|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* Gallery |
|
4
|
|
|
* |
|
5
|
|
|
* This file is licensed under the Affero General Public License version 3 or |
|
6
|
|
|
* later. See the COPYING file. |
|
7
|
|
|
* |
|
8
|
|
|
* @author Olivier Paroz <[email protected]> |
|
9
|
|
|
* @author Bernhard Posselt <[email protected]> |
|
10
|
|
|
* @author Authors of \OCA\Files_Sharing\Helper |
|
11
|
|
|
* |
|
12
|
|
|
* @copyright Olivier Paroz 2014-2016 |
|
13
|
|
|
* @copyright Bernhard Posselt 2012-2015 |
|
14
|
|
|
* @copyright Authors of \OCA\Files_Sharing\Helper 2014-2016 |
|
15
|
|
|
*/ |
|
16
|
|
|
|
|
17
|
|
|
namespace OCA\Gallery\Middleware; |
|
18
|
|
|
|
|
19
|
|
|
use OCP\IRequest; |
|
20
|
|
|
use OCP\IURLGenerator; |
|
21
|
|
|
use OCP\ISession; |
|
22
|
|
|
use OCP\ILogger; |
|
23
|
|
|
use OCP\Share; |
|
24
|
|
|
use OCP\Share\IShare; |
|
25
|
|
|
use OCP\Share\Exceptions\ShareNotFound; |
|
26
|
|
|
use OCP\Security\IHasher; |
|
27
|
|
|
|
|
28
|
|
|
use OCP\AppFramework\Http; |
|
29
|
|
|
use OCP\AppFramework\Utility\IControllerMethodReflector; |
|
30
|
|
|
|
|
31
|
|
|
use OCA\Gallery\Environment\Environment; |
|
32
|
|
|
use OCP\Share\IManager; |
|
33
|
|
|
|
|
34
|
|
|
/** |
|
35
|
|
|
* Checks that we have a valid token linked to a valid resource and that the |
|
36
|
|
|
* user is authorised to access it |
|
37
|
|
|
* |
|
38
|
|
|
* Once all checks have been passed, the environment is ready to use |
|
39
|
|
|
* |
|
40
|
|
|
* @package OCA\Gallery\Middleware |
|
41
|
|
|
*/ |
|
42
|
|
|
class EnvCheckMiddleware extends CheckMiddleware { |
|
43
|
|
|
|
|
44
|
|
|
/** @var IHasher */ |
|
45
|
|
|
private $hasher; |
|
46
|
|
|
/** @var ISession */ |
|
47
|
|
|
private $session; |
|
48
|
|
|
/** @var Environment */ |
|
49
|
|
|
private $environment; |
|
50
|
|
|
/** @var IControllerMethodReflector */ |
|
51
|
|
|
protected $reflector; |
|
52
|
|
|
/** @var IManager */ |
|
53
|
|
|
protected $shareManager; |
|
54
|
|
|
|
|
55
|
|
|
/*** |
|
56
|
|
|
* Constructor |
|
57
|
|
|
* |
|
58
|
|
|
* @param string $appName |
|
59
|
|
|
* @param IRequest $request |
|
60
|
|
|
* @param IHasher $hasher |
|
61
|
|
|
* @param ISession $session |
|
62
|
|
|
* @param Environment $environment |
|
63
|
|
|
* @param IControllerMethodReflector $reflector |
|
64
|
|
|
* @param IURLGenerator $urlGenerator |
|
65
|
|
|
* @param ILogger $logger |
|
66
|
|
|
* @param IManager $shareManager |
|
67
|
|
|
*/ |
|
68
|
|
|
public function __construct( |
|
69
|
|
|
$appName, |
|
70
|
|
|
IRequest $request, |
|
71
|
|
|
IHasher $hasher, |
|
72
|
|
|
ISession $session, |
|
73
|
|
|
Environment $environment, |
|
74
|
|
|
IControllerMethodReflector $reflector, |
|
75
|
|
|
IURLGenerator $urlGenerator, |
|
76
|
|
|
IManager $shareManager, |
|
77
|
|
|
ILogger $logger |
|
78
|
|
|
) { |
|
79
|
|
|
parent::__construct( |
|
80
|
|
|
$appName, |
|
81
|
|
|
$request, |
|
82
|
|
|
$urlGenerator, |
|
83
|
|
|
$logger |
|
84
|
|
|
