permissions[$userType] =
$this->getPermissions($userType) & $permissions;
return $this;
}
/**
* @param string $userType
* @param int $permission
* @return self
*/
public function addAllowedPermission($userType, $permission) {
return $this->setAllowedPermissions($userType,
$this->getAllowedPermissions($userType) | $permission
);
}
/**
* @param string $userType
* @param int $permission
* @return self
*/
public function removeAllowedPermission($userType, $permission) {
return $this->setAllowedPermissions($userType,
$this->getAllowedPermissions($userType) & ~$permission
);
}
}

View File

@ -0,0 +1,136 @@
<?php
/**
* @author Robin McCorkell <rmccorkell@karoshi.org.uk>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\Files_External\Lib;
use \OCA\Files_External\Service\BackendService;
/**
* Trait to implement visibility mechanics for a configuration class
*
* The standard visibility defines which users/groups can use or see the
* object. The allowed visibility defines the maximum visibility allowed to be
* set on the object. The standard visibility is often set dynamically by
* stored configuration parameters that can be modified by the administrator,
* while the allowed visibility is set directly by the object and cannot be
* modified by the administrator.
*/
trait VisibilityTrait {
/** @var int visibility */
protected $visibility = BackendService::VISIBILITY_DEFAULT;
/** @var int allowed visibilities */
protected $allowedVisibility = BackendService::VISIBILITY_DEFAULT;
/**
* @return int
*/
public function getVisibility() {
return $this->visibility;
}
/**
* Check if the backend is visible for a user type
*
* @param int $visibility
* @return bool
*/
public function isVisibleFor($visibility) {
if ($this->visibility & $visibility) {
return true;
}
return false;
}
/**
* @param int $visibility
* @return self
*/
public function setVisibility($visibility) {
$this->visibility = $visibility;
$this->allowedVisibility |= $visibility;
return $this;
}
/**
* @param int $visibility
* @return self
*/
public function addVisibility($visibility) {
return $this->setVisibility($this->visibility | $visibility);
}
/**
* @param int $visibility
* @return self
*/
public function removeVisibility($visibility) {
return $this->setVisibility($this->visibility & ~$visibility);
}
/**
* @return int
*/
public function getAllowedVisibility() {
return $this->allowedVisibility;
}
/**
* Check if the backend is allowed to be visible for a user type
*
* @param int $allowedVisibility
* @return bool
*/
public function isAllowedVisibleFor($allowedVisibility) {
if ($this->allowedVisibility & $allowedVisibility) {
return true;
}
return false;
}
/**
* @param int $allowedVisibility
* @return self
*/
public function setAllowedVisibility($allowedVisibility) {
$this->allowedVisibility = $allowedVisibility;
$this->visibility &= $allowedVisibility;
return $this;
}
/**
* @param int $allowedVisibility
* @return self
*/
public function addAllowedVisibility($allowedVisibility) {
return $this->setAllowedVisibility($this->allowedVisibility | $allowedVisibility);
}
/**
* @param int $allowedVisibility
* @return self
*/
public function removeAllowedVisibility($allowedVisibility) {
return $this->setAllowedVisibility($this->allowedVisibility & ~$allowedVisibility);
}
}

View File

@ -35,10 +35,10 @@ OCP\Util::addScript('files_external', 'settings');
OCP\Util::addStyle('files_external', 'settings');
$backends = array_filter($backendService->getAvailableBackends(), function($backend) {
return $backend->isPermitted(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE);
return $backend->isVisibleFor(BackendService::VISIBILITY_PERSONAL);
});
$authMechanisms = array_filter($backendService->getAuthMechanisms(), function($authMechanism) {
return $authMechanism->isPermitted(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE);
return $authMechanism->isVisibleFor(BackendService::VISIBILITY_PERSONAL);
});
foreach ($backends as $backend) {
if ($backend->getCustomJs()) {

