public function updateCollaboratorPermission(IShareable $object, AbstractEyeosPrincipal $collaborator, IPermission $permission) { try { if ($object->getId() === null) { throw new EyeNullPointerException('$object ID cannot be null.'); } $handlerClassName = null; foreach (self::getAllShareableObjectsHandlers() as $handler) { if ($handler->checkType($object)) { $handlerClassName = get_class($handler); break; } } if ($handlerClassName === null) { throw new EyeHandlerNotFoundException('Unable to find a ShareableObjectHandler for object of class ' . get_class($object) . '.'); } $owner = $object->getShareOwner(); SecurityManager::getInstance()->checkPermission($object, new SharePermission(array('updatecollaborator'), $collaborator)); //prepare query array $shareInfoQuery = array(self::SHAREINFO_KEY_OWNERID => $owner->getId(), self::SHAREINFO_KEY_SHAREABLEID => $object->getId(), self::SHAREINFO_KEY_COLLABORATORID => $collaborator->getId(), self::SHAREINFO_KEY_PERMISSIONACTIONS => $permission->getActionsAsString(), self::SHAREINFO_KEY_HANDLERCLASSNAME => $handlerClassName); $this->getProvider()->updateShareInfo($owner, $shareInfoQuery); // TODO: we could also add the ShareInfo object containing the old permission as a // "related source" of the event $event = new SharingEvent(new BasicShareInfo($owner, $object, $collaborator, $permission, $handlerClassName)); foreach ($this->listeners as $listener) { $listener->collaboratorPermissionUpdated($event); } } catch (Exception $e) { self::$Logger->warn('Unable to update collaborator ' . $collaborator->getName() . ' permissions for object of class ' . get_class($object) . '.'); if (self::$Logger->isDebugEnabled()) { self::$Logger->debug(ExceptionStackUtil::getStackTrace($e, false)); } throw $e; } }
/** * TODO * * @param mixed $object * @param IPermission $permission * @param LoginContext $context * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise. * * @throws EyeInvalidArgumentException * @throws EyeUnexpectedValueException * @throws EyeAccessControlException */ public function checkPermission($object, IPermission $permission, LoginContext $context) { if (!$object instanceof IFile) { throw new EyeInvalidArgumentException('$object must be an IFile.'); } if ($object instanceof EyeUserFile) { $name = $object->getName(); if ($name == '.htaccess') { throw new EyeAccessControlException('You cannot access that kind of file (.HTACCESS).'); } if ('' == $name) { throw new EyeAccessControlException('Empty filename not allowed'); } if (strstr($name, '?')) { throw new EyeAccessControlException('Invalid character ? on filename'); } if (strstr($name, '#')) { throw new EyeAccessControlException('Invalid character # on filename'); } if (strstr($name, '&')) { throw new EyeAccessControlException('Invalid character & on filename'); } if (strstr($name, '<')) { throw new EyeAccessControlException('Invalid character < on filename'); } if (strstr($name, '>')) { throw new EyeAccessControlException('Invalid character > on filename'); } } // If the target file does not exist or we are requesting a deletion permission, // we must check write permissions on the parent folder, to know whether the current // user is allowed or not to manipulate files within it. if (!$object->exists() || in_array('delete', $permission->getActions())) { $parentFolder = $object->getParentFile(); if (!$parentFolder->equals($object)) { $parentFolder->checkWritePermission(); return true; } } try { $eyeosUser = $context->getEyeosUser(); } catch (EyeNullPointerException $e) { $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.'); return false; } $objectPermissions = $object->getPermissions(true); if (!is_int($objectPermissions)) { $this->failureException = new EyeHandlerFailureException('"' . $objectPermissions . '" is not a valid octal UNIX permission for file ' . $object->getPath() . '.'); return false; } try { $owner = UMManager::getInstance()->getUserByName($object->getOwner()); } catch (EyeNoSuchUserException $e) { //This is a workaround: when the owner of a workgroup file not longer exist //we have to set a new owner for that file, otherwise we have an exception //when we try to access to load owner informations. if (get_class($object) == 'EyeWorkgroupFile') { $object->fixOwner(); $owner = UMManager::getInstance()->getUserByName($object->getOwner()); } else { throw $e; } } $group = UMManager::getInstance()->getGroupByName($object->getGroup()); $accessGranted = false; $actionText = ''; foreach ($permission->getActions() as $action) { if ($action == 'admin') { if ($eyeosUser->getName() != $object->getOwner()) { throw new EyeAccessControlException('Only the owner ' . $object->getOwner() . ' has admin rights for file ' . $object->getPath() . '.'); } continue; } else { if ($action == 'read') { $ref = 0400; $actionText = 'Read'; } else { if ($action == 'write') { $ref = 0200; $actionText = 'Write'; } else { if ($action == 'execute') { $ref = 0100; $actionText = 'Execution'; } else { // the given action is not supported by this handler $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '. Wrong configuration?'); return false; } } } } //owner if ($eyeosUser->getId() == $owner->getId()) { if ($ref & $objectPermissions) { $accessGranted = true; continue; } else { throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).'); } } else { $ref = $ref >> 3; //group if ($context->getSubject()->getPrincipals()->contains($group)) { if ($ref & $objectPermissions) { $accessGranted = true; continue; } else { throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).'); } } else { $ref = $ref >> 3; //others if ($ref & $objectPermissions) { $accessGranted = true; continue; } else { throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for file ' . $object->getPath() . ' (insufficient permissions).'); } } } } if (self::$Logger->isInfoEnabled()) { self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on file ' . $object->getPath() . '.'); } return true; }
