read lockdown scope from token

Signed-off-by: Robin Appelman <icewind@owncloud.com>
8 years ago · 2389e0f250
parent b56f2c9ed0
commit 2389e0f250
7 changed files with 46 additions and 11 deletions
--- a/db_structure.xml
+++ b/db_structure.xml
@ -1152,6 +1152,13 @@
 				<length>4</length>
 			</field>

+			<field>
+				<name>scope</name>
+				<type>clob</type>
+				<default></default>
+				<notnull>false</notnull>
+			</field>
+
 			<index>
 				<name>authtoken_token_index</name>
 				<unique>true</unique>
--- a/lib/private/Authentication/Token/DefaultToken.php
+++ b/lib/private/Authentication/Token/DefaultToken.php
@ -87,6 +87,11 @@ class DefaultToken extends Entity implements IToken {
 	 */
 	protected $lastCheck;

+	/**
+	 * @var string
+	 */
+	protected $scope;
+
 	public function getId() {
 		return $this->id;
 	}
@ -119,6 +124,7 @@ class DefaultToken extends Entity implements IToken {
 			'name' => $this->name,
 			'lastActivity' => $this->lastActivity,
 			'type' => $this->type,
+			'scope' => $this->getScope()
 		];
 	}

@ -140,4 +146,11 @@ class DefaultToken extends Entity implements IToken {
 		return parent::setLastCheck($time);
 	}

+	public function getScope() {
+		return json_decode(parent::getScope(), true);
+	}
+
+	public function setScope($scope) {
+		return parent::setScope(json_encode($scope));
+	}
 }
--- a/lib/private/Authentication/Token/DefaultTokenMapper.php
+++ b/lib/private/Authentication/Token/DefaultTokenMapper.php
@ -72,7 +72,7 @@ class DefaultTokenMapper extends Mapper {
 	public function getToken($token) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
+		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
 			->from('authtoken')
 			->where($qb->expr()->eq('token', $qb->createParameter('token')))
 			->setParameter('token', $token)
@ -98,7 +98,7 @@ class DefaultTokenMapper extends Mapper {
 	public function getTokenByUser(IUser $user) {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check')
+		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
 			->from('authtoken')
 			->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
 			->setMaxResults(1000);
--- a/lib/private/Authentication/Token/IToken.php
+++ b/lib/private/Authentication/Token/IToken.php
@ -72,4 +72,8 @@ interface IToken extends JsonSerializable {
 	 * @param int $time
 	 */
 	public function setLastCheck($time);
+
+	public function getScope();
+
+	public function setScope($scope);
 }
--- a/lib/private/Lockdown/LockdownManager.php
+++ b/lib/private/Lockdown/LockdownManager.php
@ -23,24 +23,36 @@ use OC\Authentication\Token\IToken;
 use OCP\Lockdown\ILockdownManager;

 class LockdownManager implements ILockdownManager {
-	/** @var IToken|null */
-	private $token;
-
 	private $enabled = false;

+	/** @var array|null */
+	private $scope;
+
 	public function enable() {
 		$this->enabled = true;
 	}

 	public function setToken(IToken $token) {
-		$this->token = $token;
+		$this->scope = $token->getScope();
+		$this->enable();
 	}

 	public function canAccessFilesystem() {
-		return true;
+		if (!$this->enabled) {
+			return true;
+		}
+		return !$this->scope || $this->scope['filesystem'];
 	}

 	public function canAccessApp($app) {
-		return $app === 'logreader' || $app === 'files' || $app === 'dav';
+		if (!$this->enabled) {
+			return true;
+		}
+		if ($this->scope && $this->scope['apps']) {
+			return in_array($app, $this->scope['apps']);
+		} else {
+			// no limit
+			return true;
+		}
 	}
 }
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@ -341,12 +341,10 @@ class Session implements IUserSession, Emitter {

 		if ($isTokenPassword) {
 			$this->session->set('app_password', $password);
-			\OC::$server->getLockdownManager()->setToken($this->tokenProvider->getToken($password));
 		} else if($this->supportsCookies($request)) {
 			// Password login, but cookies supported -> create (browser) session token
 			$this->createSessionToken($request, $this->getUser()->getUID(), $user, $password);
 		}
-		\OC::$server->getLockdownManager()->enable();

 		return true;
 	}
@ -527,6 +525,7 @@ class Session implements IUserSession, Emitter {
 		//login
 		$this->setUser($user);
 		$this->setLoginName($dbToken->getLoginName());
+		\OC::$server->getLockdownManager()->setToken($dbToken);
 		$this->manager->emit('\OC\User', 'postLogin', array($user, $password));

 		if ($this->isLoggedIn()) {
--- a/version.php
+++ b/version.php
@ -25,7 +25,7 @@
 // We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades
 // between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
 // when updating major/minor version number.
-$OC_Version = array(11, 0, 0, 0);
+$OC_Version = array(11, 0, 0, 1);

 // The human readable string
 $OC_VersionString = '11.0 alpha';