
Commit 1525acdc authored by Evan Prodromou's avatar Evan Prodromou

Extend authorization framework to cover login and API use

I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover
Web login and API use. This will make it possible to prevent login and API use by users.

I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using
Profile::hasRight() when initializing users. If the rights check fails, I throw an exception.

I created a new AuthorizationException class for this particular
exception, in order to allow a different UI for these kinds of exceptions (or whatever).
parent 6a1b0e23
......@@ -865,6 +865,12 @@ class Profile extends Memcached_DataObject
case Right::EMAILONFAVE:
$result = !$this->isSandboxed();
break;
case Right::WEBLOGIN:
$result = !$this->isSilenced();
break;
case Right::API:
$result = !$this->isSilenced();
break;
case Right::BACKUPACCOUNT:
$result = common_config('profile', 'backup');
break;
......
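Review bot: The new `Right::WEBLOGIN` and `Right::API` cases both resolve to `!$this->isSilenced()`, so silencing a profile now also locks the account out of web login and the API, and nothing in the switch records that this coupling is intended. A comment such as `// Silenced users may neither log in on the web nor use the API.` above the two cases would state the policy. The cases could also share one branch (`case Right::WEBLOGIN:` falling through to `case Right::API:`) so the two rights cannot drift apart by accident. The enclosing method starts and ends outside the hunk, so anything that runs before this switch is not visible here.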
......@@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction
// Set the auth user
if (Event::handle('StartSetApiUser', array(&$user))) {
$this->auth_user = User::staticGet('id', $appUser->profile_id);
$user = User::staticGet('id', $appUser->profile_id);
if (!empty($user)) {
if (!$user->hasRight(Right::API)) {
throw new AuthorizationException(_('Not allowed to use API.'));
}
}
$this->auth_user = $user;
Event::handle('EndSetApiUser', array($user));
}
......@@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction
if (Event::handle('StartSetApiUser', array(&$user))) {
if (!empty($user)) {
if (!$user->hasRight(Right::API)) {
throw new AuthorizationException(_('Not allowed to use API.'));
}
$this->auth_user = $user;
}
......
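Review bot: The `Right::API` check sits inside the `if (Event::handle('StartSetApiUser', array(&$user)))` body in both hunks, so it runs only on the default path; if a handler supplies `$user` and stops the event, the visible lines never call `hasRight()` for that user. Consider enforcing the right after the event block on whichever user was selected, e.g. `if (!empty($user) && !$user->hasRight(Right::API)) { throw new AuthorizationException(_('Not allowed to use API.')); }`. The `StartSetUser` block in the `common_set_user()` hunk has the same shape for `Right::WEBLOGIN`. In the first hunk an empty result from `User::staticGet()` is still assigned to `$this->auth_user` and passed to `EndSetApiUser`; whether a later step rejects it is outside the hunk.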
<?php
/**
* StatusNet - the distributed open-source microblogging tool
* Copyright (C) 2011, StatusNet, Inc.
*
* An exception for authorization errors
*
* PHP version 5
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Exception
* @package StatusNet
* @author Evan Prodromou <evan@status.net>
* @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
*/
if (!defined('STATUSNET')) {
// This check helps protect against security problems;
// your code file can't be executed directly from the web.
exit(1);
}
/**
* An exception for authorization issues
*
* @category Exception
* @package StatusNet
* @author Evan Prodromou <evan@status.net>
* @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
* @link http://status.net/
*/
class AuthorizationException extends ClientException
{
/**
* Constructor
*
* @param string $message Message for the exception
*/
public function __construct($message=null)
{
parent::__construct($message, 403);
}
}
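Review bot: The constructor docblock says only "Constructor", but the code always passes status 403 to `ClientException`, and that fixed status is the one thing a caller needs to know. Something like `* Constructor; the HTTP status is always 403 (Forbidden)` would cover it, and the class docblock could say that this exception is for an identified user who lacks a right, as opposed to a failed login. `$message` defaults to `null` and is forwarded unchanged; whether the parent substitutes a usable message in that case is not visible in this file, so either document the default or require the argument.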
......@@ -66,5 +66,7 @@ class Right
const DELETEACCOUNT = 'deleteaccount';
const MOVEACCOUNT = 'moveaccount';
const CREATEGROUP = 'creategroup';
const WEBLOGIN = 'weblogin';
const API = 'api';
}
......@@ -300,7 +300,10 @@ function common_set_user($user)
if ($user) {
if (Event::handle('StartSetUser', array(&$user))) {
if($user){
if (!empty($user)) {
if (!$user->hasRight(Right::WEBLOGIN)) {
throw new AuthorizationException(_('Not allowed to log in.'));
}
common_ensure_session();
$_SESSION['userid'] = $user->id;
$_cur = $user;
......
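Review bot: `Right::WEBLOGIN` is checked only at the point where `common_set_user()` writes the id into `$_SESSION`, so a session that already exists when the profile is silenced is not affected by anything in this hunk. If the intent is to cut off access, the code that restores the current user from the session probably needs the same `hasRight(Right::WEBLOGIN)` check; that code is not shown here. The function can also now throw `AuthorizationException`, which callers outside the hunk may not expect, so a `@throws AuthorizationException` line in its docblock would help. The function body starts and ends outside the hunk.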