authorBart Visscher <bartv@thisnet.nl>2013-01-14 12:53:18 -0800
committerBart Visscher <bartv@thisnet.nl>2013-01-14 12:53:18 -0800
commit53ca0db434f3ad8d043a0a9b76bd59f22af38f99 (patch)
treefd69b40c08932941f31edbb57d8911d847ff230a
parent8b2307ce4b258f103506f85e787acbd552e83302 (diff)
parenteab6d7eb23f66ac4a662a036336b292138e4484c (diff)
Merge pull request #1177 from owncloud/OC_User--isAdminUser()
Check if user is admin - bool
-rw-r--r--config/config.sample.php6
-rw-r--r--core/templates/verify.php18
-rw-r--r--lib/api.php5
-rw-r--r--lib/app.php4
-rw-r--r--lib/json.php21
-rw-r--r--lib/migrate.php2
-rw-r--r--lib/ocs/cloud.php4
-rw-r--r--lib/subadmin.php7
-rw-r--r--lib/user.php13
-rwxr-xr-xlib/util.php45
-rw-r--r--settings/ajax/changepassword.php6
-rw-r--r--settings/ajax/createuser.php4
-rw-r--r--settings/ajax/removeuser.php2
-rw-r--r--settings/ajax/setquota.php2
-rw-r--r--settings/ajax/togglegroups.php4
-rw-r--r--settings/ajax/userlist.php2
-rw-r--r--settings/help.php2
-rw-r--r--settings/settings.php1
-rw-r--r--settings/users.php3
19 files changed, 38 insertions, 113 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index b1655d02830..33aafab5484 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -36,12 +36,6 @@ $CONFIG = array(
/* The automatic protocol detection of ownCloud can fail in certain reverse proxy situations. This option allows to manually override the protocol detection. For example "https" */
"overwriteprotocol" => "",
-/* Enhanced auth forces users to enter their password again when performing potential sensitive actions like creating or deleting users */
-"enhancedauth" => true,
-
-/* Time in seconds how long an user is authenticated without entering his password again before performing sensitive actions like creating or deleting users etc...*/
-"enhancedauthtime" => 15 * 60,
-
/* A proxy to use to connect to the internet. For example "myproxy.org:88" */
"proxy" => "",
diff --git a/core/templates/verify.php b/core/templates/verify.php
deleted file mode 100644
index 600eaca05b7..00000000000
--- a/core/templates/verify.php
+++ /dev/null
@@ -1,18 +0,0 @@
-<form method="post">
- <fieldset>
- <ul>
- <li class="errors">
- <?php echo $l->t('Security Warning!'); ?><br>
- <small><?php echo $l->t("Please verify your password. <br/>For security reasons you may be occasionally asked to enter your password again."); ?></small>
- </li>
- </ul>
- <p class="infield">
- <input type="text" value="<?php echo $_['username']; ?>" disabled="disabled" />
- </p>
- <p class="infield">
- <label for="password" class="infield"><?php echo $l->t( 'Password' ); ?></label>
- <input type="password" name="password" id="password" value="" required />
- </p>
- <input type="submit" id="submit" class="login" value="<?php echo $l->t( 'Verify' ); ?>" />
- </fieldset>
-</form>
diff --git a/lib/api.php b/lib/api.php
index cb67e0c2a89..c464cd04913 100644
--- a/lib/api.php
+++ b/lib/api.php
@@ -127,8 +127,7 @@ class OC_API {
return false;
} else {
$subAdmin = OC_SubAdmin::isSubAdmin($user);
- $admin = OC_Group::inGroup($user, 'admin');
- if($subAdmin || $admin) {
+ if($subAdmin) {
return true;
} else {
return false;
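Review bot: The new `if($subAdmin) { return true; } else { return false; }` left behind after the `$admin` line was removed is a boolean round-trip; `return OC_SubAdmin::isSubAdmin($user);` expresses the same thing in one line. Dropping the explicit `OC_Group::inGroup($user, 'admin')` is only correct because this same commit makes `OC_SubAdmin::isSubAdmin()` return true for members of the admin group (lib/subadmin.php), so this branch now silently depends on that; a comment such as `// isSubAdmin() also returns true for admins` keeps the admin case visible to the next reader. The enclosing method starts outside the hunk.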
@@ -141,7 +140,7 @@ class OC_API {
if(!$user) {
return false;
} else {
- return OC_Group::inGroup($user, 'admin');
+ return OC_User::isAdminUser($user);
}
break;
default:
diff --git a/lib/app.php b/lib/app.php
index e60bce2a201..3b039733fe5 100644
--- a/lib/app.php
+++ b/lib/app.php
@@ -313,14 +313,14 @@ class OC_App{
$settings[]=array( "id" => "settings", "order" => 1000, "href" => OC_Helper::linkToRoute( "settings_settings" ), "name" => $l->t("Settings"), "icon" => OC_Helper::imagePath( "settings", "settings.svg" ));
//SubAdmins are also allowed to access user management
- if(OC_SubAdmin::isSubAdmin($_SESSION["user_id"]) || OC_Group::inGroup( $_SESSION["user_id"], "admin" )) {
+ if(OC_SubAdmin::isSubAdmin(OC_User::getUser())) {
// admin users menu
$settings[] = array( "id" => "core_users", "order" => 2, "href" => OC_Helper::linkToRoute( "settings_users" ), "name" => $l->t("Users"), "icon" => OC_Helper::imagePath( "settings", "users.svg" ));
}
// if the user is an admin
- if(OC_Group::inGroup( $_SESSION["user_id"], "admin" )) {
+ if(OC_User::isAdminUser(OC_User::getUser())) {
// admin apps menu
$settings[] = array( "id" => "core_apps", "order" => 3, "href" => OC_Helper::linkToRoute( "settings_apps" ).'?installed', "name" => $l->t("Apps"), "icon" => OC_Helper::imagePath( "settings", "apps.svg" ));
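Review bot: The comment `//SubAdmins are also allowed to access user management` above the new `OC_SubAdmin::isSubAdmin(OC_User::getUser())` condition no longer explains why admins pass it: the explicit admin check was removed from this line and now lives inside `OC_SubAdmin::isSubAdmin()` (changed in this same commit). Suggest `// admins and subadmins may access user management; isSubAdmin() covers both` so the intent survives a later change to isSubAdmin(). Replacing `$_SESSION["user_id"]` with `OC_User::getUser()` is a good consistency fix. The enclosing method starts and ends outside the hunk.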
diff --git a/lib/json.php b/lib/json.php
index 204430411c0..c87de3e200b 100644
--- a/lib/json.php
+++ b/lib/json.php
@@ -57,9 +57,7 @@ class OC_JSON{
* Check if the user is a admin, send json error msg if not
*/
public static function checkAdminUser() {
- self::checkLoggedIn();
- self::verifyUser();
- if( !OC_Group::inGroup( OC_User::getUser(), 'admin' )) {
+ if( !OC_User::isAdminUser(OC_User::getUser())) {
$l = OC_L10N::get('lib');
self::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
exit();
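Review bot: `checkAdminUser()` no longer calls `self::checkLoggedIn()` before the admin test, so for a request with no session the new line passes whatever `OC_User::getUser()` returns (documented in lib/user.php as `uid or false`) into `OC_User::isAdminUser()` and from there into `OC_Group::inGroup(false, 'admin')`. Access is still denied only if that call is guaranteed to return false for a non-string uid, which neither this hunk nor the new helper establishes; the same applies to `checkSubAdminUser()` in the next hunk and to `OC_Util::checkAdminUser()` and `OC_Util::checkSubAdminUser()` in lib/util.php. Keeping an explicit `self::checkLoggedIn();` as the first statement of all four methods (or making `OC_User::isAdminUser()` return false for a false/empty uid) keeps authentication and authorization as separate, visible steps. The enclosing class continues outside the hunk.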
@@ -70,27 +68,12 @@ class OC_JSON{
* Check if the user is a subadmin, send json error msg if not
*/
public static function checkSubAdminUser() {
- self::checkLoggedIn();
- self::verifyUser();
- if(!OC_Group::inGroup(OC_User::getUser(), 'admin') && !OC_SubAdmin::isSubAdmin(OC_User::getUser())) {
+ if(!OC_SubAdmin::isSubAdmin(OC_User::getUser())) {
$l = OC_L10N::get('lib');
self::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
exit();
}
}
-
- /**
- * Check if the user verified the login with his password
- */
- public static function verifyUser() {
- if(OC_Config::getValue('enhancedauth', false) === true) {
- if(!isset($_SESSION['verifiedLogin']) OR $_SESSION['verifiedLogin'] < time()) {
- $l = OC_L10N::get('lib');
- self::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
- exit();
- }
- }
- }
/**
* Send json error msg
diff --git a/lib/migrate.php b/lib/migrate.php
index 5ff8e338a44..62ab00bc332 100644
--- a/lib/migrate.php
+++ b/lib/migrate.php
@@ -219,7 +219,7 @@ class OC_Migrate{
// We need to be an admin if we are not importing our own data
if(($type == 'user' && self::$uid != $currentuser) || $type != 'user' ) {
- if( !OC_Group::inGroup( OC_User::getUser(), 'admin' )) {
+ if( !OC_User::isAdminUser($currentuser)) {
// Naughty.
OC_Log::write( 'migration', 'Import not permitted.', OC_Log::ERROR );
return json_encode( array( 'success' => false ) );
diff --git a/lib/ocs/cloud.php b/lib/ocs/cloud.php
index 21095ec91e9..4564a1e9f1f 100644
--- a/lib/ocs/cloud.php
+++ b/lib/ocs/cloud.php
@@ -40,7 +40,7 @@ class OC_OCS_Cloud {
public static function getUserQuota($parameters) {
$user = OC_User::getUser();
- if(OC_Group::inGroup($user, 'admin') or ($user==$parameters['user'])) {
+ if(OC_User::isAdminUser($user) or ($user==$parameters['user'])) {
if(OC_User::userExists($parameters['user'])) {
// calculate the disc space
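Review bot: The new condition keeps `$user==$parameters['user']` as a loose comparison on a request-supplied value and reads `$parameters['user']` without checking it is set; `OC_User::isAdminUser($user) || (isset($parameters['user']) && $user === $parameters['user'])` is the stricter form. `or` also binds lower than `||` in PHP, which is harmless inside this `if()` but worth normalising to `||` while the line is being touched. The same comparison is repeated in the `getUserPrivatekey()` hunk below.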
@@ -82,7 +82,7 @@ class OC_OCS_Cloud {
public static function getUserPrivatekey($parameters) {
$user = OC_User::getUser();
- if(OC_Group::inGroup($user, 'admin') or ($user==$parameters['user'])) {
+ if(OC_User::isAdminUser($user) or ($user==$parameters['user'])) {
if(OC_User::userExists($user)) {
// calculate the disc space
diff --git a/lib/subadmin.php b/lib/subadmin.php
index 9e83e6da430..8cda7240ac9 100644
--- a/lib/subadmin.php
+++ b/lib/subadmin.php
@@ -122,6 +122,11 @@ class OC_SubAdmin{
* @return bool
*/
public static function isSubAdmin($uid) {
+ // Check if the user is already an admin
+ if(OC_Group::inGroup($uid, 'admin' )) {
+ return true;
+ }
+
$stmt = OC_DB::prepare('SELECT COUNT(*) AS `count` FROM `*PREFIX*group_admin` WHERE `uid` = ?');
$result = $stmt->execute(array($uid));
$result = $result->fetchRow();
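Review bot: `isSubAdmin()` now returns true for every member of the admin group, but the docblock that ends just above the hunk (its `@return bool` line is visible) still describes a plain sub-admin check; a line such as ` * Note: also returns true for admins, so callers need no separate admin check` should be added, because several callers in this commit (lib/api.php, lib/app.php, OC_JSON/OC_Util::checkSubAdminUser) now rely on exactly that. For consistency with the rest of the commit the new check should go through the helper introduced here, `if(OC_User::isAdminUser($uid)) {`, instead of calling `OC_Group::inGroup($uid, 'admin' )` directly, so the admin-group name lives in one place. The method body continues past the hunk.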
@@ -141,7 +146,7 @@ class OC_SubAdmin{
if(!self::isSubAdmin($subadmin)) {
return false;
}
- if(OC_Group::inGroup($user, 'admin')) {
+ if(OC_User::isAdminUser($user)) {
return false;
}
$accessiblegroups = self::getSubAdminsGroups($subadmin);
diff --git a/lib/user.php b/lib/user.php
index 80f88ca7052..8d4eb7aec4d 100644
--- a/lib/user.php
+++ b/lib/user.php
@@ -300,6 +300,19 @@ class OC_User {
}
/**
+ * @brief Check if the user is an admin user
+ * @param $uid uid of the admin
+ * @returns bool
+ */
+ public static function isAdminUser($uid) {
+ if(OC_Group::inGroup($uid, 'admin' )) {
+ return true;
+ }
+ return false;
+ }
+
+
+ /**
* @brief get the user id of the user currently logged in.
* @return string uid or false
*/
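Review bot: `isAdminUser()` wraps a boolean in `if(...) { return true; } return false;`; `return OC_Group::inGroup($uid, 'admin');` is the direct form. The docblock is also off: `@param $uid uid of the admin` should read `@param string $uid uid of the user to check`, and `@returns bool` should be `@return bool`, matching the `@return string uid or false` convention used in the docblock right below. Since callers throughout this commit pass `OC_User::getUser()`, which that docblock says may be `false`, an explicit early `if($uid === false || $uid === '') { return false; }` would make sure an unauthenticated request never reaches the group lookup. The double blank line after the method is one too many.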
diff --git a/lib/util.php b/lib/util.php
index 7b1de094ead..a8576fc1057 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -342,10 +342,7 @@ class OC_Util {
* Check if the user is a admin, redirects to home if not
*/
public static function checkAdminUser() {
- // Check if we are a user
- self::checkLoggedIn();
- self::verifyUser();
- if( !OC_Group::inGroup( OC_User::getUser(), 'admin' )) {
+ if( !OC_User::isAdminUser(OC_User::getUser())) {
header( 'Location: '.OC_Helper::linkToAbsolute( '', 'index.php' ));
exit();
}
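Review bot: Besides the admin-check refactor, this hunk together with the matching OC_JSON hunk, the deletion of `verifyUser()`/`isUserVerified()` further down in lib/util.php, the deleted core/templates/verify.php and the removed `enhancedauth`/`enhancedauthtime` config keys drops the password re-verification step for sensitive admin actions entirely, yet the PR title `Check if user is admin - bool` and the commit message do not say so. config.sample.php shipped `enhancedauth` as `true`, so installations relying on it presumably lose that protection silently on upgrade; the commit description or a changelog entry should state that the feature is removed and that the two config keys are now ignored. The enclosing class continues outside the hunk.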
@@ -356,12 +353,6 @@ class OC_Util {
* @return array $groups where the current user is subadmin
*/
public static function checkSubAdminUser() {
- // Check if we are a user
- self::checkLoggedIn();
- self::verifyUser();
- if(OC_Group::inGroup(OC_User::getUser(), 'admin')) {
- return true;
- }
if(!OC_SubAdmin::isSubAdmin(OC_User::getUser())) {
header( 'Location: '.OC_Helper::linkToAbsolute( '', 'index.php' ));
exit();
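Review bot: The docblock at the top of the hunk still says `@return array $groups where the current user is subadmin`, but after removing the `return true` shortcut for admins the visible body only redirects and exits for non-sub-admins; the method end is outside the hunk, so I cannot see what it returns on success, but the doc should be checked against that and amended (for example `@return bool|array`) if admins now fall through to the same return as sub-admins. The removed admin shortcut is covered by `OC_SubAdmin::isSubAdmin()` returning true for admins in this commit, which deserves a one-line comment here: `// isSubAdmin() also accepts admins`.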
@@ -370,40 +361,6 @@ class OC_Util {
}
/**
- * Check if the user verified the login with his password in the last 15 minutes
- * If not, the user will be shown a password verification page
- */
- public static function verifyUser() {
- if(OC_Config::getValue('enhancedauth', false) === true) {
- // Check password to set session
- if(isset($_POST['password'])) {
- if (OC_User::login(OC_User::getUser(), $_POST["password"] ) === true) {
- $_SESSION['verifiedLogin']=time() + OC_Config::getValue('enhancedauthtime', 15 * 60);
- }
- }
-
- // Check if the user verified his password
- if(!isset($_SESSION['verifiedLogin']) OR $_SESSION['verifiedLogin'] < time()) {
- OC_Template::printGuestPage("", "verify", array('username' => OC_User::getUser()));
- exit();
- }
- }
- }
-
- /**
- * Check if the user verified the login with his password
- * @return bool
- */
- public static function isUserVerified() {
- if(OC_Config::getValue('enhancedauth', false) === true) {
- if(!isset($_SESSION['verifiedLogin']) OR $_SESSION['verifiedLogin'] < time()) {
- return false;
- }
- }
- return true;
- }
-
- /**
* Redirect to the user default page
*/
public static function redirectToDefaultPage() {
diff --git a/settings/ajax/changepassword.php b/settings/ajax/changepassword.php
index b2db2611518..8d45e62e4d8 100644
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@@ -9,7 +9,7 @@ $password = $_POST["password"];
$oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';
$userstatus = null;
-if(OC_Group::inGroup(OC_User::getUser(), 'admin')) {
+if(OC_User::isAdminUser(OC_User::getUser())) {
$userstatus = 'admin';
}
if(OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username)) {
@@ -30,10 +30,6 @@ if(is_null($userstatus)) {
exit();
}
-if($userstatus === 'admin' || $userstatus === 'subadmin') {
- OC_JSON::verifyUser();
-}
-
// Return Success story
if( OC_User::setPassword( $username, $password )) {
OC_JSON::success(array("data" => array( "username" => $username )));
diff --git a/settings/ajax/createuser.php b/settings/ajax/createuser.php
index addae78517a..09ef25d92fa 100644
--- a/settings/ajax/createuser.php
+++ b/settings/ajax/createuser.php
@@ -3,9 +3,7 @@
OCP\JSON::callCheck();
OC_JSON::checkSubAdminUser();
-$isadmin = OC_Group::inGroup(OC_User::getUser(), 'admin')?true:false;
-
-if($isadmin) {
+if(OC_User::isAdminUser(OC_User::getUser())) {
$groups = array();
if( isset( $_POST["groups"] )) {
$groups = $_POST["groups"];
diff --git a/settings/ajax/removeuser.php b/settings/ajax/removeuser.php
index 9ffb32a0b23..bf3a34f1472 100644
--- a/settings/ajax/removeuser.php
+++ b/settings/ajax/removeuser.php
@@ -10,7 +10,7 @@ if(OC_User::getUser() === $username) {
exit;
}
-if(!OC_Group::inGroup(OC_User::getUser(), 'admin') && !OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username)) {
+if(!OC_User::isAdminUser(OC_User::getUser()) && !OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username)) {
$l = OC_L10N::get('core');
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
exit();
diff --git a/settings/ajax/setquota.php b/settings/ajax/setquota.php
index 845f8ea408c..356466c0c00 100644
--- a/settings/ajax/setquota.php
+++ b/settings/ajax/setquota.php
@@ -10,7 +10,7 @@ OCP\JSON::callCheck();
$username = isset($_POST["username"])?$_POST["username"]:'';
-if(($username == '' && !OC_Group::inGroup(OC_User::getUser(), 'admin')) || (!OC_Group::inGroup(OC_User::getUser(), 'admin') && !OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username))) {
+if(($username == '' && !OC_User::isAdminUser(OC_User::getUser()))|| (!OC_User::isAdminUser(OC_User::getUser()) && !OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username))) {
$l = OC_L10N::get('core');
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
exit();
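Review bot: The new condition evaluates `OC_User::isAdminUser(OC_User::getUser())` twice on one line and lost the space before `||`. Hoisting the lookup makes the rule readable and halves the group queries: `$isAdmin = OC_User::isAdminUser(OC_User::getUser());` followed by `if(!$isAdmin && ($username === '' || !OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username))) {`, which is logically equivalent to the original. Using `===` for the empty-string test also avoids a loose comparison on a `$_POST` value. The script continues outside the hunk.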
diff --git a/settings/ajax/togglegroups.php b/settings/ajax/togglegroups.php
index 83d455550ae..548dc2e209b 100644
--- a/settings/ajax/togglegroups.php
+++ b/settings/ajax/togglegroups.php
@@ -7,13 +7,13 @@ $success = true;
$username = $_POST["username"];
$group = $_POST["group"];
-if($username == OC_User::getUser() && $group == "admin" && OC_Group::inGroup($username, 'admin')) {
+if($username == OC_User::getUser() && $group == "admin" && OC_User::isAdminUser($username)) {
$l = OC_L10N::get('core');
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Admins can\'t remove themself from the admin group'))));
exit();
}
-if(!OC_Group::inGroup(OC_User::getUser(), 'admin') && (!OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username) || !OC_SubAdmin::isGroupAccessible(OC_User::getUser(), $group))) {
+if(!OC_User::isAdminUser(OC_User::getUser()) && (!OC_SubAdmin::isUserAccessible(OC_User::getUser(), $username) || !OC_SubAdmin::isGroupAccessible(OC_User::getUser(), $group))) {
$l = OC_L10N::get('core');
OC_JSON::error(array( 'data' => array( 'message' => $l->t('Authentication error') )));
exit();
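Review bot: The first new line keeps `$username == OC_User::getUser()` and `$group == "admin"` as loose comparisons on `$_POST` values; strict `===` is the safer form for both, e.g. `if($username === OC_User::getUser() && $group === "admin" && OC_User::isAdminUser($username)) {`. The self-removal guard is a sensible check to keep, and the second new line follows the same `OC_User::isAdminUser(OC_User::getUser())` pattern as the rest of the commit. The script continues outside the hunk.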
diff --git a/settings/ajax/userlist.php b/settings/ajax/userlist.php
index eaeade60a39..9bbff80ea0c 100644
--- a/settings/ajax/userlist.php
+++ b/settings/ajax/userlist.php
@@ -28,7 +28,7 @@ if (isset($_GET['offset'])) {
$offset = 0;
}
$users = array();
-if (OC_Group::inGroup(OC_User::getUser(), 'admin')) {
+if (OC_User::isAdminUser(OC_User::getUser())) {
$batch = OC_User::getUsers('', 10, $offset);
foreach ($batch as $user) {
$users[] = array(
diff --git a/settings/help.php b/settings/help.php
index cd3d615425c..a5ac11ec9a3 100644
--- a/settings/help.php
+++ b/settings/help.php
@@ -27,7 +27,7 @@ $url1=OC_Helper::linkToRoute( "settings_help" ).'?mode=user';
$url2=OC_Helper::linkToRoute( "settings_help" ).'?mode=admin';
$tmpl = new OC_Template( "settings", "help", "user" );
-$tmpl->assign( "admin", OC_Group::inGroup(OC_User::getUser(), 'admin') );
+$tmpl->assign( "admin", OC_User::isAdminUser(OC_User::getUser()));
$tmpl->assign( "url", $url );
$tmpl->assign( "url1", $url1 );
$tmpl->assign( "url2", $url2 );
diff --git a/settings/settings.php b/settings/settings.php
index add94b5b011..1e05452ec4d 100644
--- a/settings/settings.php
+++ b/settings/settings.php
@@ -6,7 +6,6 @@
*/
OC_Util::checkLoggedIn();
-OC_Util::verifyUser();
OC_App::loadApps();
OC_Util::addStyle( 'settings', 'settings' );
diff --git a/settings/users.php b/settings/users.php
index 07a7620d3c0..1a32a7ecb5b 100644
--- a/settings/users.php
+++ b/settings/users.php
@@ -18,8 +18,7 @@ OC_App::setActiveNavigationEntry( 'core_users' );
$users = array();
$groups = array();
-$isadmin = OC_Group::inGroup(OC_User::getUser(), 'admin')?true:false;
-if($isadmin) {
+if(OC_User::isAdminUser(OC_User::getUser())) {
$accessiblegroups = OC_Group::getGroups();
$accessibleusers = OC_User::getUsers('', 30);
$subadmins = OC_SubAdmin::getAllSubAdmins();