-rw-r--r-- | db_structure.xml | 7 | ||||
-rw-r--r-- | lib/private/Authentication/Token/DefaultToken.php | 13 | ||||
-rw-r--r-- | lib/private/Authentication/Token/DefaultTokenMapper.php | 4 | ||||
-rw-r--r-- | lib/private/Authentication/Token/IToken.php | 4 | ||||
-rw-r--r-- | lib/private/Lockdown/LockdownManager.php | 24 | ||||
-rw-r--r-- | lib/private/User/Session.php | 3 | ||||
-rw-r--r-- | version.php | 2 |
7 files changed, 46 insertions, 11 deletions
diff --git a/db_structure.xml b/db_structure.xml index 09dbde710d3..c7e1e072a8e 100644 --- a/db_structure.xml +++ b/db_structure.xml @@ -1152,6 +1152,13 @@ <length>4</length> </field> + <field> + <name>scope</name> + <type>clob</type> + <default></default> + <notnull>false</notnull> + </field> + <index> <name>authtoken_token_index</name> <unique>true</unique> diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php index faef2f73b33..0c45c9efa56 100644 --- a/lib/private/Authentication/Token/DefaultToken.php +++ b/lib/private/Authentication/Token/DefaultToken.php @@ -87,6 +87,11 @@ class DefaultToken extends Entity implements IToken { */ protected $lastCheck; + /** + * @var string + */ + protected $scope; + public function getId() { return $this->id; } @@ -119,6 +124,7 @@ class DefaultToken extends Entity implements IToken { 'name' => $this->name, 'lastActivity' => $this->lastActivity, 'type' => $this->type, + 'scope' => $this->getScope() ]; } @@ -140,4 +146,11 @@ class DefaultToken extends Entity implements IToken { return parent::setLastCheck($time); } + public function getScope() { + return json_decode(parent::getScope(), true); + } + + public function setScope($scope) { + return parent::setScope(json_encode($scope)); + } } diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php index 752974ff240..e2a17ca0f91 100644 --- a/lib/private/Authentication/Token/DefaultTokenMapper.php +++ b/lib/private/Authentication/Token/DefaultTokenMapper.php 
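Review bot: `getScope()` in the last DefaultToken.php hunk returns `json_decode(parent::getScope(), true)` unchecked, so a NULL column, an empty string and a corrupted value all come back as `null`, which LockdownManager in this same commit treats as an unrestricted token. The getter should tell "no scope stored" apart from "stored scope failed to decode" and refuse or log the latter, for example by testing `json_last_error() !== JSON_ERROR_NONE` after decoding a non-empty value. `setScope()` likewise passes on whatever `json_encode($scope)` returns, including `false` on failure. Neither accessor has a docblock stating the expected array shape.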
@@ -72,7 +72,7 @@ class DefaultTokenMapper extends Mapper { public function getToken($token) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check') + $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope') ->from('authtoken') ->where($qb->expr()->eq('token', $qb->createParameter('token'))) ->setParameter('token', $token) @@ -98,7 +98,7 @@ class DefaultTokenMapper extends Mapper { public function getTokenByUser(IUser $user) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check') + $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope') ->from('authtoken') ->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID()))) ->setMaxResults(1000); diff --git a/lib/private/Authentication/Token/IToken.php b/lib/private/Authentication/Token/IToken.php index 14811dd3201..3fa8ccbb078 100644 --- a/lib/private/Authentication/Token/IToken.php +++ b/lib/private/Authentication/Token/IToken.php @@ -72,4 +72,8 @@ interface IToken extends JsonSerializable { * @param int $time */ public function setLastCheck($time); + + public function getScope(); + + public function setScope($scope); } diff --git a/lib/private/Lockdown/LockdownManager.php b/lib/private/Lockdown/LockdownManager.php index 9f10646a9dd..150b54bdba2 100644 --- a/lib/private/Lockdown/LockdownManager.php +++ b/lib/private/Lockdown/LockdownManager.php 
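Review bot: `getScope()` and `setScope($scope)` are added to IToken without docblocks, while the `setLastCheck($time)` declaration just above them is documented. Because the scope drives access decisions, the contract belongs on the interface: I would add `/** @return array|null decoded scope; null means the token is unrestricted */` on the getter and `/** @param array|null $scope */` on the setter. A further sentence should name the keys consumers read, which in this commit are `filesystem` and `apps` in LockdownManager.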
@@ -23,24 +23,36 @@ use OC\Authentication\Token\IToken; use OCP\Lockdown\ILockdownManager; class LockdownManager implements ILockdownManager { - /** @var IToken|null */ - private $token; - private $enabled = false; + /** @var array|null */ + private $scope; + public function enable() { $this->enabled = true; } public function setToken(IToken $token) { - $this->token = $token; + $this->scope = $token->getScope(); + $this->enable(); } public function canAccessFilesystem() { - return true; + if (!$this->enabled) { + return true; + } + return !$this->scope || $this->scope['filesystem']; } public function canAccessApp($app) { - return $app === 'logreader' || $app === 'files' || $app === 'dav'; + if (!$this->enabled) { + return true; + } + if ($this->scope && $this->scope['apps']) { + return in_array($app, $this->scope['apps']); + } else { + // no limit + return true; + } } } diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 82af9281a4c..6033f060504 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -341,12 +341,10 @@ class Session implements IUserSession, Emitter { if ($isTokenPassword) { $this->session->set('app_password', $password); - \OC::$server->getLockdownManager()->setToken($this->tokenProvider->getToken($password)); } else if($this->supportsCookies($request)) { // Password login, but cookies supported -> create (browser) session token $this->createSessionToken($request, $this->getUser()->getUID(), $user, $password); } - \OC::$server->getLockdownManager()->enable(); return true; } @@ -527,6 +525,7 @@ class Session implements IUserSession, Emitter { //login $this->setUser($user); $this->setLoginName($dbToken->getLoginName()); + \OC::$server->getLockdownManager()->setToken($dbToken); $this->manager->emit('\OC\User', 'postLogin', array($user, $password)); if ($this->isLoggedIn()) { diff --git a/version.php b/version.php index 42a0e7c9bdb..d556386a848 100644 --- a/version.php +++ b/version.php 
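Review bot: `canAccessApp()` calls `in_array($app, $this->scope['apps'])` without the strict flag on a list that comes from JSON-decoded token data, so a non-string element such as `true` matches every app name through loose comparison; it should read `in_array($app, $this->scope['apps'], true)`. Both checks also index the array directly: a scope without an `apps` key, or with an empty list, falls through to the `// no limit` branch and so fails open, while a scope without a `filesystem` key raises an undefined-index notice before denying. I would guard with `!empty($this->scope['apps'])` and `isset($this->scope['filesystem'])`, and state in a comment whether an empty `apps` list is meant as "no apps" or "all apps".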
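Review bot: Lockdown is now armed only by the `setToken($dbToken)` call added in the second Session.php hunk, so any app-password login that does not pass through that function would run with the token's scope unenforced. The first hunk drops both the `setToken()` call in the `$isTokenPassword` branch and the unconditional `enable()`, and both functions extend beyond their hunks, so whether every token path reaches the new call cannot be confirmed from here and should be checked. A short comment at the new line, such as `// apply the token scope before postLogin listeners run`, would record why it sits ahead of the `emit`.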
@@ -25,7 +25,7 @@ // We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades // between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel // when updating major/minor version number. -$OC_Version = array(11, 0, 0, 0); +$OC_Version = array(11, 0, 0, 1); // The human readable string $OC_VersionString = '11.0 alpha'; |