<?php |
/** |
* @author Lukas Reschke <[email protected]> |
* @author Morris Jobke <[email protected]> |
* @author Roeland Jago Douma <[email protected]> |
* @author Thomas Müller <[email protected]> |
* |
* @copyright Copyright (c) 2017, ownCloud GmbH |
* @license AGPL-3.0 |
* |
* This code is free software: you can redistribute it and/or modify |
* it under the terms of the GNU Affero General Public License, version 3, |
* as published by the Free Software Foundation. |
* |
* This program is distributed in the hope that it will be useful, |
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
* GNU Affero General Public License for more details. |
* |
* You should have received a copy of the GNU Affero General Public License, version 3, |
* along with this program. If not, see <http://www.gnu.org/licenses/> |
* |
*/ |
namespace OC\Settings\Middleware; |
use OC\AppFramework\Http; |
use OC\AppFramework\Middleware\Security\Exceptions\NotAdminException; |
use OC\AppFramework\Utility\ControllerMethodReflector; |
use OCP\AppFramework\Http\TemplateResponse; |
use OCP\AppFramework\Middleware; |
use OCP\IGroupManager; |
use OCP\IUserSession; |
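/**
 * Verifies that the logged in user has at least subadmin rights.
 *
 * To bypass the check, annotate the controller method with
 * `@NoSubadminRequired`. That annotation disables the authorization check
 * for the action entirely, so it must only be placed on actions that are
 * safe for every logged in user, and adding it should be reviewed like any
 * other authorization change.
 *
 * A request without a logged in user is rejected as well: the check only
 * passes when `IUserSession::getUser()` returns a user who is an admin or
 * a subadmin.
 *
 * @package OC\Settings\Middleware
 */
class SubadminMiddleware extends Middleware {
	/** @var IUserSession */
	private $userSession;
	/** @var IGroupManager */
	private $groupManager;
	/** @var ControllerMethodReflector */
	protected $reflector;

	/**
	 * @param ControllerMethodReflector $reflector reflects the controller
	 *        method being dispatched; used to read its annotations
	 * @param IGroupManager $groupManager resolves admin and subadmin status
	 * @param IUserSession $userSession provides the currently logged in user
	 */
	public function __construct(ControllerMethodReflector $reflector,
								IGroupManager $groupManager,
								IUserSession $userSession) {
		$this->reflector = $reflector;
		$this->groupManager = $groupManager;
		$this->userSession = $userSession;
	}

	/**
	 * Rejects the request before the controller runs unless the logged in
	 * user is an admin or a subadmin, or the controller method opted out
	 * via the `@NoSubadminRequired` annotation.
	 *
	 * @param \OCP\AppFramework\Controller $controller
	 * @param string $methodName
	 * @throws NotAdminException when no user is logged in, or the logged in
	 *         user is neither an admin nor a subadmin
	 */
	public function beforeController($controller, $methodName) {
		if ($this->reflector->hasAnnotation('NoSubadminRequired')) {
			// The action explicitly opted out of the subadmin requirement.
			return;
		}

		$activeUser = $this->userSession->getUser();
		if ($activeUser === null) {
			// No active user in the session (not logged in; the original note
			// also mentions incognito mode) — nobody to authorize, so reject.
			throw new NotAdminException('Logged in user must be a subadmin');
		}

		// Admins and subadmins are allowed to access user management.
		$hasUserManagementPrivileges = $this->groupManager->isAdmin($activeUser->getUID())
			|| $this->groupManager->getSubAdmin()->isSubAdmin($activeUser);

		if (!$hasUserManagementPrivileges) {
			throw new NotAdminException('Logged in user must be a subadmin');
		}
	}

	/**
	 * Turns a NotAdminException raised by beforeController() into the generic
	 * core 403 page rendered with the guest layout. Every other exception is
	 * rethrown unchanged so the regular error handling applies to it.
	 *
	 * @param \OCP\AppFramework\Controller $controller
	 * @param string $methodName
	 * @param \Exception $exception
	 * @return TemplateResponse the core '403' template with HTTP status 403
	 * @throws \Exception the original exception when it is not a NotAdminException
	 */
	public function afterException($controller, $methodName, \Exception $exception) {
		if (!($exception instanceof NotAdminException)) {
			throw $exception;
		}

		$response = new TemplateResponse('core', '403', [], 'guest');
		$response->setStatus(Http::STATUS_FORBIDDEN);
		return $response;
	}
}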
This check compares calls to functions or methods with their respective definitions. If a call passes more arguments than the definition declares, it raises an issue.
If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this is known to happen is WordPress. In this case you can add the `@ignorePhpDoc` annotation to the duplicate definition and it will be ignored.