author | Robin Appelman <icewind@owncloud.com> | 2016-08-01 19:06:54 +0200 |
---|---|---|
committer | Robin Appelman <robin@icewind.nl> | 2016-11-16 15:24:27 +0100 |
commit | 2389e0f25065ca9c7afbc70cc13d555524e363a8 (patch) | |
tree | 0bd2e8196922e5d62231a67d37a1c07ad876bca9 /lib/private | |
parent | b56f2c9ed01332bbeaee73599a0ea166c62d01e8 (diff) | |
read lockdown scope from token
Signed-off-by: Robin Appelman <icewind@owncloud.com>
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/Authentication/Token/DefaultToken.php | 13 | ||||
-rw-r--r-- | lib/private/Authentication/Token/DefaultTokenMapper.php | 4 | ||||
-rw-r--r-- | lib/private/Authentication/Token/IToken.php | 4 | ||||
-rw-r--r-- | lib/private/Lockdown/LockdownManager.php | 24 | ||||
-rw-r--r-- | lib/private/User/Session.php | 3 |
5 files changed, 38 insertions, 10 deletions
diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php
index faef2f73b33..0c45c9efa56 100644
--- a/lib/private/Authentication/Token/DefaultToken.php
+++ b/lib/private/Authentication/Token/DefaultToken.php
@@ -87,6 +87,11 @@ class DefaultToken extends Entity implements IToken {
 	 */
 	protected $lastCheck;
 
+	/**
+	 * @var string
+	 */
+	protected $scope;
+
 	public function getId() {
 		return $this->id;
 	}
@@ -119,6 +124,7 @@ class DefaultToken extends Entity implements IToken {
 			'name' => $this->name,
 			'lastActivity' => $this->lastActivity,
 			'type' => $this->type,
+			'scope' => $this->getScope()
 		];
 	}
 
@@ -140,4 +146,11 @@ class DefaultToken extends Entity implements IToken {
 		return parent::setLastCheck($time);
 	}
 
+	public function getScope() {
+		return json_decode(parent::getScope(), true);
+	}
+
+	public function setScope($scope) {
+		return parent::setScope(json_encode($scope));
+	}
 }
diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php
index 752974ff240..e2a17ca0f91 100644
--- a/lib/private/Authentication/Token/DefaultTokenMapper.php
+++ b/lib/private/Authentication/Token/DefaultTokenMapper.php
@@ -72,7 +72,7 @@ class DefaultTokenMapper extends Mapper {
 	public function getToken($token) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
+		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
 			->from('authtoken')
 			->where($qb->expr()->eq('token', $qb->createParameter('token')))
 			->setParameter('token', $token)
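Review bot: getScope() in the last DefaultToken hunk returns `json_decode(parent::getScope(), true)` with no error check, so a corrupt or non-JSON scope column decodes to null, and the LockdownManager hunk of this same commit treats a null scope as unrestricted (`!$this->scope || ...`) — a decode failure therefore lifts the lockdown instead of failing closed. Keep null for rows that genuinely have no scope stored, but reject a value that is present and does not decode to an array; whether to throw or to return a fully restricted scope depends on what the callers of getScope() expect, which is not visible here. The `@var string` docblock on the new property should also say it holds the JSON-encoded scope, since getScope() returns `array|null`, and setScope() should document that it takes an array.
```php
	public function getScope() {
		$raw = parent::getScope();
		if ($raw === null || $raw === '') {
			// no scope stored for this token (pre-existing rows): unrestricted
			return null;
		}
		$scope = json_decode($raw, true);
		if (json_last_error() !== JSON_ERROR_NONE || !is_array($scope)) {
			// a corrupt scope must not silently become "no restrictions"
			throw new \UnexpectedValueException('Token scope is not valid JSON');
		}
		return $scope;
	}

	// … unchanged: setScope …
```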
@@ -98,7 +98,7 @@ class DefaultTokenMapper extends Mapper {
 	public function getTokenByUser(IUser $user) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
+		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
 			->from('authtoken')
 			->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
 			->setMaxResults(1000);
diff --git a/lib/private/Authentication/Token/IToken.php b/lib/private/Authentication/Token/IToken.php
index 14811dd3201..3fa8ccbb078 100644
--- a/lib/private/Authentication/Token/IToken.php
+++ b/lib/private/Authentication/Token/IToken.php
@@ -72,4 +72,8 @@ interface IToken extends JsonSerializable {
 	 * @param int $time
 	 */
 	public function setLastCheck($time);
+
+	public function getScope();
+
+	public function setScope($scope);
 }
diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php
index 9f10646a9dd..150b54bdba2 100644
--- a/lib/private/Lockdown/LockdownManager.php
+++ b/lib/private/Lockdown/LockdownManager.php
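Review bot: The two methods added to IToken carry no docblocks, while the rest of the interface documents every parameter (the `@param int $time` line directly above them). Because DefaultToken JSON-encodes on write and decodes on read, the contract should state what callers get and give: `/** @return array|null the decoded scope, or null when the token has no scope */` on getScope() and `/** @param array $scope */` on setScope(). Any other implementation of IToken (none is visible in this commit) would then have to honour the same array-in, array-out contract.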
@@ -23,24 +23,36 @@ use OC\Authentication\Token\IToken;
 use OCP\Lockdown\ILockdownManager;
 
 class LockdownManager implements ILockdownManager {
-	/** @var IToken|null */
-	private $token;
-
 	private $enabled = false;
 
+	/** @var array|null */
+	private $scope;
+
 	public function enable() {
 		$this->enabled = true;
 	}
 
 	public function setToken(IToken $token) {
-		$this->token = $token;
+		$this->scope = $token->getScope();
+		$this->enable();
 	}
 
 	public function canAccessFilesystem() {
-		return true;
+		if (!$this->enabled) {
+			return true;
+		}
+		return !$this->scope || $this->scope['filesystem'];
 	}
 
 	public function canAccessApp($app) {
-		return $app === 'logreader' || $app === 'files' || $app === 'dav';
+		if (!$this->enabled) {
+			return true;
+		}
+		if ($this->scope && $this->scope['apps']) {
+			return in_array($app, $this->scope['apps']);
+		} else {
+			// no limit
+			return true;
+		}
 	}
 }
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 82af9281a4c..6033f060504 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -341,12 +341,10 @@ class Session implements IUserSession, Emitter {
 
 		if ($isTokenPassword) {
 			$this->session->set('app_password', $password);
-			\OC::$server->getLockdownManager()->setToken($this->tokenProvider->getToken($password));
 		} else if($this->supportsCookies($request)) {
 			// Password login, but cookies supported -> create (browser) session token
 			$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
 		}
-		\OC::$server->getLockdownManager()->enable();
 		return true;
 	}
 
@@ -527,6 +525,7 @@ class Session implements IUserSession, Emitter {
 			//login
 			$this->setUser($user);
 			$this->setLoginName($dbToken->getLoginName());
+			\OC::$server->getLockdownManager()->setToken($dbToken);
 			$this->manager->emit('\OC\User', 'postLogin', array($user, $password));
 			if ($this->isLoggedIn()) {
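Review bot: canAccessApp() in the LockdownManager hunk calls `in_array($app, $this->scope['apps'])` without strict comparison, so a list entry such as `true` matches every app id under PHP's loose `==`; the membership test should be `return in_array($app, $this->scope['apps'], true);`. The same method treats an empty `apps` list as "no limit", and canAccessFilesystem() reads `$this->scope['filesystem']` without checking the key exists, so a scope that omits either key raises a notice and evaluates to null — decide explicitly whether an absent or empty entry means unrestricted or denied, and use `isset()`/`array_key_exists()` so "key missing" and "empty list" are not conflated. Note also that `!$this->scope` makes an empty array equivalent to null (unrestricted); if a decoded scope can legitimately be `[]`, that branch is fail-open.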
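Review bot: The `$isTokenPassword` branch in the first Session hunk no longer hands the app-password token to the lockdown manager, and the unconditional enable() after it is gone too, so lockdown is now only armed where setToken($dbToken) is called in the later hunk. If that app-password path does not also pass through the later call site, a scoped app password used here would log in with no restriction at all; the enclosing method starts before the hunk, so this needs confirming against the callers. A comment at the former call site, `// lockdown scope is applied by setToken() in the token login path`, would record the intended flow for the next reader.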