); |
|
85
|
|
|
|
|
86
|
|
|
$this->hasher = $hasher; |
|
87
|
|
|
$this->session = $session; |
|
88
|
|
|
$this->environment = $environment; |
|
89
|
|
|
$this->reflector = $reflector; |
|
90
|
|
|
$this->shareManager = $shareManager; |
|
91
|
|
|
} |
|
92
|
|
|
|
|
93
|
|
|
/** |
|
94
|
|
|
* Checks that we have a valid token linked to a valid resource and that the |
|
95
|
|
|
* user is authorised to access it |
|
96
|
|
|
* |
|
97
|
|
|
* Inspects the controller method annotations and if PublicPage is found |
|
98
|
|
|
* it checks that we have a token and an optional password giving access to a valid resource. |
|
99
|
|
|
* Once that's done, the environment is setup so that our services can find the resources they |
|
100
|
|
|
* need. |
|
101
|
|
|
* |
|
102
|
|
|
* The checks are not performed on "guest" pages and the environment is not setup. Typical |
|
103
|
|
|
* guest pages are anonymous error ages |
|
104
|
|
|
* |
|
105
|
|
|
* @inheritDoc |
|
106
|
|
|
*/ |
|
107
|
|
|
public function beforeController($controller, $methodName) { |
|
108
|
|
|
if ($this->reflector->hasAnnotation('Guest')) { |
|
109
|
|
|
return; |
|
110
|
|
|
} |
|
111
|
|
|
$isPublicPage = $this->reflector->hasAnnotation('PublicPage'); |
|
112
|
|
|
if ($isPublicPage) { |
|
113
|
|
|
$this->validateAndSetTokenBasedEnv(); |
|
114
|
|
|
} else { |
|
115
|
|
|
$this->environment->setStandardEnv(); |
|
116
|
|
|
} |
|
117
|
|
|
} |
|
118
|
|
|
|
|
119
|
|
|
/** |
|
120
|
|
|
* Checks that we have a token and an optional password giving access to a |
|
121
|
|
|
* valid resource. Sets the token based environment after that |
|
122
|
|
|
* |
|
123
|
|
|
* @throws CheckException |
|
124
|
|
|
*/ |
|
125
|
|
|
private function validateAndSetTokenBasedEnv() { |
|
126
|
|
|
$token = $this->request->getParam('token'); |
|
127
|
|
|
if (!$token) { |
|
128
|
|
|
throw new CheckException( |
|
129
|
|
|
"Can't access a public resource without a token", Http::STATUS_NOT_FOUND |
|
130
|
|
|
); |
|
131
|
|
|
} else { |
|
132
|
|
|
$share = $this->getShare($token); |
|
133
|
|
|
$password = $this->request->getParam('password'); |
|
134
|
|
|
// Let's see if the user needs to provide a password |
|
135
|
|
|
$this->checkAuthorisation($share, $password); |
|
136
|
|
|
|
|
137
|
|
|
$this->environment->setTokenBasedEnv($share); |
|
138
|
|
|
} |
|
139
|
|
|
} |
|
140
|
|
|
|
|
141
|
|
|
/** |
|
142
|
|
|
* Validates a token to make sure its linked to a valid resource |
|
143
|
|
|
* |
|
144
|
|
|
* Uses Share 2.0 |
|
145
|
|
|
* |
|
146
|
|
|
* @fixme setIncognitoMode in 8.1 https://github.com/owncloud/core/pull/12912 |
|
147
|
|
|
* |
|
148
|
|
|
* @param string $token |
|
149
|
|
|
* |
|
150
|
|
|
* @throws CheckException |
|
151
|
|
|
* @return IShare |
|
152
|
|
|
*/ |
|
153
|
|
|
private function getShare($token) { |
|
154
|
|
|
// Allows a logged in user to access public links |
|
155
|
|
|
\OC_User::setIncognitoMode(true); |
|
156
|
|
|
|
|
157
|
|
