This repository has been archived by the owner on Nov 25, 2020. It is now read-only.

Move bootSequence() to RolesService, move call to AuthMiddleware(s) a…
…nd pass alert via request "flash" attribute.
cdujeu committed Jun 8, 2016
1 parent e3e2e1f commit b6a8941
Showing 6 changed files with 171 additions and 134 deletions.
6 changes: 6 additions & 0 deletions core/src/core/src/pydio/Core/Http/Cli/AuthCliMiddleware.php
@@ -30,7 +30,9 @@
use Pydio\Core\PluginFramework\PluginsService;
use Pydio\Core\Services\AuthService;
use Pydio\Core\Services\ConfService;
use Pydio\Core\Services\RolesService;
use Pydio\Core\Services\UsersService;
use Pydio\Core\Utils\Utils;
use Zend\Diactoros\Response;

defined('AJXP_EXEC') or die('Access not allowed');
@@ -152,6 +154,10 @@ public static function handleRequest(ServerRequestInterface $requestInterface, R

$requestInterface = $requestInterface->withAttribute("action", $options["a"]);

if(UsersService::usersEnabled() && Utils::detectApplicationFirstRun()){
RolesService::bootSequence();
}

if ($impersonateUsers !== false && $loggedUser->isAdmin()) {

foreach ($impersonateUsers as $impersonateUser){
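Review bot: The guard on the added `if(UsersService::usersEnabled() && Utils::detectApplicationFirstRun())` looks inverted relative to the code it replaces. The removed AuthService::bootSequence() began with `if(Utils::detectApplicationFirstRun()) return;`, so it provisioned roles and the admin account only when that check was false, while this call runs it only when the check is true. The same guard is added in AuthMiddleware::bootSessionServer and RestAuthMiddleware::handleRequest. If provisioning is still meant to be skipped during first run, the condition should read `UsersService::usersEnabled() && !Utils::detectApplicationFirstRun()`; if the new behaviour is intended, a one-line comment at each call site should say so. handleRequest's body continues outside the hunk.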
17 changes: 16 additions & 1 deletion core/src/core/src/pydio/Core/Http/Middleware/AuthMiddleware.php
@@ -26,13 +26,16 @@
use Pydio\Core\Exception\AuthRequiredException;
use Pydio\Core\Exception\NoActiveWorkspaceException;
use Pydio\Core\Exception\PydioException;
use Pydio\Core\Exception\PydioUserAlertException;
use Pydio\Core\Exception\RepositoryLoadException;
use Pydio\Core\Http\Server;
use Pydio\Core\Model\Context;
use Pydio\Core\PluginFramework\PluginsService;
use Pydio\Core\Services\AuthService;
use Pydio\Core\Services\ConfService;
use Pydio\Core\Services\RolesService;
use Pydio\Core\Services\UsersService;
use Pydio\Core\Utils\Utils;
use Zend\Diactoros\Response\EmptyResponse;

defined('AJXP_EXEC') or die('Access not allowed');
@@ -97,7 +100,7 @@ public static function handleRequest(\Psr\Http\Message\ServerRequestInterface &$

}

protected static function bootSessionServer(ServerRequestInterface $request){
protected static function bootSessionServer(ServerRequestInterface &$request){

$parameters = $request->getParsedBody();
if (isSet($parameters["tmp_repository_id"])) {
@@ -124,6 +127,18 @@ protected static function bootSessionServer(ServerRequestInterface $request){
if($loggedUser != null && $loggedUser->getPref("lang") != "") ConfService::setLanguage($loggedUser->getPref("lang"));
else if(isSet($request->getCookieParams()["AJXP_lang"])) ConfService::setLanguage($request->getCookieParams()["AJXP_lang"]);

if(UsersService::usersEnabled() && Utils::detectApplicationFirstRun()){
try{
RolesService::bootSequence();
}catch (PydioException $e){
if($request->getAttribute("action") == "get_boot_gui"){
$request = $request->withAttribute("flash", $e->getMessage());
}else{
throw $e;
}
}
}

}

}
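Review bot: The `else { throw $e; }` branch in the added try/catch makes every action other than `get_boot_gui` fail on the PydioException, even though RolesService::bootSequence() raises it only as a one-time warning after it has saved the admin user and written the `admin_counted` marker. The request that happens to trigger the boot sequence is therefore aborted, and since the marker already exists the warning is not raised again for a later get_boot_gui. I would keep the request going in both cases and deliver the text out of band for non-GUI actions, and compare the action with `===`. The added `use Pydio\Core\Exception\PydioUserAlertException;` is not referenced in the visible hunks. Part of bootSessionServer's body lies between the two hunks and is not shown.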
7 changes: 7 additions & 0 deletions core/src/core/src/pydio/Core/Http/Rest/RestAuthMiddleware.php
@@ -28,6 +28,9 @@
use Pydio\Core\PluginFramework\PluginsService;
use Pydio\Core\Services\AuthService;
use Pydio\Core\Services\ConfService;
use Pydio\Core\Services\RolesService;
use Pydio\Core\Services\UsersService;
use Pydio\Core\Utils\Utils;

defined('AJXP_EXEC') or die('Access not allowed');

@@ -78,6 +81,10 @@ public static function handleRequest(\Psr\Http\Message\ServerRequestInterface &$
$context = Context::contextWithObjects(AuthService::getLoggedUser(), $repo);
$requestInterface = $requestInterface->withAttribute("ctx", $context);

if(UsersService::usersEnabled() && Utils::detectApplicationFirstRun()){
RolesService::bootSequence();
}

return RestServer::callNextMiddleWare($requestInterface, $responseInterface, $next);

}
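Review bot: The added `RolesService::bootSequence();` is called without a try/catch, although bootSequence() throws PydioException to report its admin-account warnings and AuthMiddleware catches it for that reason. Here, and in the identical call added to AuthCliMiddleware, the exception leaves handleRequest, so the API or CLI call in progress fails with the warning text (which can contain the initial admin password) instead of reaching `callNextMiddleWare`. Catch PydioException around the call, hand the message to whatever reports to the administrator, and let the request continue; the class is not among the `use` lines visible in this file, so it may need importing.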
131 changes: 1 addition & 130 deletions core/src/core/src/pydio/Core/Services/AuthService.php
@@ -21,13 +21,11 @@
namespace Pydio\Core\Services;
use Pydio\Auth\Core\AJXP_Safe;
use Pydio\Conf\Core\AbstractAjxpUser;
use Pydio\Conf\Core\AJXP_Role;
use Pydio\Core\Controller\Controller;
use Pydio\Core\Utils\BruteForceHelper;
use Pydio\Core\Utils\CookiesHelper;
use Pydio\Core\Utils\Utils;
use Pydio\Core\Controller\XMLWriter;
use Pydio\Core\PluginFramework\PluginsService;
use Pydio\Log\Core\AJXP_Logger;

defined('AJXP_EXEC') or die( 'Access not allowed');
@@ -217,132 +215,5 @@ public static function disconnect()
}
}

/**
* Specific operations to perform at boot time
* @static
* @param array $START_PARAMETERS A HashTable of parameters to send back to the client
* @return void
*/
public static function bootSequence(&$START_PARAMETERS)
{
if(Utils::detectApplicationFirstRun()) return;
if(file_exists(AJXP_CACHE_DIR."/admin_counted")) return;
$rootRole = RolesService::getRole("AJXP_GRP_/");
if ($rootRole === false) {
$rootRole = new AJXP_Role("AJXP_GRP_/");
$rootRole->setLabel("Root Group");
//$rootRole->setAutoApplies(array("standard", "admin"));
//$dashId = "";
$allRepos = ConfService::getRepositoriesList("all", false);
foreach ($allRepos as $repositoryId => $repoObject) {
if($repoObject->isTemplate) continue;
//if($repoObject->getAccessType() == "ajxp_user") $dashId = $repositoryId;
$gp = $repoObject->getGroupPath();
if (empty($gp) || $gp == "/") {
if ($repoObject->getDefaultRight() != "") {
$rootRole->setAcl($repositoryId, $repoObject->getDefaultRight());
}
}
}
//if(!empty($dashId)) $rootRole->setParameterValue("core.conf", "DEFAULT_START_REPOSITORY", $dashId);
$paramNodes = PluginsService::getInstance()->searchAllManifests("//server_settings/param[@scope]", "node", false, false, true);
if (is_array($paramNodes) && count($paramNodes)) {
foreach ($paramNodes as $xmlNode) {
$default = $xmlNode->getAttribute("default");
if(empty($default)) continue;
$parentNode = $xmlNode->parentNode->parentNode;
$pluginId = $parentNode->getAttribute("id");
if (empty($pluginId)) {
$pluginId = $parentNode->nodeName.".".$parentNode->getAttribute("name");
}
$rootRole->setParameterValue($pluginId, $xmlNode->getAttribute("name"), $default);
}
}
RolesService::updateRole($rootRole);
}
$miniRole = RolesService::getRole("MINISITE");
if ($miniRole === false) {
$rootRole = new AJXP_Role("MINISITE");
$rootRole->setLabel("Minisite Users");
$actions = array(
"access.fs" => array("ajxp_link", "chmod", "purge"),
"meta.watch" => array("toggle_watch"),
"conf.serial"=> array("get_bookmarks"),
"conf.sql"=> array("get_bookmarks"),
"index.lucene" => array("index"),
"action.share" => array("share", "share-edit-shared", "share-folder-workspace", "share-file-minisite", "share-selection-minisite", "share-folder-minisite-public"),
"gui.ajax" => array("bookmark"),
"auth.serial" => array("pass_change"),
"auth.sql" => array("pass_change"),
);
foreach ($actions as $pluginId => $acts) {
foreach ($acts as $act) {
$rootRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_SHARED, false);
}
}
RolesService::updateRole($rootRole);
}
$miniRole = RolesService::getRole("MINISITE_NODOWNLOAD");
if ($miniRole === false) {
$rootRole = new AJXP_Role("MINISITE_NODOWNLOAD");
$rootRole->setLabel("Minisite Users - No Download");
$actions = array(
"access.fs" => array("download", "download_chunk", "prepare_chunk_dl", "download_all")
);
foreach ($actions as $pluginId => $acts) {
foreach ($acts as $act) {
$rootRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_SHARED, false);
}
}
RolesService::updateRole($rootRole);
}
$miniRole = RolesService::getRole("GUEST");
if ($miniRole === false) {
$rootRole = new AJXP_Role("GUEST");
$rootRole->setLabel("Guest user role");
$actions = array(
"access.fs" => array("purge"),
"meta.watch" => array("toggle_watch"),
"index.lucene" => array("index"),
);
$rootRole->setAutoApplies(array("guest"));
foreach ($actions as $pluginId => $acts) {
foreach ($acts as $act) {
$rootRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_ALL);
}
}
RolesService::updateRole($rootRole);
}
$adminCount = UsersService::countAdminUsers();
if ($adminCount == 0) {
$authDriver = ConfService::getAuthDriverImpl();
$adminPass = ADMIN_PASSWORD;
if (!$authDriver->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
$adminPass = md5(ADMIN_PASSWORD);
}
UsersService::createUser("admin", $adminPass, true);
if (ADMIN_PASSWORD == INITIAL_ADMIN_PASSWORD) {
$userObject = ConfService::getConfStorageImpl()->createUserObject("admin");
$userObject->setAdmin(true);
RolesService::updateAdminRights($userObject);
if (UsersService::changePasswordEnabled()) {
$userObject->setLock("pass_change");
}
$userObject->save("superuser");
$START_PARAMETERS["ALERT"] .= "Warning! User 'admin' was created with the initial password '". INITIAL_ADMIN_PASSWORD ."'. \\nPlease log in as admin and change the password now!";
self::updateUser($userObject);
}
} else if ($adminCount == -1) {
// Here we may come from a previous version! Check the "admin" user and set its right as admin.
$confStorage = ConfService::getConfStorageImpl();
$adminUser = $confStorage->createUserObject("admin");
$adminUser->setAdmin(true);
$adminUser->save("superuser");
$START_PARAMETERS["ALERT"] .= "There is an admin user, but without admin right. Now any user can have the administration rights, \\n your 'admin' user was set with the admin rights. Please check that this suits your security configuration.";
}
file_put_contents(AJXP_CACHE_DIR."/admin_counted", "true");

}


}
}
136 changes: 136 additions & 0 deletions core/src/core/src/pydio/Core/Services/RolesService.php
@@ -22,6 +22,7 @@

use Pydio\Conf\Core\AJXP_Role;
use Pydio\Conf\Core\AjxpRole;
use Pydio\Core\Exception\PydioException;
use Pydio\Core\Model\UserInterface;
use Pydio\Core\PluginFramework\PluginsService;

@@ -243,4 +244,139 @@ public static function getRolesList($roleIds = array(), $excludeReserved = false
}
return $roles;
}

/**
* Specific operations to perform at boot time
* @static
* @throws PydioException
* @throws \Exception
*/
public static function bootSequence()
{
if (file_exists(AJXP_CACHE_DIR . "/admin_counted")) return;
$rootRole = RolesService::getRole("AJXP_GRP_/");
if ($rootRole === false) {
$rootRole = new AJXP_Role("AJXP_GRP_/");
$rootRole->setLabel("Root Group");
//$rootRole->setAutoApplies(array("standard", "admin"));
//$dashId = "";
$allRepos = ConfService::getRepositoriesList("all", false);
foreach ($allRepos as $repositoryId => $repoObject) {
if ($repoObject->isTemplate) continue;
//if($repoObject->getAccessType() == "ajxp_user") $dashId = $repositoryId;
$gp = $repoObject->getGroupPath();
if (empty($gp) || $gp == "/") {
if ($repoObject->getDefaultRight() != "") {
$rootRole->setAcl($repositoryId, $repoObject->getDefaultRight());
}
}
}
//if(!empty($dashId)) $rootRole->setParameterValue("core.conf", "DEFAULT_START_REPOSITORY", $dashId);
$parameters = PluginsService::searchManifestsWithCache("//server_settings/param[@scope]", function ($paramNodes) {
$result = [];
/** @var \DOMElement $xmlNode */
foreach ($paramNodes as $xmlNode) {
$default = $xmlNode->getAttribute("default");
if (empty($default)) continue;
$parentNode = $xmlNode->parentNode->parentNode;
$pluginId = $parentNode->getAttribute("id");
if (empty($pluginId)) {
$pluginId = $parentNode->nodeName . "." . $parentNode->getAttribute("name");
}
$result[] = ["pluginId" => $pluginId, "name" => $xmlNode->getAttribute("name"), "default" => $default];
}
return $result;
});
foreach ($parameters as $parameter) {
$rootRole->setParameterValue($parameter["pluginId"], $parameter["name"], $parameter["default"]);
}
RolesService::updateRole($rootRole);
}
$miniRole = RolesService::getRole("MINISITE");
if ($miniRole === false) {
$rootRole = new AJXP_Role("MINISITE");
$rootRole->setLabel("Minisite Users");
$actions = array(
"access.fs" => array("ajxp_link", "chmod", "purge"),
"meta.watch" => array("toggle_watch"),
"conf.serial" => array("get_bookmarks"),
"conf.sql" => array("get_bookmarks"),
"index.lucene" => array("index"),
"action.share" => array("share", "share-edit-shared", "share-folder-workspace", "share-file-minisite", "share-selection-minisite", "share-folder-minisite-public"),
"gui.ajax" => array("bookmark"),
"auth.serial" => array("pass_change"),
"auth.sql" => array("pass_change"),
);
foreach ($actions as $pluginId => $acts) {
foreach ($acts as $act) {
$rootRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_SHARED, false);
}
}
RolesService::updateRole($rootRole);
}
$miniRole = RolesService::getRole("MINISITE_NODOWNLOAD");
if ($miniRole === false) {
$rootRole = new AJXP_Role("MINISITE_NODOWNLOAD");
$rootRole->setLabel("Minisite Users - No Download");
$actions = array(
"access.fs" => array("download", "download_chunk", "prepare_chunk_dl", "download_all")
);
foreach ($actions as $pluginId => $acts) {
foreach ($acts as $act) {
$rootRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_SHARED, false);
}
}
RolesService::updateRole($rootRole);
}
$miniRole = RolesService::getRole("GUEST");
if ($miniRole === false) {
$rootRole = new AJXP_Role("GUEST");
$rootRole->setLabel("Guest user role");
$actions = array(
"access.fs" => array("purge"),
"meta.watch" => array("toggle_watch"),
"index.lucene" => array("index"),
);
$rootRole->setAutoApplies(array("guest"));
foreach ($actions as $pluginId => $acts) {
foreach ($acts as $act) {
$rootRole->setActionState($pluginId, $act, AJXP_REPO_SCOPE_ALL);
}
}
RolesService::updateRole($rootRole);
}

// Legacy, should never happen
$adminCount = UsersService::countAdminUsers();
if ($adminCount == 0) {
$authDriver = ConfService::getAuthDriverImpl();
$adminPass = ADMIN_PASSWORD;
if (!$authDriver->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
$adminPass = md5(ADMIN_PASSWORD);
}
UsersService::createUser("admin", $adminPass, true);
if (ADMIN_PASSWORD == INITIAL_ADMIN_PASSWORD) {
$userObject = ConfService::getConfStorageImpl()->createUserObject("admin");
$userObject->setAdmin(true);
RolesService::updateAdminRights($userObject);
if (UsersService::changePasswordEnabled()) {
$userObject->setLock("pass_change");
}
$userObject->save("superuser");
AuthService::updateUser($userObject);
file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");
throw new PydioException("Warning! User 'admin' was created with the initial password '" . INITIAL_ADMIN_PASSWORD . "'. \\nPlease log in as admin and change the password now!");
}
} else if ($adminCount == -1) {
// Here we may come from a previous version! Check the "admin" user and set its right as admin.
$confStorage = ConfService::getConfStorageImpl();
$adminUser = $confStorage->createUserObject("admin");
$adminUser->setAdmin(true);
$adminUser->save("superuser");
file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");
throw new PydioException("There is an admin user, but without admin right. Now any user can have the administration rights, \\n your 'admin' user was set with the admin rights. Please check that this suits your security configuration.");
}
file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");

}
}
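Review bot: The exception thrown at the end of the `$adminCount == 0` branch embeds `INITIAL_ADMIN_PASSWORD` in its message, and an exception message travels further than the old `$START_PARAMETERS["ALERT"]` string did. AuthMiddleware rethrows it for most actions and the CLI and REST callers do not catch it, so the credential can end up in error responses and logs. The warning can state that the initial password is in use without printing it, e.g. `throw new PydioException("Warning! User 'admin' was created with the initial password. \\nPlease log in as admin and change the password now!");`. Separately, `md5(ADMIN_PASSWORD)` a few lines above is an unsalted fast hash; whether `password_hash()` can replace it depends on the auth driver code, which is outside this diff.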