View File

@ -31,17 +31,13 @@ use \OCA\Files_External\Lib\Auth\AuthMechanism;
*/
class BackendService {
/** Permission constants for PermissionsTrait */
const PERMISSION_NONE = 0;
const PERMISSION_MOUNT = 1;
const PERMISSION_CREATE = 2;
const PERMISSION_MODIFY = 4;
/** Visibility constants for VisibilityTrait */
const VISIBILITY_NONE = 0;
const VISIBILITY_PERSONAL = 1;
const VISIBILITY_ADMIN = 2;
//const VISIBILITY_ALIENS = 4;
const PERMISSION_DEFAULT = 7; // MOUNT | CREATE | MODIFY
/** User contants */
const USER_ADMIN = 'admin';
const USER_PERSONAL = 'personal';
const VISIBILITY_DEFAULT = 3; // PERSONAL | ADMIN
/** Priority constants for PriorityTrait */
const PRIORITY_DEFAULT = 100;
@ -85,7 +81,7 @@ class BackendService {
*/
public function registerBackend(Backend $backend) {
if (!$this->isAllowedUserBackend($backend)) {
$backend->removePermission(self::USER_PERSONAL, self::PERMISSION_CREATE | self::PERMISSION_MOUNT);
$backend->removeVisibility(BackendService::VISIBILITY_PERSONAL);
}
foreach ($backend->getIdentifierAliases() as $alias) {
$this->backends[$alias] = $backend;
@ -107,7 +103,7 @@ class BackendService {
*/
public function registerAuthMechanism(AuthMechanism $authMech) {
if (!$this->isAllowedAuthMechanism($authMech)) {
$authMech->removePermission(self::USER_PERSONAL, self::PERMISSION_CREATE | self::PERMISSION_MOUNT);
$authMech->removeVisibility(BackendService::VISIBILITY_PERSONAL);
}
foreach ($authMech->getIdentifierAliases() as $alias) {
$this->authMechanisms[$alias] = $authMech;

View File

@ -42,10 +42,10 @@ OCP\Util::addStyle('files_external', 'settings');
\OC_Util::addVendorStyle('select2/select2');
$backends = array_filter($backendService->getAvailableBackends(), function($backend) {
return $backend->isPermitted(BackendService::USER_ADMIN, BackendService::PERMISSION_CREATE);
return $backend->isVisibleFor(BackendService::VISIBILITY_ADMIN);
});
$authMechanisms = array_filter($backendService->getAuthMechanisms(), function($authMechanism) {
return $authMechanism->isPermitted(BackendService::USER_ADMIN, BackendService::PERMISSION_CREATE);
return $authMechanism->isVisibleFor(BackendService::VISIBILITY_ADMIN);
});
foreach ($backends as $backend) {
if ($backend->getCustomJs()) {
@ -59,9 +59,7 @@ foreach ($authMechanisms as $authMechanism) {
}
$userBackends = array_filter($backendService->getAvailableBackends(), function($backend) {
return $backend->isAllowedPermitted(
BackendService::USER_PERSONAL, BackendService::PERMISSION_MOUNT
);
return $backend->isAllowedVisibleFor(BackendService::VISIBILITY_PERSONAL);
});
$tmpl = new OCP\Template('files_external', 'settings');

View File

@ -197,7 +197,7 @@
<p id="userMountingBackends"<?php if ($_['allowUserMounting'] != 'yes'): ?> class="hidden"<?php endif; ?>>
<?php p($l->t('Allow users to mount the following external storage')); ?><br />
<?php $i = 0; foreach ($_['userBackends'] as $backend): ?>
<input type="checkbox" id="allowUserMountingBackends<?php p($i); ?>" name="allowUserMountingBackends[]" value="<?php p($backend->getIdentifier()); ?>" <?php if ($backend->isPermitted(BackendService::USER_PERSONAL, BackendService::PERMISSION_MOUNT)) print_unescaped(' checked="checked"'); ?> />
<input type="checkbox" id="allowUserMountingBackends<?php p($i); ?>" name="allowUserMountingBackends[]" value="<?php p($backend->getIdentifier()); ?>" <?php if ($backend->isVisibleFor(BackendService::VISIBILITY_PERSONAL)) print_unescaped(' checked="checked"'); ?> />
<label for="allowUserMountingBackends<?php p($i); ?>"><?php p($backend->getText()); ?></label> <br />
<?php $i++; ?>
<?php endforeach; ?>

