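/**
 * Runs the security checks for an Ampache API call before the controller
 * method is invoked. Whether a request is an Ampache call at all is decided
 * by the 'AmpacheAPI' annotation on the controller method.
 *
 * Rules visible in this method:
 *  - the 'handshake' action is deliberately not authenticated (it is the
 *    request that hands out a token in the first place)
 *  - 'ping' without an auth token is let through so version information can
 *    be served; 'ping' WITH a token is validated like any other action and
 *    rejected when the token is unknown
 *  - every other action needs an 'auth' token that $this->mapper->find()
 *    resolves to a record containing 'user_id'
 *
 * NOTE(review): whether find() also enforces token expiry is not visible
 * here — confirm in the mapper, otherwise a leaked token stays valid forever.
 *
 * @param string/Controller $controller the controllername or string
 * @param string $methodName the name of the method
 * @throws AmpacheException when a security check fails
 */
public function beforeController($controller, $methodName) {
    // get annotations from comments
    $annotationReader = new MethodAnnotationReader($controller, $methodName);
    $this->isAmpacheCall = $annotationReader->hasAnnotation('AmpacheAPI');

    if (!$this->isAmpacheCall) {
        return;
    }

    // Both keys are request-controlled and may be absent. Read them through
    // isset() so a missing key yields null instead of an "undefined index"
    // notice (which, under a notice-to-exception error handler, would turn
    // the intended 401 into a 500).
    $action = isset($this->request['action']) ? $this->request['action'] : null;
    $token = isset($this->request['auth']) ? $this->request['auth'] : null;

    // don't try to authenticate for the handshake request
    if ($action === 'handshake') {
        return;
    }

    if ($token !== null && $token !== '') {
        $user = $this->mapper->find($token);
        if ($user !== false && array_key_exists('user_id', $user)) {
            // setup the filesystem for the user - actual login isn't really needed
            \OC_Util::setupFS($user['user_id']);
            $this->ampacheUser->setUserId($user['user_id']);
            return;
        }
    } else {
        // for ping action without token the version information is provided
        if ($action === 'ping') {
            return;
        }
    }

    // unknown/empty token, or a token-less request for anything but ping
    throw new AmpacheException('Invalid Login', 401);
}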
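/**
 * Asserts that a controller method carries every annotation in $expected.
 *
 * Each expected annotation must first be a known one — the standard set
 * below plus whatever the caller passes in $valid — so a misspelled name in
 * a test fails here instead of silently asserting against an annotation the
 * security middleware never looks for.
 *
 * @param Controller/string $controller name or instance of the controller
 * @param string $method name of the controller method to inspect
 * @param array $expected an array containing the expected annotations
 * @param array $valid if you define your own annotations, pass them here
 */
protected function assertAnnotations($controller, $method, array $expected, array $valid = array()) {
    $standard = array('Ajax', 'CSRFExemption', 'IsAdminExemption',
        'IsSubAdminExemption', 'IsLoggedInExemption', 'API');
    $possible = array_merge($standard, $valid);

    // check if expected annotations are valid; strict comparison so that a
    // non-string entry (0, true, null) cannot loosely match a name
    foreach ($expected as $annotation) {
        $this->assertTrue(in_array($annotation, $possible, true));
    }

    $reader = new MethodAnnotationReader($controller, $method);
    foreach ($expected as $annotation) {
        $this->assertTrue($reader->hasAnnotation($annotation));
    }
}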
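/**
 * Asserts that a controller method carries every annotation in $expected.
 *
 * Each expected annotation must first be a known one — the standard set
 * below plus whatever the caller passes in $valid — so a misspelled name in
 * a test fails here instead of silently asserting against an annotation the
 * security middleware never looks for.
 *
 * @param Controller/string $controller name or instance of the controller
 * @param string $method name of the controller method to inspect
 * @param array $expected an array containing the expected annotations
 * @param array $valid if you define your own annotations, pass them here
 */
protected function assertAnnotations($controller, $method, array $expected, array $valid = array()) {
    $standard = array('PublicPage', 'NoAdminRequired', 'NoCSRFRequired', 'API');
    $possible = array_merge($standard, $valid);

    // check if expected annotations are valid; strict comparison so that a
    // non-string entry (0, true, null) cannot loosely match a name
    foreach ($expected as $annotation) {
        $this->assertTrue(in_array($annotation, $possible, true));
    }

    $reader = new MethodAnnotationReader($controller, $method);
    foreach ($expected as $annotation) {
        $this->assertTrue($reader->hasAnnotation($annotation));
    }
}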
/**
 * Runs the security checks for a controller method before it is called.
 * Which checks apply is decided by the method's annotations, and the design
 * is deny-by-default: a method is only reachable without login / admin /
 * subadmin / CSRF token if it carries the matching *Exemption annotation.
 *
 * Checks run in this order; the first failure throws:
 *   1. logged in      (skipped by 'IsLoggedInExemption')  -> 401
 *   2. admin user     (skipped by 'IsAdminExemption')     -> 403
 *   3. subadmin user  (skipped by 'IsSubAdminExemption')  -> 403
 *   4. CSRF check     (skipped by 'CSRFExemption')        -> 412
 *
 * NOTE(review): steps 2 and 3 call getUserId() even when step 1 was skipped
 * via IsLoggedInExemption; what isAdminUser()/isSubAdminUser() do with an
 * empty id is not visible here — confirm they return false.
 *
 * @param string/Controller $controller the controllername or string
 * @param string $methodName the name of the method
 * @throws SecurityException when a security check fails
 */
public function beforeController($controller, $methodName) {
    $reader = new MethodAnnotationReader($controller, $methodName);

    // A plain HTML request also selects the app's navigation entry; an AJAX
    // request does not. The flag is handed to every SecurityException below.
    $isAjax = $reader->hasAnnotation('Ajax');
    if (!$isAjax) {
        $this->api->activateNavigationEntry();
    }

    $this->isAPICall = $reader->hasAnnotation('API');

    $loginRequired = !$reader->hasAnnotation('IsLoggedInExemption');
    if ($loginRequired && !$this->api->isLoggedIn()) {
        throw new SecurityException('Current user is not logged in', $isAjax, Http::STATUS_UNAUTHORIZED);
    }

    $adminRequired = !$reader->hasAnnotation('IsAdminExemption');
    if ($adminRequired && !$this->api->isAdminUser($this->api->getUserId())) {
        throw new SecurityException('Logged in user must be an admin', $isAjax, Http::STATUS_FORBIDDEN);
    }

    $subAdminRequired = !$reader->hasAnnotation('IsSubAdminExemption');
    if ($subAdminRequired && !$this->api->isSubAdminUser($this->api->getUserId())) {
        throw new SecurityException('Logged in user must be a subadmin', $isAjax, Http::STATUS_FORBIDDEN);
    }

    $csrfRequired = !$reader->hasAnnotation('CSRFExemption');
    if ($csrfRequired && !$this->api->passesCSRFCheck()) {
        throw new SecurityException('CSRF check failed', $isAjax, Http::STATUS_PRECONDITION_FAILED);
    }
}