author | provokateurin <kate@provokateurin.de> | 2024-06-07 11:34:40 +0200 |
---|---|---|
committer | provokateurin <kate@provokateurin.de> | 2024-07-01 14:41:20 +0200 |
commit | 5aefdc399eb17a86f3c2b59713ca6448479f99fd (patch) | |
tree | 2da8269d8669db9ee05c677a0d8c59e1866994ce /lib/private/AppFramework | |
parent | beececf66068f57c416225efcde9b44ce5c2e835 (diff) | |
feat(AppFramework): Add ExAppRequired attribute
Signed-off-by: provokateurin <kate@provokateurin.de>
Diffstat (limited to 'lib/private/AppFramework')
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/Exceptions/ExAppRequiredException.php | 18 | ||||
-rw-r--r-- | lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php | 10 |
2 files changed, 27 insertions, 1 deletions
diff --git a/lib/private/AppFramework/Middleware/Security/Exceptions/ExAppRequiredException.php b/lib/private/AppFramework/Middleware/Security/Exceptions/ExAppRequiredException.php
new file mode 100644
index 00000000000..77bc7efebac
--- /dev/null
+++ b/lib/private/AppFramework/Middleware/Security/Exceptions/ExAppRequiredException.php
@@ -0,0 +1,18 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\AppFramework\Middleware\Security\Exceptions;
+
+use OCP\AppFramework\Http;
+
+/**
+ * Class ExAppRequiredException is thrown when an endpoint can only be called by an ExApp but the caller is not an ExApp.
+ */
+class ExAppRequiredException extends SecurityException {
+ public function __construct() {
+ parent::__construct('ExApp required', Http::STATUS_PRECONDITION_FAILED);
+ }
+}
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index a38ad610fc6..bc2014da246 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
@@ -10,16 +10,19 @@ namespace OC\AppFramework\Middleware\Security;
 use OC\AppFramework\Middleware\Security\Exceptions\AppNotEnabledException;
 use OC\AppFramework\Middleware\Security\Exceptions\CrossSiteRequestForgeryException;
+use OC\AppFramework\Middleware\Security\Exceptions\ExAppRequiredException;
 use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException;
 use OC\AppFramework\Middleware\Security\Exceptions\NotLoggedInException;
 use OC\AppFramework\Middleware\Security\Exceptions\SecurityException;
 use OC\AppFramework\Middleware\Security\Exceptions\StrictCookieMissingException;
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OC\Settings\AuthorizedGroupMapper;
+use OC\User\Session;
 use OCP\App\AppPathNotFoundException;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
+use OCP\AppFramework\Http\Attribute\ExAppRequired;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
@@ -127,7 +130,12 @@ class SecurityMiddleware extends Middleware {
 // security checks
 $isPublicPage = $this->hasAnnotationOrAttribute($reflectionMethod, 'PublicPage', PublicPage::class);
- if (!$isPublicPage) {
+
+ if ($this->hasAnnotationOrAttribute($reflectionMethod, 'ExAppRequired', ExAppRequired::class)) {
+ if (!$this->userSession instanceof Session || $this->userSession->getSession()->get('app_api') !== true) {
+ throw new ExAppRequiredException();
+ }
+ } elseif (!$isPublicPage) {
 if (!$this->isLoggedIn) {
 throw new NotLoggedInException();
 } |
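Review bot: The `ExAppRequired` branch is chained in front of `elseif (!$isPublicPage)`, so for such endpoints the login check shown here, and whatever else that branch enforces beyond the hunk (presumably the admin checks), no longer runs and access rests solely on the session value `app_api` being `true`. Where that value is written is not part of this commit; it needs to be set only after the ExApp's request authentication has succeeded and must not persist into a session a browser can reuse. The decision deserves a comment above the new `if`, e.g. `// ExApp endpoints are authorized by the app_api session flag alone; the login and admin checks in the branch below are skipped on purpose`. If `ExAppRequired` is ever meant to combine with the other checks, the test would have to be a separate `if` rather than the head of the chain. The enclosing method starts and ends outside the hunk.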