Extend authorization framework to cover login and API use

I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover Web login and API use. This will make it possible to prevent login and API use by users. I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using Profile::hasRight() when initializing users. If the rights check fails, I throw an exception. I created a new AuthorizationException class for this particular exception, in order to allow a different UI for these kinds of exceptions (or whatever).
2011-02-21 10:20:42 -05:00 · 2011-02-21 10:20:42 -05:00 · 1525acdca1
commit 1525acdca1
parent 6a1b0e2375
5 changed files with 81 additions and 2 deletions
--- a/classes/Profile.php
+++ b/classes/Profile.php
@ -865,6 +865,12 @@ class Profile extends Memcached_DataObject
            case Right::EMAILONFAVE:
                $result = !$this->isSandboxed();
                break;
            case Right::WEBLOGIN:
                $result = !$this->isSilenced();
                break;
            case Right::API:
                $result = !$this->isSilenced();
                break;
            case Right::BACKUPACCOUNT:
                $result = common_config('profile', 'backup');
                break;
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction
                    // Set the auth user
                    if (Event::handle('StartSetApiUser', array(&$user))) {
-                        $this->auth_user = User::staticGet('id', $appUser->profile_id);
+                        $user = User::staticGet('id', $appUser->profile_id);
                        if (!empty($user)) {
                            if (!$user->hasRight(Right::API)) {
                                throw new AuthorizationException(_('Not allowed to use API.'));
                            }
                        }
                        $this->auth_user = $user;
                        Event::handle('EndSetApiUser', array($user));
                    }
@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction
            if (Event::handle('StartSetApiUser', array(&$user))) {
                if (!empty($user)) {
                    if (!$user->hasRight(Right::API)) {
                        throw new AuthorizationException(_('Not allowed to use API.'));
                    }
                    $this->auth_user = $user;
                }
--- a/lib/authorizationexception.php
+++ b/lib/authorizationexception.php
@ -0,0 +1,59 @@
 <?php
 /**
 * StatusNet - the distributed open-source microblogging tool
 * Copyright (C) 2011, StatusNet, Inc.
 *
 * An exception for authorization errors
 * 
 * PHP version 5
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * @category  Exception
 * @package   StatusNet
 * @author    Evan Prodromou <evan@status.net>
 * @copyright 2011 StatusNet, Inc.
 * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
 * @link      http://status.net/
 */
 if (!defined('STATUSNET')) {
    // This check helps protect against security problems;
    // your code file can't be executed directly from the web.
    exit(1);
 }
 /**
 * An exception for authorization issues
 *
 * @category  Exception
 * @package   StatusNet
 * @author    Evan Prodromou <evan@status.net>
 * @copyright 2011 StatusNet, Inc.
 * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
 * @link      http://status.net/
 */
 class AuthorizationException extends ClientException
 {
    /**
     * Constructor
     *
     * @param string $message Message for the exception
     */
    public function __construct($message=null)
    {
        parent::__construct($message, 403);
    }
 }
--- a/lib/right.php
+++ b/lib/right.php
@ -66,5 +66,7 @@ class Right
    const DELETEACCOUNT      = 'deleteaccount';
    const MOVEACCOUNT        = 'moveaccount';
    const CREATEGROUP        = 'creategroup';
    const WEBLOGIN           = 'weblogin';
    const API                = 'api';
 }
--- a/lib/util.php
+++ b/lib/util.php
@ -300,7 +300,10 @@ function common_set_user($user)
    if ($user) {
        if (Event::handle('StartSetUser', array(&$user))) {
-            if($user){
+            if (!empty($user)) {
                if (!$user->hasRight(Right::WEBLOGIN)) {
                    throw new AuthorizationException(_('Not allowed to log in.'));
                }
                common_ensure_session();
                $_SESSION['userid'] = $user->id;
                $_cur = $user;