|
try { |
|
158
|
|
|
$share = $this->shareManager->getShareByToken($token); |
|
159
|
|
|
} catch (ShareNotFound $e) { |
|
|
|
|
|
|
160
|
|
|
throw new CheckException($e->getMessage(), Http::STATUS_NOT_FOUND); |
|
161
|
|
|
} |
|
162
|
|
|
|
|
163
|
|
|
$this->checkShareIsValid($share, $token); |
|
164
|
|
|
$this->checkItemType($share); |
|
165
|
|
|
|
|
166
|
|
|
return $share; |
|
167
|
|
|
} |
|
168
|
|
|
|
|
169
|
|
|
/** |
|
170
|
|
|
* Makes sure that the token contains all the information that we need |
|
171
|
|
|
* |
|
172
|
|
|
* @param IShare $share |
|
173
|
|
|
* @param string $token |
|
174
|
|
|
* |
|
175
|
|
|
* @throws CheckException |
|
176
|
|
|
*/ |
|
177
|
|
|
private function checkShareIsValid($share, $token) { |
|
178
|
|
|
if ($share->getShareOwner() === null |
|
179
|
|
|
|| $share->getTarget() === null |
|
180
|
|
|
) { |
|
181
|
|
|
$message = |
|
182
|
|
|
'Passed token seems to be valid, but it does not contain all necessary information . ("' |
|
183
|
|
|
. $token . '")'; |
|
184
|
|
|
throw new CheckException($message, Http::STATUS_NOT_FOUND); |
|
185
|
|
|
} |
|
186
|
|
|
} |
|
187
|
|
|
|
|
188
|
|
|
/** |
|
189
|
|
|
* Makes sure an item type was set for that token |
|
190
|
|
|
* |
|
191
|
|
|
* @param IShare $share |
|
192
|
|
|
* |
|
193
|
|
|
* @throws CheckException |
|
194
|
|
|
*/ |
|
195
|
|
|
private function checkItemType($share) { |
|
196
|
|
|
if ($share->getNodeType() === null) { |
|
197
|
|
|
$message = 'No item type set for share id: ' . $share->getId(); |
|
198
|
|
|
throw new CheckException($message, Http::STATUS_NOT_FOUND); |
|
199
|
|
|
} |
|
200
|
|
|
} |
|
201
|
|
|
|
|
202
|
|
|
/** |
|
203
|
|
|
* Checks if a password is required or if the one supplied is working |
|
204
|
|
|
* |
|
205
|
|
|
* @param IShare $share |
|
206
|
|
|
* @param string|null $password optional password |
|
207
|
|
|
* |
|
208
|
|
|
* @throws CheckException |
|
209
|
|
|
*/ |
|
210
|
|
|
private function checkAuthorisation($share, $password) { |
|
211
|
|
|
$passwordRequired = $share->getPassword(); |
|
212
|
|
|
|
|
213
|
|
|
if (isset($passwordRequired)) { |
|
214
|
|
|
if ($password !== null) { |
|
215
|
|
|
$this->authenticate($share, $password); |
|
216
|
|
|
} else { |
|
217
|
|
|
$this->checkSession($share); |
|
218
|
|
|
} |
|
219
|
|
|
} |
|
220
|
|
|
} |
|
221
|
|
|
|
|
222
|
|
|
/** |
|
223
|
|
|
* Authenticate link item with the given password |
|
224
|
|
|
* or with the session if no password was given. |
|
225
|
|
|
* |
|
226
|
|
|
* @param IShare $share |
|
227
|
|
|
* @param string $password |
|
228
|
|
|
* |
|
229
|
|
|
* @return bool true if authorized, an exception is raised otherwise |
|
230
|
|
|
* |
|
231
|
|
|
* @throws CheckException |
|
232
|
|
|
*/ |
|
233
|
|
|
private function authenticate($share, $password) { |
|
234
|
|
|
if ((int)$share->getShareType() === Share::SHARE_TYPE_LINK) { |
|
235
|
|
|
$this->checkPassword($share, $password); |
|
236
|
|
|