/** * TODO * * @param mixed $object * @param IPermission $permission * @param LoginContext $context * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise. * * @throws EyeInvalidArgumentException * @throws EyeUnexpectedValueException * @throws EyeAccessControlException */ public function checkPermission($object, IPermission $permission, LoginContext $context) { if (!$object instanceof IShareable) { throw new EyeInvalidArgumentException('$object must be an IShareable.'); } if ($object->getId(false) === null) { $this->failureException = new EyeHandlerFailureException('$object has no ID and though is probably not currently shared.'); return false; } try { $eyeosUser = $context->getEyeosUser(); } catch (EyeNullPointerException $e) { $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.'); return false; } // General sharing actions (addCollaborator, removeCollaborator, updateCollaborator) $actions = $permission->getActions(); if (in_array('addcollaborator', $actions) || in_array('removecollaborator', $actions) || in_array('updatecollaborator', $actions)) { // currently, only the owner can perform those actions if ($eyeosUser->getId() != $object->getShareOwner()->getId()) { self::$Logger->info('Access denied to non-owner user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.'); throw new EyeAccessControlException('Only the owner of the object can perform that kind of actions (' . $permission->getActionsAsString() . ').'); } self::$Logger->debug('Access granted to owner ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on object ' . $object->getId() . '.'); return true; } // Object-dependant sharing actions try { $shareInfos = SharingManager::getInstance()->getAllShareInfo($object); } catch (Exception $e) { $logger = Logger::getLogger('system.services.Security.ShareableObjectSecurityHandler'); $logger->warn('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false)); if ($logger->isDebugEnabled()) { $logger->debug(ExceptionStackUtil::getStackTrace($e, false)); } else { $logger->warn('Exception message: ' . $e->getMessage()); } $this->failureException = new EyeHandlerFailureException('Cannot retrieve shareinfo on object with ID: ' . $object->getId(false) . ': ' . $e->getMessage()); return false; } foreach ($shareInfos as $shareInfo) { $collaborator = $shareInfo->getCollaborator(); //$collaborator is a group if ($collaborator instanceof IGroup) { // "is the subject in the current login context representative of the group collaborator?" if (in_array($collaborator, $context->getSubject()->getPrincipals())) { if ($shareInfo->getPermissions()->implies($permission)) { return true; } else { throw new EyeAccessControlException('$object permission actions (' . $shareInfo->getPermissions()->getActionsAsString() . ') ' . 'do not imply requested permission (' . $permission->getActionsAsString() . ') for collaborator ' . $eyeosUser->getName() . ''); } } } else { if ($shareInfo->getCollaborator()->getId() == $eyeosUser->getId()) { if ($shareInfo->getPermissions()->implies($permission)) { return true; } else { throw new EyeAccessControlException('$object permission actions (' . $shareInfo->getPermissions()->getActionsAsString() . ') ' . 'do not imply requested permission (' . $permission->getActionsAsString() . ') for collaborator ' . $eyeosUser->getName() . ''); } } } } // No matching collaborator found => this module is not applicable to the current check => set it as FAILED $this->failureException = new EyeHandlerFailureException('No matching collaborator found for object with ID ' . $object->getId(false) . '.'); return false; }
/** * TODO * * @param mixed $object * @param IPermission $permission * @param LoginContext $context * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise. * * @throws EyeInvalidArgumentException * @throws EyeAccessControlException */ public function checkPermission($object, IPermission $permission, LoginContext $context) { if (!$object instanceof AbstractEyeosWorkgroup && !$object instanceof EyeosUserWorkgroupAssignation) { throw new EyeInvalidArgumentException('$object must be an AbstractEyeosWorkgroup or an EyeosUserWorkgroupAssignation.'); } // $object is a Workgroup => check for actions: Create, Update, Delete if ($object instanceof AbstractEyeosWorkgroup) { $wgManagersGroups = UMManager::getInstance()->getGroupByName('wg-managers'); // The user must be member of the system group "wg-managers" if (!