/**
* This runs all the security checks before a method call. The
* security checks are determined by inspecting the controller method
* annotations
* @param string/Controller $controller the controllername or string
* @param string $methodName the name of the method
* @throws AmpacheException when a security check fails
*/
public function beforeController($controller, $methodName)
{
// get annotations from comments
$annotationReader = new MethodAnnotationReader($controller, $methodName);
$this->isAmpacheCall = $annotationReader->hasAnnotation('AmpacheAPI');
// don't try to authenticate for the handshake request
if ($this->isAmpacheCall && $this->request['action'] !== 'handshake') {
$token = $this->request['auth'];
if ($token !== null && $token !== '') {
$user = $this->mapper->find($token);
if ($user !== false && array_key_exists('user_id', $user)) {
// setup the filesystem for the user - actual login isn't really needed
\OC_Util::setupFS($user['user_id']);
$this->ampacheUser->setUserId($user['user_id']);
return;
}
} else {
// for ping action without token the version information is provided
if ($this->request['action'] === 'ping') {
return;
}
}
throw new AmpacheException('Invalid Login', 401);
}
}
/**
* Checks if a controllermethod has the expected annotations
* @param Controller/string $controller name or instance of the controller
* @param array $expected an array containing the expected annotations
* @param array $valid if you define your own annotations, pass them here
*/
protected function assertAnnotations($controller, $method, array $expected, array $valid = array())
{
$standard = array('Ajax', 'CSRFExemption', 'IsAdminExemption', 'IsSubAdminExemption', 'IsLoggedInExemption', 'API');
$possible = array_merge($standard, $valid);
// check if expected annotations are valid
foreach ($expected as $annotation) {
$this->assertTrue(in_array($annotation, $possible));
}
$reader = new MethodAnnotationReader($controller, $method);
foreach ($expected as $annotation) {
$this->assertTrue($reader->hasAnnotation($annotation));
}
}
/**
* Checks if a controllermethod has the expected annotations
* @param Controller/string $controller name or instance of the controller
* @param array $expected an array containing the expected annotations
* @param array $valid if you define your own annotations, pass them here
*/
protected function assertAnnotations($controller, $method, array $expected, array $valid = array())
{
$standard = array('PublicPage', 'NoAdminRequired', 'NoCSRFRequired', 'API');
$possible = array_merge($standard, $valid);
// check if expected annotations are valid
foreach ($expected as $annotation) {
$this->assertTrue(in_array($annotation, $possible));
}
$reader = new MethodAnnotationReader($controller, $method);
foreach ($expected as $annotation) {
$this->assertTrue($reader->hasAnnotation($annotation));
}
}
/**
* This runs all the security checks before a method call. The
* security checks are determined by inspecting the controller method
* annotations
* @param string/Controller $controller the controllername or string
* @param string $methodName the name of the method
* @throws SecurityException when a security check fails
*/
public function beforeController($controller, $methodName)
{
// get annotations from comments
$annotationReader = new MethodAnnotationReader($controller, $methodName);
// this will set the current navigation entry of the app, use this only
// for normal HTML requests and not for AJAX requests
if (!$annotationReader->hasAnnotation('Ajax')) {
$this->api->activateNavigationEntry();
$ajax = false;
} else {
$ajax = true;
}
$this->isAPICall = $annotationReader->hasAnnotation('API');
// security checks
if (!$annotationReader->hasAnnotation('IsLoggedInExemption')) {
if (!$this->api->isLoggedIn()) {
throw new SecurityException('Current user is not logged in', $ajax, Http::STATUS_UNAUTHORIZED);
}
}
if (!$annotationReader->hasAnnotation('IsAdminExemption')) {
if (!$this->api->isAdminUser($this->api->getUserId())) {
throw new SecurityException('Logged in user must be an admin', $ajax, Http::STATUS_FORBIDDEN);
}
}
if (!$annotationReader->hasAnnotation('IsSubAdminExemption')) {
if (!$this->api->isSubAdminUser($this->api->getUserId())) {
throw new SecurityException('Logged in user must be a subadmin', $ajax, Http::STATUS_FORBIDDEN);
}
}
if (!$annotationReader->hasAnnotation('CSRFExemption')) {
if (!$this->api->passesCSRFCheck()) {
throw new SecurityException('CSRF check failed', $ajax, Http::STATUS_PRECONDITION_FAILED);
}
}
}
