Extend authorization framework to cover login and API use

I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover
Web login and API use. This will make it possible to prevent login and API use by users.

I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using
Profile::hasRight() when initializing users. If the rights check fails, I throw an exception.

I created a new AuthorizationException class for this particular
exception, in order to allow a different UI for these kinds of exceptions (or whatever).

diff --git a/classes/Profile.php b/classes/Profile.php
index bdac3ba453aa6e09dfd1e247aff7b98b30a1ac71..397b96bbc18c3850a2d7a4ea2eed20f71b1705cc 100644 (file)
--- a/classes/Profile.php
+++ b/classes/Profile.php
@@ -865,6 +865,12 @@ class Profile extends Memcached_DataObject
             case Right::EMAILONFAVE:
                 $result = !$this->isSandboxed();
                 break;
+            case Right::WEBLOGIN:
+                $result = !$this->isSilenced();
+                break;
+            case Right::API:
+                $result = !$this->isSilenced();
+                break;
             case Right::BACKUPACCOUNT:
                 $result = common_config('profile', 'backup');
                 break;

diff --git a/lib/apiauth.php b/lib/apiauth.php
index 0cc184c04c678e3ee1183fc53326d390db8a9e12..8a1af8c27d3d9048f73aa74a082cb26162263516 100644 (file)
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction
 
                     // Set the auth user
                     if (Event::handle('StartSetApiUser', array(&$user))) {
-                        $this->auth_user = User::staticGet('id', $appUser->profile_id);
+                        $user = User::staticGet('id', $appUser->profile_id);
+                        if (!empty($user)) {
+                            if (!$user->hasRight(Right::API)) {
+                                throw new AuthorizationException(_('Not allowed to use API.'));
+                            }
+                        }
+                        $this->auth_user = $user;
                         Event::handle('EndSetApiUser', array($user));
                     }
 
@@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction
             if (Event::handle('StartSetApiUser', array(&$user))) {
 
                 if (!empty($user)) {
+                    if (!$user->hasRight(Right::API)) {
+                        throw new AuthorizationException(_('Not allowed to use API.'));
+                    }
                     $this->auth_user = $user;
                 }
 

diff --git a/lib/authorizationexception.php b/lib/authorizationexception.php
new file mode 100644 (file)
index 0000000..a9576e3
--- /dev/null
+++ b/lib/authorizationexception.php
@@ -0,0 +1,59 @@
+<?php
+/**
+ * StatusNet - the distributed open-source microblogging tool
+ * Copyright (C) 2011, StatusNet, Inc.
+ *
+ * An exception for authorization errors
+ * 
+ * PHP version 5
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @category  Exception
+ * @package   StatusNet
+ * @author    Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet, Inc.
+ * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
+ * @link      http://status.net/
+ */
+
+if (!defined('STATUSNET')) {
+    // This check helps protect against security problems;
+    // your code file can't be executed directly from the web.
+    exit(1);
+}
+
+/**
+ * An exception for authorization issues
+ *
+ * @category  Exception
+ * @package   StatusNet
+ * @author    Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet, Inc.
+ * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
+ * @link      http://status.net/
+ */
+
+class AuthorizationException extends ClientException
+{
+    /**
+     * Constructor
+     *
+     * @param string $message Message for the exception
+     */
+    public function __construct($message=null)
+    {
+        parent::__construct($message, 403);
+    }
+}

diff --git a/lib/right.php b/lib/right.php
index d144b21ae98469595f24c84ffc8dff47ae9e66f3..baa18d3c13606b011cc6ea96e6b924065bccb0e0 100644 (file)
--- a/lib/right.php
+++ b/lib/right.php
@@ -66,5 +66,7 @@ class Right
     const DELETEACCOUNT      = 'deleteaccount';
     const MOVEACCOUNT        = 'moveaccount';
     const CREATEGROUP        = 'creategroup';
+    const WEBLOGIN           = 'weblogin';
+    const API                = 'api';
 }
 

diff --git a/lib/util.php b/lib/util.php
index 85f49e4c59f40c57ae2b74c54fffd76a48dcf064..1e73ff9ac9b0c1428ef2c0b25d444476c54d5b05 100644 (file)
--- a/lib/util.php
+++ b/lib/util.php
@@ -300,7 +300,10 @@ function common_set_user($user)
 
     if ($user) {
         if (Event::handle('StartSetUser', array(&$user))) {
-            if($user){
+            if (!empty($user)) {
+                if (!$user->hasRight(Right::WEBLOGIN)) {
+                    throw new AuthorizationException(_('Not allowed to log in.'));
+                }
                 common_ensure_session();
                 $_SESSION['userid'] = $user->id;
                 $_cur = $user;