Commit 1525acdc authored by Evan Prodromou's avatar Evan Prodromou

Extend authorization framework to cover login and API use

I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover
Web login and API use. This will make it possible to prevent login and API use by users.

I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using
Profile::hasRight() when initializing users. If the rights check fails, I throw an exception.

I created a new AuthorizationException class for this particular
exception, in order to allow a different UI for these kinds of exceptions (or whatever).
parent 6a1b0e23
......@@ -865,6 +865,12 @@ class Profile extends Memcached_DataObject
case Right::EMAILONFAVE:
$result = !$this->isSandboxed();
break;
case Right::WEBLOGIN:
$result = !$this->isSilenced();
break;
case Right::API:
$result = !$this->isSilenced();
break;
case Right::BACKUPACCOUNT:
$result = common_config('profile', 'backup');
break;
......
......@@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction
// Set the auth user
if (Event::handle('StartSetApiUser', array(&$user))) {
$this->auth_user = User::staticGet('id', $appUser->profile_id);
$user = User::staticGet('id', $appUser->profile_id);
if (!empty($user)) {
if (!$user->hasRight(Right::API)) {
throw new AuthorizationException(_('Not allowed to use API.'));
}
}
$this->auth_user = $user;
Event::handle('EndSetApiUser', array($user));
}
......@@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction
if (Event::handle('StartSetApiUser', array(&$user))) {
if (!empty($user)) {
if (!$user->hasRight(Right::API)) {
throw new AuthorizationException(_('Not allowed to use API.'));
}
$this->auth_user = $user;
}
......
<?php
/**
* StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2011, StatusNet, Inc.
*
* An exception for authorization errors
*
* PHP version 5
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Exception
* @package StatusNet
* @author Evan Prodromou <evan@status.net>
* @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
*/
if (!defined('STATUSNET')) {
// This check helps protect against security problems;
// your code file can't be executed directly from the web.
exit(1);
}
/**
* An exception for authorization issues
*
* @category Exception
* @package StatusNet
* @author Evan Prodromou <evan@status.net>
* @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
*/
class AuthorizationException extends ClientException
{
/**
* Constructor
*
* @param string $message Message for the exception
*/
public function __construct($message=null)
{
parent::__construct($message, 403);
}
}
......@@ -66,5 +66,7 @@ class Right
const DELETEACCOUNT = 'deleteaccount';
const MOVEACCOUNT = 'moveaccount';
const CREATEGROUP = 'creategroup';
const WEBLOGIN = 'weblogin';
const API = 'api';
}
......@@ -300,7 +300,10 @@ function common_set_user($user)
if ($user) {
if (Event::handle('StartSetUser', array(&$user))) {
if($user){
if (!empty($user)) {
if (!$user->hasRight(Right::WEBLOGIN)) {
throw new AuthorizationException(_('Not allowed to log in.'));
}
common_ensure_session();
$_SESSION['userid'] = $user->id;
$_cur = $user;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment