Add "single user mode" which restricts access to users in the admin group

This can be enabled by setting 'singleuser' to true in config.php

2 files changed, 19 insertions, 1 deletions

diff --git a/lib/base.php b/lib/base.php
index 865d174d212..b361ac3c71a 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -230,6 +230,22 @@ class OC {
 		}
 	}
 
+	public static function checkSingleUserMode() {
+		$user = OC_User::getUserSession()->getUser();
+		$group = OC_Group::getManager()->get('admin');
+		if ($user && OC_Config::getValue('singleuser', false) && !$group->inGroup($user)) {
+			// send http status 503
+			header('HTTP/1.1 503 Service Temporarily Unavailable');
+			header('Status: 503 Service Temporarily Unavailable');
+			header('Retry-After: 120');
+
+			// render error page
+			$tmpl = new OC_Template('', 'singleuser.user', 'guest');
+			$tmpl->printPage();
+			die();
+		}
+	}
+
 	public static function checkUpgrade($showTemplate = true) {
 		if (OC_Config::getValue('installed', false)) {
 			$installedVersion = OC_Config::getValue('version', '0.0.0');
@@ -652,11 +668,12 @@ class OC {
 		// Test it the user is already authenticated using Apaches AuthType Basic... very usable in combination with LDAP
 		OC::tryBasicAuthLogin();
 
-		if (!self::$CLI) {
+		if (!self::$CLI and (!isset($_GET["logout"]) or ($_GET["logout"] !== 'true'))) {
 			try {
 				if (!OC_Config::getValue('maintenance', false)) {
 					OC_App::loadApps();
 				}
+				self::checkSingleUserMode();
 				OC::getRouter()->match(OC_Request::getRawPathInfo());
 				return;
 			} catch (Symfony\Component\Routing\Exception\ResourceNotFoundException $e) {
diff --git a/public.php b/public.php
index 203372fe1ea..767295b98db 100644
--- a/public.php
+++ b/public.php
@@ -5,6 +5,7 @@ try {
 
 	require_once 'lib/base.php';
 	OC::checkMaintenanceMode();
+	OC::checkSingleUserMode();
 	if (!isset($_GET['service'])) {
 		header('HTTP/1.0 404 Not Found');
 		exit;