$context->getSubject()->getPrincipals()->contains($wgManagersGroups)) { throw new EyeAccessControlException('The specified action requires privileges of group "wg-managers".'); } // Update or Delete? Must be owner if (in_array('update', $permission->getActions()) || in_array('delete', $permission->getActions())) { try { $eyeosUser = $context->getEyeosUser(); } catch (EyeNullPointerException $e) { $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.'); return false; } if ($object->getOwnerId() != $eyeosUser->getId()) { throw new EyeAccessControlException('Only the owner of the workgroup can perform the requested action(s): ' . $permission->getActionsAsString() . '.'); } } return true; } else { try { $eyeosUser = $context->getEyeosUser(); } catch (EyeNullPointerException $e) { $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.'); return false; } try { $workgroup = UMManager::getInstance()->getWorkgroupById($object->getWorkgroupId()); } catch (EyeNoSuchWorkgroupException $e) { throw new EyeAccessControlException('Unknown workgroup with ID "' . $object->getWorkgroupId() . '".', 0, $e); } // Retrieve the role of the current user in the workgroup $currentUserAssignation = UMManager::getInstance()->getNewUserWorkgroupAssignationInstance(); $currentUserAssignation->setUserId($eyeosUser->getId()); $currentUserAssignation->setWorkgroupId($object->getWorkgroupId()); $currentUserAssignation = current(UMManager::getInstance()->getAllUserWorkgroupAssignations($currentUserAssignation)); foreach ($permission->getActions() as $action) { // Add to workgroup if ($action == 'addtoworkgroup') { // If the workgroup's privacy mode is OPEN if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_OPEN) { // If the current user is the one joining the workgroup if ($eyeosUser->getId() == $object->getUserId()) { // Check for illegal role if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot join a workgroup as owner or admin.'); } return true; } else { // If the current user is not a member, exit here if ($currentUserAssignation === false) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } // If the current user is the owner or an admin, he has the right to INVITE if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) { throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.'); } return true; } } else { if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONREQUEST) { // If the current user is the one joining the workgroup if ($eyeosUser->getId() == $object->getUserId()) { // Check for illegal role if ($object->getRole() === WorkgroupConstants::ROLE_OWNER && $workgroup->getOwnerId() != $object->getUserId() || $object->getRole() === WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ' as owner or admin.'); } // The status must be PENDING if ($workgroup->getOwnerId() != $object->getUserId() && $object->getStatus() !== WorkgroupConstants::STATUS_PENDING) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": can only apply for membership of workgroup ' . $workgroup->getName() . '.'); } return true; } else { // If the current user is not a member, exit here if ($currentUserAssignation === false) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } // If the current user is the owner or an admin, he has the right to INVITE if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) { throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.'); } return true; } } else { if ($workgroup->getPrivacyMode() === WorkgroupConstants::PRIVACY_ONINVITATION) { // If the current user is the one joining the workgroup if ($eyeosUser->getId() == $object->getUserId()) { // If the owner joins his workgroup (at creation), access granted if ($eyeosUser->getId() == $workgroup->getOwnerId()) { return true; } throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '": cannot apply for membership of workgroup ' . $workgroup->getName() . ', access is on invitation only.'); } else { // If the current user is not a member, exit here if ($currentUserAssignation === false) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } // If the current user is the owner or an admin, he has the right to INVITE if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } if ($object->getStatus() !== WorkgroupConstants::STATUS_INVITED) { throw new EyeAccessControlException('Access denied to admin of workgroup "' . $workgroup->getName() . '": can only invite a member into the workgroup.'); } return true; } } } } } else { if ($action == 'removefromworkgroup') { // If the current user is the one leaving the workgroup if ($eyeosUser->getId() == $object->getUserId()) { return true; } // if the user is not a member, exit here if ($currentUserAssignation === false) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } return true; } else { if ($action == 'update') { // if the user is not a member, exit here if ($currentUserAssignation === false) { throw new EyeAccessControlException('Access denied to non-member of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } // Current user is the one from the assignation $object, // and the transition is from "invited" to "member" => access granted if ($eyeosUser->getId() == $currentUserAssignation->getUserId() && $currentUserAssignation->getStatus() === WorkgroupConstants::STATUS_INVITED && $object->getStatus() === WorkgroupConstants::STATUS_MEMBER) { return true; } else { if ($currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_OWNER && $currentUserAssignation->getRole() !== WorkgroupConstants::ROLE_ADMIN) { throw new EyeAccessControlException('Access denied to non-admin of workgroup "' . $workgroup->getName() . '" for action(s): ' . $permission->getActionsAsString() . '.'); } return true; } } else { // Unknown action $this->failureException = new EyeHandlerFailureException('Unknown action specified: ' . $action); return false; } } } } } }
