
A lot of work has been done on the authorization level support

1 parent ff7bb9c commit 062ffad712b0b20cab2a014a6fdf573439651e84 @hugowetterberg hugowetterberg committed Mar 31, 2009
Showing with 288 additions and 28 deletions.
  1. +122 −11 services_oauth.admin.inc
  2. +4 −0 services_oauth.css
  3. +19 −0 services_oauth.inc
  4. +15 −5 services_oauth.install
  5. +29 −1 services_oauth.module
  6. +99 −11 services_oauth.pages.inc
@@ -5,21 +5,55 @@ function _services_oauth_admin_authorization() {
$form = array();
$levels = services_oauth_authorization_levels();
- foreach ($levels as $key => $title) {
+ foreach ($levels as $name => $level) {
$set = array(
'#type' => 'fieldset',
- '#title' => $key . ' - ' . $title,
+ '#title' => $name . ' - ' . $level->title,
'#tree' => TRUE,
'title' => array(
'#type' => 'textfield',
- '#maxlength' => 255,
+ '#maxlength' => 100,
'#title' => t('Title'),
- '#value' => $title,
+ '#default_value' => $level->title,
+ ),
+ 'description' => array(
+ '#type' => 'textarea',
+ '#maxlength' => 255,
+ '#title' => t('Description'),
+ '#default_value' => $level->description,
+ ),
+ 'delete' => array(
+ '#type' => 'item',
+ '#value' => l('Delete', 'admin/build/services/authorization/' . $name . '/delete'),
),
);
- $form[$key] = $set;
+ $form[$name] = $set;
}
+ $form['add_level'] = array(
+ '#type' => 'fieldset',
+ '#tree' => TRUE,
+ '#title' => t('Add a authorization level'),
+ 'name' => array(
+ '#type' => 'textfield',
+ '#maxlength' => 32,
+ '#title' => t('Name'),
+ '#default_value' => '',
+ ),
+ 'title' => array(
+ '#type' => 'textfield',
+ '#maxlength' => 100,
+ '#title' => t('Title'),
+ '#default_value' => '',
+ ),
+ 'description' => array(
+ '#type' => 'textarea',
+ '#maxlength' => 255,
+ '#title' => t('Description'),
+ '#default_value' => '',
+ ),
+ );
+
$form['submit'] = array(
'#type' => 'submit',
'#value' => t('Save'),
@@ -28,30 +62,104 @@ function _services_oauth_admin_authorization() {
return $form;
}
+function _services_oauth_admin_authorization_submit($form, $form_state) {
+ $values = $form_state['values'];
+ $levels = services_oauth_authorization_levels();
+
+ // Update titles and descriptions
+ foreach ($levels as $name => $level) {
+ services_oauth_write_authorization_level($name, $values[$name]['title'], $values[$name]['description']);
+ }
+
+ // Add a authorization level if the name and title fields have been filled
+ $add = $values['add_level'];
+ if (!empty($add['name']) && !empty($add['title'])) {
+ services_oauth_write_authorization_level($add['name'], $add['title'], $add['description']);
+ }
+
+ // Clear the services cache so that methods are updated
+ cache_clear_all('services:', 'cache', TRUE);
+}
+
+function _services_oauth_admin_authorization_delete($form_state, $authorization) {
+ $levels = services_oauth_authorization_levels();
+
+ drupal_set_title(t('Deleting "!title"', array(
+ '!title' => $levels[$authorization]->title,
+ )));
+
+ $form = array(
+ 'authorization' => array(
+ '#type' => 'value',
+ '#value' => $authorization,
+ ),
+ );
+
+ $form['description'] = array(
+ '#type' => 'item',
+ '#value' => t('Are you sure that you want to delete the authorization level "!title" (!name). Operations that have been set to require this authorization level will be set to require full access. This could be a <em>very bad thing</em> on a production site, and <em>will</em> break applications that integrate with your site (if they have been granted this authorization level and depend on it). Only do this if you <em>really</em> know what you\'re doing.', array(
+ '!title' => $levels[$authorization]->title,
+ '!name' => $authorization,
+ )),
+ );
+
+ $form['confirm'] = array(
+ '#type' => 'checkbox',
+ '#title' => t('I\'ve really read and understood the above warning. Delete the authorization level please!'),
+ '#required' => TRUE,
+ );
+
+ $form['submit'] = array(
+ '#type' => 'submit',
+ '#value' => t('Delete'),
+ );
+
+ return $form;
+}
+
+function _services_oauth_admin_authorization_delete_submit($form, $form_state) {
+ $authorization = $form_state['values']['authorization'];
+ $levels = services_oauth_authorization_levels();
+ services_oauth_delete_authorization_level($authorization);
+ drupal_set_message(t('The authorization level "!title" has been deleted', array('!title' => $levels[$authorization]->title)));
+ drupal_goto('admin/build/services/authorization');
+}
+
function _services_oauth_admin_authentication() {
$form = array();
- $form['intro'] = array('#value' => '<p>' . t('You can change the lowest required OAuth authentication level for resources and methods here. This doesn\'t affect the access checks, so the security of your site <em>should</em> not be affected by changing the authentication requirements.') . '</p>');
+ drupal_add_css(drupal_get_path('module', 'services_oauth') . '/services_oauth.css');
+
+ $form['intro'] = array('#value' => '<p>' . t('You can change the lowest required OAuth authentication level and the authorization level for resources and methods here. This doesn\'t affect the access checks, so the security of your site <em>should</em> not be affected by changing the authentication requirements.') . '</p>');
$methods = services_get_all(FALSE);
$resources = services_get_all_resources(FALSE);
- $auth_levels = array_merge(array('*' => t('Full access')), services_oauth_authorization_levels());
+ $auth_levels = array('*' => t('Full access'));
+ foreach (services_oauth_authorization_levels() as $name => $level) {
+ $auth_levels[$name] = t($level->title);
+ }
foreach ($resources as $name => $resource) {
$ra = array($name => $resource);
$res_set = array(
'#type' => 'fieldset',
'#title' => t('!name resource', array('!name' => $name)),
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE,
);
$controllers = array();
services_process_resources($ra, $controllers);
foreach ($controllers as $path => $controller) {
+ list($res, $con) = preg_split('/\//', $path, 2);
$c = array(
'#type' => 'fieldset',
- '#title' => $path,
+ '#title' => $con,
'#collapsible' => TRUE,
'#collapsed' => TRUE,
'#tree' => TRUE,
+ '#attributes' => array(
+ 'class' => 'auth-authorization',
+ ),
);
$cred = $controller['#auth'] ? 'token' : ($controller['#key'] ? ($controller['#verify_key'] ? 'consumer' : 'unsigned_consumer') : 'none');
@@ -68,10 +176,10 @@ function _services_oauth_admin_authentication() {
);
$c['authorization'] = array(
- '#type' => 'checkboxes',
+ '#type' => 'radios',
'#title' => t('Required authorization'),
'#options' => $auth_levels,
- '#default_value' => $controller['#default_auth_level'] ? $controller['#default_auth_level'] : array('*'),
+ '#default_value' => $controller['#authorization level'],
);
$res_set[$path] = $c;
@@ -93,12 +201,15 @@ function _services_oauth_admin_authentication_submit($form, $form_state) {
$resources = services_get_all_resources(FALSE);
$controllers = array();
$authentication = array();
+ $authorization = array();
services_process_resources($resources, $controllers);
foreach ($controllers as $path => $controller) {
$authentication[$path] = $values[$path]['credentials'];
+ $authorization[$path] = $values[$path]['authorization'];
}
variable_set('services_oauth_authentication_levels', $authentication);
-
+ variable_set('services_oauth_authorization_settings', $authorization);
+
// Clear the services cache so that methods are updated
cache_clear_all('services:', 'cache', TRUE);
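Review bot: Level titles read from the database are rendered without escaping in several places in this file: the fieldset `#title` built as `$name . ' - ' . $level->title` in the first hunk, the `!title` placeholders passed to `drupal_set_title()`, `t()` and `drupal_set_message()` in the delete form, and the radio `#options` built with `t($level->title)`. Drupal 6's theme_fieldset() and theme_radio() output `#title` as-is and `!`-placeholders are inserted raw, so any markup saved through the title field by an 'administer services' user is echoed back as HTML; use `@title` placeholders, wrap the legend and option labels in `check_plain($level->title)`, and drop the `t()` around the variable since a non-literal argument cannot be extracted for translation anyway. In `_services_oauth_admin_authorization_delete` the `$authorization` argument comes straight from the menu wildcard, so the first `$levels[$authorization]->title` should be preceded by `if (!isset($levels[$authorization])) { drupal_not_found(); exit; }`. The first hunk's enclosing function `_services_oauth_admin_authorization` begins before the hunk.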
@@ -0,0 +1,4 @@
+.auth-authorization > .fieldset-wrapper > .form-item {
+ float: left;
+ margin-right: 20px;
+}
@@ -23,6 +23,10 @@ function _services_oauth_authenticate_call($method, $args) {
throw new OAuthException('Missing access token');
}
+ if (!in_array($method['#authorization level'], $token->services)) {
+ throw new OAuthException('The consumer is not authorized to access this service');
+ }
+
if ($token->uid) {
global $user;
$user = user_load($token->uid);
@@ -43,6 +47,8 @@ function _services_oauth_security_settings_submit() {
function _services_oauth_alter_methods(&$methods) {
$auth = variable_get('services_oauth_authentication_levels', array());
+ $authorization = variable_get('services_oauth_authorization_settings', array());
+ $autho_levels = services_oauth_authorization_levels();
foreach ($methods as $key => &$method) {
if (!isset($method[$key]['#auth'])) {
@@ -57,6 +63,19 @@ function _services_oauth_alter_methods(&$methods) {
$method['#verify_key'] = TRUE;
}
+ // Apply custom authorization level settings
+ if (isset($authorization[$key])) {
+ if (isset($autho_levels[$authorization[$key]])) {
+ $method['#authorization level'] = $authorization[$key];
+ }
+ else {
+ $method['#authorization level'] = '*';
+ }
+ }
+ if (!isset($method['#authorization level'])) {
+ $method['#authorization level'] = '*';
+ }
+
// Check if we got custom settings for the method's authentication
if (isset($auth[$key])) {
switch ($auth[$key]) {
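Review bot: The new check `in_array($method['#authorization level'], $token->services)` in the first hunk uses loose comparison and assumes `$token->services` is an array; under PHP 5 comparison rules a non-string entry such as integer `0` compares equal to any non-numeric string, and a NULL or scalar `services` value makes `in_array()` emit a warning and return NULL. Make the test strict and type-guarded: `if (!is_array($token->services) || !in_array($method['#authorization level'], $token->services, TRUE)) {`. The `'*'` fallback added to `_services_oauth_alter_methods` in the third hunk presumably relies on tokens carrying a literal `'*'` entry when full access was granted — worth confirming against the code that populates `services`, which is outside this diff. `_services_oauth_authenticate_call` begins before the first hunk and continues after it.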
@@ -3,13 +3,17 @@
function services_oauth_install() {
drupal_install_schema('services_oauth');
-
+
// Create default authorization levels
$insert = "INSERT INTO {services_oauth_authorization_levels}(name, title) VALUES('%s','%s')";
- db_query($insert, array(':name' => 'read', ':title' => 'Read access'));
- db_query($insert, array(':name' => 'update', ':title' => 'Update access'));
- db_query($insert, array(':name' => 'create', ':title' => 'Create access'));
- db_query($insert, array(':name' => 'delete', ':title' => 'Delete access'));
+ db_query($insert, array(':name' => 'read', ':title' => 'Read access',
+ ':description' => 'This will allow !appname to fetch content that you have access to on !sitename.'));
+ db_query($insert, array(':name' => 'update', ':title' => 'Update access',
+ ':description' => 'This will allow !appname to update content that you have permissions to edit.'));
+ db_query($insert, array(':name' => 'create', ':title' => 'Create access',
+ ':description' => 'This will allow !appname to create new content on !sitename.'));
+ db_query($insert, array(':name' => 'delete', ':title' => 'Delete access',
+ ':description' => 'This will allow !appname to delete content from !sitename.'));
}
function services_oauth_uninstall() {
@@ -31,6 +35,12 @@ function services_oauth_schema() {
'title' => array(
'description' => t('The localizable title of the authorization level.'),
'type' => 'varchar',
+ 'length' => 100,
+ 'not null' => TRUE,
+ ),
+ 'description' => array(
+ 'description' => t('The localizable description of the authorization level.'),
+ 'type' => 'varchar',
'length' => 255,
'not null' => TRUE,
),
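Review bot: The `$insert` statement in the first hunk still names only `(name, title)` with two `%s` placeholders, yet every `db_query()` call below it now passes a third `:description` value; Drupal 6 binds query arguments positionally (the array keys are ignored), so the description is silently dropped and, because the schema hunk declares `description` as `not null` with no default, the INSERT may fail or store an empty string depending on the database. Change the statement to `$insert = "INSERT INTO {services_oauth_authorization_levels}(name, title, description) VALUES('%s','%s','%s')";`. The schema hunk also adds the `description` column and shrinks `title` to 100 characters without a matching `services_oauth_update_N()` anywhere in this commit (the diffstat shows the .install file gaining only these 15 lines), so sites that already ran the installer will not receive the new column.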
@@ -99,6 +99,15 @@ function services_oauth_menu() {
'type' => MENU_LOCAL_TASK,
);
+ $menu['admin/build/services/authorization/%/delete'] = array(
+ 'title' => 'Delete authorization level',
+ 'page callback' => 'drupal_get_form',
+ 'page arguments' => array('_services_oauth_admin_authorization_delete', 4),
+ 'access arguments' => array('administer services'),
+ 'file' => 'services_oauth.admin.inc',
+ 'type' => MENU_LOCAL_TASK,
+ );
+
return $menu;
}
@@ -108,7 +117,7 @@ function services_oauth_authorization_levels() {
$levels = array();
$res = db_query("SELECT * FROM {services_oauth_authorization_levels}");
while ($level = db_fetch_object($res)) {
- $levels[$level->name] = $level->title;
+ $levels[$level->name] = $level;
}
}
return $levels;
@@ -122,6 +131,25 @@ function _services_oauth_always_true() {
return TRUE;
}
+function services_oauth_write_authorization_level($name, $title, $description) {
+ $levels = services_oauth_authorization_levels();
+ $update = NULL;
+ if (isset($levels[$name])) {
+ $update = array('name');
+ }
+ drupal_write_record('services_oauth_authorization_levels', $values = array(
+ 'name' => $name,
+ 'title' => $title,
+ 'description' => $description,
+ ), $update);
+}
+
+function services_oauth_delete_authorization_level($name) {
+ db_query("DELETE FROM {services_oauth_authorization_levels} WHERE name='%s'", array(
+ ':name' => $name,
+ ));
+}
+
/**
* Implementation of hook_xrds().
*/
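Review bot: `drupal_write_record()` takes its record argument by reference, but `services_oauth_write_authorization_level` in the third hunk passes the assignment expression `$values = array(...)` inline, which PHP accepts only with an "Only variables should be passed by reference" notice; build `$record = array('name' => $name, 'title' => $title, 'description' => $description);` first and pass `$record`. Nothing in this function or in the admin form constrains the level name: the authentication page seeds its options with `'*'` for full access and then overwrites `$auth_levels[$name]` from this table, so a level named `*` would shadow that entry, and the name is also used as a menu path component and array key; a `_services_oauth_admin_authorization_validate()` that requires something like `preg_match('/^[a-z0-9_]{1,32}$/', $add['name'])` before the write would close this. `services_oauth_delete_authorization_level` removes the row but leaves `services_oauth_authorization_settings` entries pointing at the deleted name; `_services_oauth_alter_methods` maps them to `'*'` at runtime, which matches the delete form's warning, but cleaning the variable in the same call would avoid relying on that fallback.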