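 /**
  * Runs the security checks before a controller method is called. The
  * checks are determined by inspecting the controller method annotations:
  * a method tagged with the AmpacheAPI annotation must present a valid
  * auth token, except for the 'handshake' action (no session exists yet)
  * and the 'ping' action (which only reports version information).
  *
  * Request parameters are read with isset() so that a missing 'auth' or
  * 'action' key counts as "not provided" instead of raising an undefined
  * index notice, and the token is only looked up when it is a non-empty
  * string (the request array may carry other types for a crafted input).
  *
  * @param string/Controller $controller the controllername or string
  * @param string $methodName the name of the method
  * @throws AmpacheException with code 401 when the token is missing or
  *         does not resolve to a user record carrying a user_id
  */
 public function beforeController($controller, $methodName)
 {
     // get annotations from comments
     $annotationReader = new MethodAnnotationReader($controller, $methodName);
     $this->isAmpacheCall = $annotationReader->hasAnnotation('AmpacheAPI');

     if (!$this->isAmpacheCall) {
         return;
     }

     // missing keys must not raise an "undefined index" notice
     $action = isset($this->request['action']) ? $this->request['action'] : null;
     $token = isset($this->request['auth']) ? $this->request['auth'] : null;

     // don't try to authenticate for the handshake request
     if ($action === 'handshake') {
         return;
     }

     if (is_string($token) && $token !== '') {
         $user = $this->mapper->find($token);
         if ($user !== false && array_key_exists('user_id', $user)) {
             // setup the filesystem for the user - actual login isn't really needed
             \OC_Util::setupFS($user['user_id']);
             $this->ampacheUser->setUserId($user['user_id']);
             return;
         }
     } elseif ($action === 'ping') {
         // for ping action without token the version information is provided
         return;
     }

     throw new AmpacheException('Invalid Login', 401);
 }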
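 /**
  * Asserts that a controller method carries the expected annotations.
  * Each expected annotation is first checked against the known set (the
  * standard ones plus $valid) so that a typo in a test fails loudly
  * instead of silently passing, then looked up on the method itself.
  * @param Controller/string $controller name or instance of the controller
  * @param string $method name of the controller method to inspect
  * @param array $expected an array containing the expected annotations
  * @param array $valid if you define your own annotations, pass them here
  */
 protected function assertAnnotations($controller, $method, array $expected, array $valid = array())
 {
     $standard = array('Ajax', 'CSRFExemption', 'IsAdminExemption', 'IsSubAdminExemption', 'IsLoggedInExemption', 'API');
     $possible = array_merge($standard, $valid);

     // check if expected annotations are valid; strict comparison so that
     // only an exact string match counts
     foreach ($expected as $annotation) {
         $this->assertTrue(
             in_array($annotation, $possible, true),
             'Unknown annotation "' . $annotation . '" - pass custom annotations via $valid'
         );
     }

     $reader = new MethodAnnotationReader($controller, $method);
     foreach ($expected as $annotation) {
         $this->assertTrue(
             $reader->hasAnnotation($annotation),
             'Annotation "' . $annotation . '" is missing on method ' . $method
         );
     }
 }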
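 /**
  * Asserts that a controller method carries the expected annotations.
  * Each expected annotation is first checked against the known set (the
  * standard ones plus $valid) so that a typo in a test fails loudly
  * instead of silently passing, then looked up on the method itself.
  * @param Controller/string $controller name or instance of the controller
  * @param string $method name of the controller method to inspect
  * @param array $expected an array containing the expected annotations
  * @param array $valid if you define your own annotations, pass them here
  */
 protected function assertAnnotations($controller, $method, array $expected, array $valid = array())
 {
     $standard = array('PublicPage', 'NoAdminRequired', 'NoCSRFRequired', 'API');
     $possible = array_merge($standard, $valid);

     // check if expected annotations are valid; strict comparison so that
     // only an exact string match counts
     foreach ($expected as $annotation) {
         $this->assertTrue(
             in_array($annotation, $possible, true),
             'Unknown annotation "' . $annotation . '" - pass custom annotations via $valid'
         );
     }

     $reader = new MethodAnnotationReader($controller, $method);
     foreach ($expected as $annotation) {
         $this->assertTrue(
             $reader->hasAnnotation($annotation),
             'Annotation "' . $annotation . '" is missing on method ' . $method
         );
     }
 }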
 /**
  * Runs every security check before a controller method is invoked. Which
  * checks apply is decided by the annotations on the controller method:
  * each *Exemption annotation switches the corresponding check off, so a
  * method with no annotations gets the full set (logged in, admin,
  * subadmin, CSRF).
  * @param string/Controller $controller the controllername or string
  * @param string $methodName the name of the method
  * @throws SecurityException when a security check fails
  */
 public function beforeController($controller, $methodName)
 {
     // get annotations from comments
     $reader = new MethodAnnotationReader($controller, $methodName);

     // this will set the current navigation entry of the app, use this only
     // for normal HTML requests and not for AJAX requests
     $isAjax = $reader->hasAnnotation('Ajax');
     if (!$isAjax) {
         $this->api->activateNavigationEntry();
     }

     $this->isAPICall = $reader->hasAnnotation('API');

     // security checks, evaluated in order: session, admin, subadmin, CSRF
     $loginRequired = !$reader->hasAnnotation('IsLoggedInExemption');
     if ($loginRequired && !$this->api->isLoggedIn()) {
         throw new SecurityException('Current user is not logged in', $isAjax, Http::STATUS_UNAUTHORIZED);
     }

     $adminRequired = !$reader->hasAnnotation('IsAdminExemption');
     if ($adminRequired && !$this->api->isAdminUser($this->api->getUserId())) {
         throw new SecurityException('Logged in user must be an admin', $isAjax, Http::STATUS_FORBIDDEN);
     }

     $subAdminRequired = !$reader->hasAnnotation('IsSubAdminExemption');
     if ($subAdminRequired && !$this->api->isSubAdminUser($this->api->getUserId())) {
         throw new SecurityException('Logged in user must be a subadmin', $isAjax, Http::STATUS_FORBIDDEN);
     }

     $csrfRequired = !$reader->hasAnnotation('CSRFExemption');
     if ($csrfRequired && !$this->api->passesCSRFCheck()) {
         throw new SecurityException('CSRF check failed', $isAjax, Http::STATUS_PRECONDITION_FAILED);
     }
 }