From: Evan Prodromou Date: Mon, 21 Feb 2011 15:20:42 +0000 (-0500) Subject: Extend authorization framework to cover login and API use X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=1525acdca197b598e20c6c4a5636a5cc24b89b32;p=quix0rs-gnu-social.git Extend authorization framework to cover login and API use I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover Web login and API use. This will make it possible to prevent login and API use by users. I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using Profile::hasRight() when initializing users. If the rights check fails, I throw an exception. I created a new AuthorizationException class for this particular exception, in order to allow a different UI for these kinds of exceptions (or whatever). --- diff --git a/classes/Profile.php b/classes/Profile.php index bdac3ba453..397b96bbc1 100644 --- a/classes/Profile.php +++ b/classes/Profile.php @@ -865,6 +865,12 @@ class Profile extends Memcached_DataObject case Right::EMAILONFAVE: $result = !$this->isSandboxed(); break; + case Right::WEBLOGIN: + $result = !$this->isSilenced(); + break; + case Right::API: + $result = !$this->isSilenced(); + break; case Right::BACKUPACCOUNT: $result = common_config('profile', 'backup'); break; diff --git a/lib/apiauth.php b/lib/apiauth.php index 0cc184c04c..8a1af8c27d 100644 --- a/lib/apiauth.php +++ b/lib/apiauth.php @@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction // Set the auth user if (Event::handle('StartSetApiUser', array(&$user))) { - $this->auth_user = User::staticGet('id', $appUser->profile_id); + $user = User::staticGet('id', $appUser->profile_id); + if (!empty($user)) { + if (!$user->hasRight(Right::API)) { + throw new AuthorizationException(_('Not allowed to use API.')); + } + } + $this->auth_user = $user; Event::handle('EndSetApiUser', array($user)); } @@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction if (Event::handle('StartSetApiUser', array(&$user))) { if (!empty($user)) { + if (!$user->hasRight(Right::API)) { + throw new AuthorizationException(_('Not allowed to use API.')); + } $this->auth_user = $user; } diff --git a/lib/authorizationexception.php b/lib/authorizationexception.php new file mode 100644 index 0000000000..a9576e3a70 --- /dev/null +++ b/lib/authorizationexception.php @@ -0,0 +1,59 @@ +. + * + * @category Exception + * @package StatusNet + * @author Evan Prodromou + * @copyright 2011 StatusNet, Inc. + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 + * @link http://status.net/ + */ + +if (!defined('STATUSNET')) { + // This check helps protect against security problems; + // your code file can't be executed directly from the web. + exit(1); +} + +/** + * An exception for authorization issues + * + * @category Exception + * @package StatusNet + * @author Evan Prodromou + * @copyright 2011 StatusNet, Inc. + * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0 + * @link http://status.net/ + */ + +class AuthorizationException extends ClientException +{ + /** + * Constructor + * + * @param string $message Message for the exception + */ + public function __construct($message=null) + { + parent::__construct($message, 403); + } +} diff --git a/lib/right.php b/lib/right.php index d144b21ae9..baa18d3c13 100644 --- a/lib/right.php +++ b/lib/right.php @@ -66,5 +66,7 @@ class Right const DELETEACCOUNT = 'deleteaccount'; const MOVEACCOUNT = 'moveaccount'; const CREATEGROUP = 'creategroup'; + const WEBLOGIN = 'weblogin'; + const API = 'api'; } diff --git a/lib/util.php b/lib/util.php index 85f49e4c59..1e73ff9ac9 100644 --- a/lib/util.php +++ b/lib/util.php @@ -300,7 +300,10 @@ function common_set_user($user) if ($user) { if (Event::handle('StartSetUser', array(&$user))) { - if($user){ + if (!empty($user)) { + if (!$user->hasRight(Right::WEBLOGIN)) { + throw new AuthorizationException(_('Not allowed to log in.')); + } common_ensure_session(); $_SESSION['userid'] = $user->id; $_cur = $user;