/** * TODO * * @param mixed $object * @param IPermission $permission * @param LoginContext $context * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise. * * @throws EyeInvalidArgumentException * @throws EyeUnexpectedValueException * @throws EyeAccessControlException */ public function checkPermission($object, IPermission $permission, LoginContext $context) { if (!$object instanceof EyeosApplicationDescriptor) { throw new EyeInvalidArgumentException('$object must be an EyeosApplicationDescriptor.'); } try { $eyeosUser = $context->getEyeosUser(); } catch (EyeNullPointerException $e) { $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.'); return false; } $meta = $object->getMeta(); if ($meta === null) { throw new EyeNullPointerException('$meta cannot be null.'); } $sysParams = $meta->get('eyeos.application.systemParameters'); // Extract owner, group and permissions from application's metadata try { $owner = UMManager::getInstance()->getUserByName($sysParams['owner']); } catch (EyeNoSuchPrincipalException $e) { $this->failureException = new EyeHandlerFailureException('Unknown owner "' . $owner . '".'); return false; } try { $group = UMManager::getInstance()->getGroupByName($sysParams['group']); } catch (EyeNoSuchPrincipalException $e) { $this->failureException = new EyeHandlerFailureException('Unknown group "' . $group . '".'); return false; } try { $perms = AdvancedPathLib::permsToOctal($sysParams['permissions']); } catch (Exception $e) { $this->failureException = new EyeHandlerFailureException('"' . $perms . '" is not a valid octal UNIX permission for application ' . $object->getName() . '.'); return false; } // Loop on actions (but here we currently know the action "execute" only) $accessGranted = false; $actionText = ''; foreach ($permission->getActions() as $action) { if ($action == 'execute') { $ref = 0100; $actionText = 'Execution'; } else { // the given action is not supported by this handler $this->failureException = new EyeHandlerFailureException('Unknown action received: ' . $action . '.'); return false; } //owner if ($eyeosUser->getId() == $owner->getId()) { if ($ref & $perms) { $accessGranted = true; continue; } else { throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).'); } } else { $ref = $ref >> 3; //group if ($context->getSubject()->getPrincipals()->contains($group)) { if ($ref & $perms) { $accessGranted = true; continue; } else { throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).'); } } else { $ref = $ref >> 3; //others if ($ref & $perms) { $accessGranted = true; continue; } else { throw new EyeAccessControlException($actionText . ' access denied to user ' . $eyeosUser->getName() . ' for application ' . $object->getName() . ' (insufficient permissions).'); } } } } if (self::$Logger->isInfoEnabled()) { self::$Logger->info('Access granted to user ' . $eyeosUser->getName() . ' for actions "' . $permission->getActionsAsString() . '" on application ' . $object->getName() . '.'); } return true; }
/** * TODO * * @param mixed $object * @param IPermission $permission * @param LoginContext $context * @return bool TRUE if the handler performed the permission check successfully, FALSE otherwise. * * @throws EyeInvalidArgumentException * @throws EyeUnexpectedValueException * @throws EyeAccessControlException */ public function checkPermission($object, IPermission $permission, LoginContext $context) { if (!$object instanceof EyeosPrincipalGroupAssignation) { throw new EyeInvalidArgumentException('$object must be a EyeosPrincipalGroupAssignation.'); } try { $eyeosUser = $context->getEyeosUser(); } catch (EyeNullPointerException $e) { $this->failureException = new EyeHandlerFailureException('No eyeos user found in login context.'); return false; } try { $principal = UMManager::getInstance()->getPrincipalById($object->getPrincipalId()); } catch (EyeNoSuchPrincipalException $e) { $actions = $permission->getActions(); if (in_array('removefromgroup', $actions)) { // The principal we want to remove from the group is not found // => we can delete assignation safely, whoever we are return true; } } $group = UMManager::getInstance()->getPrincipalById($object->getGroupId()); // Special processing for workgroup/master group assignations if ($principal instanceof IWorkgroup) { foreach ($permission->getActions() as $action) { switch ($action) { case 'addtogroup': if (!$context->getSubject()->getPrincipals()->contains($group)) { throw new EyeAccessControlException('Cannot add workgroup "' . $principal->getName() . '" to group ' . $group->getName() . ': insufficient permissions.)'); } break; case 'removefromgroup': if ($principal->getOwnerId() != $eyeosUser->getId()) { throw new EyeAccessControlException('Cannot remove workgroup "' . $principal->getName() . '" from group ' . $group->getName() . ': insufficient permissions.)'); } break; } } return true; } throw new EyeAccessControlException('Access denied to UM assignation (actions: ' . $permission->getActionsAsString() . ')'); }