} else { |
|
237
|
|
|
throw new CheckException( |
|
238
|
|
|
'Unknown share type ' . $share->getShareType() . ' for share id ' |
|
239
|
|
|
. $share->getId(), Http::STATUS_NOT_FOUND |
|
240
|
|
|
); |
|
241
|
|
|
} |
|
242
|
|
|
|
|
243
|
|
|
return true; |
|
244
|
|
|
} |
|
245
|
|
|
|
|
246
|
|
|
/** |
|
247
|
|
|
* Validates the given password |
|
248
|
|
|
* |
|
249
|
|
|
* @fixme @LukasReschke says: Migrate old hashes to new hash format |
|
250
|
|
|
* Due to the fact that there is no reasonable functionality to update the password |
|
251
|
|
|
* of an existing share no migration is yet performed there. |
|
252
|
|
|
* The only possibility is to update the existing share which will result in a new |
|
253
|
|
|
* share ID and is a major hack. |
|
254
|
|
|
* |
|
255
|
|
|
* In the future the migration should be performed once there is a proper method |
|
256
|
|
|
* to update the share's password. (for example `$share->updatePassword($password)` |
|
257
|
|
|
* |
|
258
|
|
|
* @link https://github.com/owncloud/core/issues/10671 |
|
259
|
|
|
* |
|
260
|
|
|
* @param IShare $share |
|
261
|
|
|
* @param string $password |
|
262
|
|
|
* |
|
263
|
|
|
* @throws CheckException |
|
264
|
|
|
*/ |
|
265
|
|
|
private function checkPassword($share, $password) { |
|
266
|
|
|
$newHash = ''; |
|
267
|
|
|
if ($this->shareManager->checkPassword($share, $password)) { |
|
268
|
|
|
// Save item id in session for future requests |
|
269
|
|
|
$this->session->set('public_link_authenticated', (string)$share->getId()); |
|
270
|
|
|
// @codeCoverageIgnoreStart |
|
271
|
|
|
if (!empty($newHash)) { |
|
272
|
|
|
// For future use |
|
273
|
|
|
} |
|
274
|
|
|
// @codeCoverageIgnoreEnd |
|
275
|
|
|
} else { |
|
276
|
|
|
throw new CheckException("Wrong password", Http::STATUS_UNAUTHORIZED); |
|
277
|
|
|
} |
|
278
|
|
|
} |
|
279
|
|
|
|
|
280
|
|
|
/** |
|
281
|
|
|
* Makes sure the user is already properly authenticated when a password is required and none |
|
282
|
|
|
* was provided |
|
283
|
|
|
* |
|
284
|
|
|
* @param IShare $share |
|
285
|
|
|
* |
|
286
|
|
|
* @throws CheckException |
|
287
|
|
|
*/ |
|
288
|
|
|
private function checkSession($share) { |
|
289
|
|
|
// Not authenticated ? |
|
290
|
|
|
if (!$this->session->exists('public_link_authenticated') |
|
291
|
|
|
|| $this->session->get('public_link_authenticated') !== (string)$share->getId() |
|
292
|
|
|
) { |
|
293
|
|
|
throw new CheckException("Missing password", Http::STATUS_UNAUTHORIZED); |
|
294
|
|
|
} |
|
295
|
|
|
} |
|
296
|
|
|
} |
|
297
|
|
|
|
owncloud /
gallery
tahaa karim
Scrutinizer analyzes your
composer.json/composer.lockfile if available to determine the classes, and functions that are defined by your dependencies.It seems like the listed class was neither found in your dependencies, nor was it found in the analyzed files in your repository. If you are using some other form of dependency management, you might want to disable this analysis.