harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

disable web browser post inputs if no storage write permission

Browse Source
This commit is contained in:
friendica 2014-01-05 19:25:56 -08:00
parent e10c237386
commit daf5daa2d3
2 changed files with 95 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
include/reddav.php
View File

@ -92,6 +92,8 @@ class RedDirectory extends DAV\Node implements DAV\ICollection {
$this->folder_hash = '';
$this->getDir();
if($this->auth->browser)
$this->auth->browser->set_writeable();
}
@ -657,3 +659,90 @@ dbg(0);
}
class RedBasicAuth extends Sabre\DAV\Auth\Backend\AbstractBasic {
public $channel_name = '';
public $channel_id = 0;
public $channel_hash = '';
public $observer = '';
public $browser;
public $owner_id;
protected function validateUserPass($username, $password) {
require_once('include/auth.php');
$record = account_verify_password($email,$pass);
if($record && $record['account_default_channel']) {
$r = q("select * from channel where channel_account_id = %d and channel_id = %d limit 1",
intval($record['account_id']),
intval($record['account_default_channel'])
);
if($r) {
$this->currentUser = $r[0]['channel_address'];
$this->channel_name = $r[0]['channel_address'];
$this->channel_id = $r[0]['channel_id'];
$this->channel_hash = $this->observer = $r[0]['channel_hash'];
return true;
}
}
$r = q("select * from channel where channel_address = '%s' limit 1",
dbesc($username)
);
if($r) {
$x = q("select * from account where account_id = %d limit 1",
intval($r[0]['channel_account_id'])
);
if($x) {
foreach($x as $record) {
if(($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)
&& (hash('whirlpool',$record['account_salt'] . $password) === $record['account_password'])) {
logger('(DAV) RedBasicAuth: password verified for ' . $username);
$this->currentUser = $r[0]['channel_address'];
$this->channel_name = $r[0]['channel_address'];
$this->channel_id = $r[0]['channel_id'];
$this->channel_hash = $this->observer = $r[0]['channel_hash'];
return true;
}
}
}
}
logger('(DAV) RedBasicAuth: password failed for ' . $username);
return false;
}
function setCurrentUser($name) {
$this->currentUser = $name;
}
function setBrowserPlugin($browser) {
$this->browser = $browser;
}
}
class RedBrowser extends DAV\Browser\Plugin {
private $auth;
function __construct(&$auth) {
$this->auth = $auth;
}
function set_writeable() {
logger('RedBrowser: ' . print_r($this->auth,true));
if(! $this->auth->owner_id)
$this->enablePost = false;
if(! perm_is_allowed($this->auth->owner_id, get_observer_hash(), 'write_storage'))
$this->enablePost = false;
else
$this->enablePost = true;
}
}

84
mod/cloud.php
View File

@ -1,23 +1,5 @@
<?php
// This module is currently !!!HIGHLY EXPERIMENTAL!!!
// You should think twice before running this on a production server
// as security mechanisms are not yet implemented and those that
// are implemented probably don't work.
// DAV mounts will probably fail if you don't use SSL, because some platforms refuse to send
// basic auth over non-encrypted connections.
// One could use digest auth - but then one has to calculate the A1 digest and store it for
// all acounts. We aren't doing that. We have a stored password already. We don't need another
// one. The login unfortunately is the channel nickname (webbie) as we have no way of passing
// the destination channel to DAV. You should be able to login with your account credentials
// and be directed to your default channel.
// This interface does not yet support Red stored files. Consider any content in your "store"
// directory to be throw-away until advised otherwise.
use Sabre\DAV;
require_once('vendor/autoload.php');
@ -44,69 +26,10 @@
class RedBasicAuth extends Sabre\DAV\Auth\Backend\AbstractBasic {
public $channel_name = '';
public $channel_id = 0;
public $channel_hash = '';
public $observer = '';
public $owner_id;
protected function validateUserPass($username, $password) {
require_once('include/auth.php');
$record = account_verify_password($email,$pass);
if($record && $record['account_default_channel']) {
$r = q("select * from channel where channel_account_id = %d and channel_id = %d limit 1",
intval($record['account_id']),
intval($record['account_default_channel'])
);
if($r) {
$this->currentUser = $r[0]['channel_address'];
$this->channel_name = $r[0]['channel_address'];
$this->channel_id = $r[0]['channel_id'];
$this->channel_hash = $this->observer = $r[0]['channel_hash'];
return true;
}
}
$r = q("select * from channel where channel_address = '%s' limit 1",
dbesc($username)
);
if($r) {
$x = q("select * from account where account_id = %d limit 1",
intval($r[0]['channel_account_id'])
);
if($x) {
foreach($x as $record) {
if(($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)
&& (hash('whirlpool',$record['account_salt'] . $password) === $record['account_password'])) {
logger('(DAV) RedBasicAuth: password verified for ' . $username);
$this->currentUser = $r[0]['channel_address'];
$this->channel_name = $r[0]['channel_address'];
$this->channel_id = $r[0]['channel_id'];
$this->channel_hash = $this->observer = $r[0]['channel_hash'];
return true;
}
}
}
}
logger('(DAV) RedBasicAuth: password failed for ' . $username);
return false;
}
function setCurrentUser($name) {
$this->currentUser = $name;
}
}
function cloud_init(&$a) {
if(! get_config('system','enable_cloud'))
killme();
require_once('include/reddav.php');
$auth = new RedBasicAuth();
@ -136,7 +59,12 @@ function cloud_init(&$a) {
if(! $auth->observer)
$auth->Authenticate($server,'Red Matrix');
$browser = new DAV\Browser\Plugin();
// $browser = new DAV\Browser\Plugin();
$browser = new RedBrowser($auth);
$auth->setBrowserPlugin($browser);
$server->addPlugin($browser);