View File

@ -75,12 +75,12 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->willReturn(true);
$authMech->method('isPermitted')
$authMech->method('isVisibleFor')
->willReturn(true);
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn(true);
$backend->method('isPermitted')
$backend->method('isVisibleFor')
->willReturn(true);
$storageConfig = new StorageConfig(1);
@ -116,12 +116,12 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->willReturn(true);
$authMech->method('isPermitted')
$authMech->method('isVisibleFor')
->willReturn(true);
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn(true);
$backend->method('isPermitted')
$backend->method('isVisibleFor')
->willReturn(true);
$storageConfig = new StorageConfig(1);
@ -249,12 +249,12 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->willReturn(true);
$authMech->method('isPermitted')
$authMech->method('isVisibleFor')
->willReturn(true);
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn(true);
$backend->method('isPermitted')
$backend->method('isVisibleFor')
->willReturn(true);
$storageConfig = new StorageConfig(255);
@ -338,13 +338,13 @@ abstract class StoragesControllerTest extends \Test\TestCase {
$backend = $this->getBackendMock();
$backend->method('validateStorage')
->willReturn($backendValidate);
$backend->method('isPermitted')
$backend->method('isVisibleFor')
->willReturn(true);
$authMech = $this->getAuthMechMock();
$authMech->method('validateStorage')
->will($this->returnValue($authMechValidate));
$authMech->method('isPermitted')
$authMech->method('isVisibleFor')
->willReturn(true);
$storageConfig = new StorageConfig();

View File

@ -49,21 +49,15 @@ class UserStoragesControllerTest extends StoragesControllerTest {
}
public function testAddOrUpdateStorageDisallowedBackend() {
$backend1 = $this->getBackendMock();
$backend1->expects($this->once())
->method('isPermitted')
->with(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE)
->willReturn(false);
$backend2 = $this->getBackendMock();
$backend2->expects($this->once())
->method('isPermitted')
->with(BackendService::USER_PERSONAL, BackendService::PERMISSION_MODIFY)
$backend = $this->getBackendMock();
$backend->method('isVisibleFor')
->with(BackendService::VISIBILITY_PERSONAL)
->willReturn(false);
$authMech = $this->getAuthMechMock();
$storageConfig = new StorageConfig(1);
$storageConfig->setMountPoint('mount');
$storageConfig->setBackend($backend1);
$storageConfig->setBackend($backend);
$storageConfig->setAuthMechanism($authMech);
$storageConfig->setBackendOptions([]);
@ -88,8 +82,6 @@ class UserStoragesControllerTest extends StoragesControllerTest {
$this->assertEquals(Http::STATUS_UNPROCESSABLE_ENTITY, $response->getStatus());
$storageConfig->setBackend($backend2);
$response = $this->controller->update(
1,
'mount',

View File

@ -83,11 +83,11 @@ class BackendServiceTest extends \Test\TestCase {
$backendAllowed = $this->getBackendMock('\User\Mount\Allowed');
$backendAllowed->expects($this->never())
->method('removePermission');
->method('removeVisibility');
$backendNotAllowed = $this->getBackendMock('\User\Mount\NotAllowed');
$backendNotAllowed->expects($this->once())
->method('removePermission')
->with(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE | BackendService::PERMISSION_MOUNT);
->method('removeVisibility')
->with(BackendService::VISIBILITY_PERSONAL);
$backendAlias = $this->getMockBuilder('\OCA\Files_External\Lib\Backend\Backend')
->disableOriginalConstructor()