Add ProvisioningAPI middleware

The provisioning API has 3 access levels:

* Admin
* SubAdmin
* User

This middleware adds a check for the SubAdmin part.

2 files changed, 75 insertions, 0 deletions

diff --git a/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php b/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php
new file mode 100644
index 00000000000..007ea04db46
--- /dev/null
+++ b/apps/provisioning_api/lib/Middleware/Exceptions/NotSubAdminException.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace OCA\Provisioning_API\Middleware\Exceptions;
+
+use OCP\AppFramework\Http;
+
+class NotSubAdminException extends \Exception {
+	public function __construct() {
+		parent::__construct('Logged in user must be at least a sub admin', Http::STATUS_FORBIDDEN);
+	}
+}
\ No newline at end of file
diff --git a/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
new file mode 100644
index 00000000000..d9afe596027
--- /dev/null
+++ b/apps/provisioning_api/lib/Middleware/ProvisioningApiMiddleware.php
@@ -0,0 +1,64 @@
+<?php
+
+namespace OCA\Provisioning_API\Middleware;
+
+use OCA\Provisioning_API\Middleware\Exceptions\NotSubAdminException;
+use OCP\AppFramework\Http\Response;
+use OCP\AppFramework\Middleware;
+use OCP\AppFramework\OCS\OCSException;
+use OCP\AppFramework\Utility\IControllerMethodReflector;
+
+class ProvisioningApiMiddleware extends Middleware {
+
+	/** @var IControllerMethodReflector */
+	private $reflector;
+
+	/** @var bool */
+	private $isAdmin;
+
+	/** @var bool */
+	private $isSubAdmin;
+
+	/**
+	 * ProvisioningApiMiddleware constructor.
+	 *
+	 * @param IControllerMethodReflector $reflector
+	 * @param bool $isAdmin
+	 * @param bool $isSubAdmin
+	 */
+	public function __construct(
+		IControllerMethodReflector $reflector,
+		$isAdmin,
+		$isSubAdmin) {
+		$this->reflector = $reflector;
+		$this->isAdmin = $isAdmin;
+		$this->isSubAdmin = $isSubAdmin;
+	}
+
+	/**
+	 * @param \OCP\AppFramework\Controller $controller
+	 * @param string $methodName
+	 *
+	 * @throws NotSubAdminException
+	 */
+	public function beforeController($controller, $methodName) {
+		if (!$this->isAdmin && !$this->reflector->hasAnnotation('NoSubAdminRequired') && !$this->isSubAdmin) {
+			throw new NotSubAdminException();
+		}
+	}
+
+	/**
+	 * @param \OCP\AppFramework\Controller $controller
+	 * @param string $methodName
+	 * @param \Exception $exception
+	 * @throws \Exception
+	 * @return Response
+	 */
+	public function afterException($controller, $methodName, \Exception $exception) {
+		if ($exception instanceof NotSubAdminException) {
+			throw new OCSException($exception->getMessage(), \OCP\API::RESPOND_UNAUTHORISED);
+		}
+
+		throw $exception;
+	}
+}
\ No newline at end of file