Extend authorization framework to cover login and API use

I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover Web login and API use. This will make it possible to prevent login and API use by users. I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using Profile::hasRight() when initializing users. If the rights check fails, I throw an exception. I created a new AuthorizationException class for this particular exception, in order to allow a different UI for these kinds of exceptions (or whatever).
2011-02-21 10:20:42 -05:00 · 2011-02-21 10:20:42 -05:00 · 1525acdca1
commit 1525acdca1
parent 6a1b0e2375
5 changed files with 81 additions and 2 deletions
--- a/classes/Profile.php
+++ b/classes/Profile.php
@ -865,6 +865,12 @@ class Profile extends Memcached_DataObject
            case Right::EMAILONFAVE:
                $result = !$this->isSandboxed();
                break;
+            case Right::WEBLOGIN:
+                $result = !$this->isSilenced();
+                break;
+            case Right::API:
+                $result = !$this->isSilenced();
+                break;
            case Right::BACKUPACCOUNT:
                $result = common_config('profile', 'backup');
                break;
--- a/lib/apiauth.php
+++ b/lib/apiauth.php
@ -196,7 +196,13 @@ class ApiAuthAction extends ApiAction

                    // Set the auth user
                    if (Event::handle('StartSetApiUser', array(&$user))) {
-                        $this->auth_user = User::staticGet('id', $appUser->profile_id);
+                        $user = User::staticGet('id', $appUser->profile_id);
+                        if (!empty($user)) {
+                            if (!$user->hasRight(Right::API)) {
+                                throw new AuthorizationException(_('Not allowed to use API.'));
+                            }
+                        }
+                        $this->auth_user = $user;
                        Event::handle('EndSetApiUser', array($user));
                    }

@ -274,6 +280,9 @@ class ApiAuthAction extends ApiAction
            if (Event::handle('StartSetApiUser', array(&$user))) {

                if (!empty($user)) {
+                    if (!$user->hasRight(Right::API)) {
+                        throw new AuthorizationException(_('Not allowed to use API.'));
+                    }
                    $this->auth_user = $user;
                }

--- a/lib/authorizationexception.php
+++ b/lib/authorizationexception.php
@ -0,0 +1,59 @@
+<?php
+/**
+ * StatusNet - the distributed open-source microblogging tool
+ * Copyright (C) 2011, StatusNet, Inc.
+ *
+ * An exception for authorization errors
+ * 
+ * PHP version 5
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @category  Exception
+ * @package   StatusNet
+ * @author    Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet, Inc.
+ * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
+ * @link      http://status.net/
+ */
+
+if (!defined('STATUSNET')) {
+    // This check helps protect against security problems;
+    // your code file can't be executed directly from the web.
+    exit(1);
+}
+
+/**
+ * An exception for authorization issues
+ *
+ * @category  Exception
+ * @package   StatusNet
+ * @author    Evan Prodromou <evan@status.net>
+ * @copyright 2011 StatusNet, Inc.
+ * @license   http://www.fsf.org/licensing/licenses/agpl-3.0.html AGPL 3.0
+ * @link      http://status.net/
+ */
+
+class AuthorizationException extends ClientException
+{
+    /**
+     * Constructor
+     *
+     * @param string $message Message for the exception
+     */
+    public function __construct($message=null)
+    {
+        parent::__construct($message, 403);
+    }
+}
--- a/lib/right.php
+++ b/lib/right.php
@ -66,5 +66,7 @@ class Right
    const DELETEACCOUNT      = 'deleteaccount';
    const MOVEACCOUNT        = 'moveaccount';
    const CREATEGROUP        = 'creategroup';
+    const WEBLOGIN           = 'weblogin';
+    const API                = 'api';
 }

--- a/lib/util.php
+++ b/lib/util.php
@ -300,7 +300,10 @@ function common_set_user($user)

    if ($user) {
        if (Event::handle('StartSetUser', array(&$user))) {
-            if($user){
+            if (!empty($user)) {
+                if (!$user->hasRight(Right::WEBLOGIN)) {
+                    throw new AuthorizationException(_('Not allowed to log in.'));
+                }
                common_ensure_session();
                $_SESSION['userid'] = $user->id;
                $_cur = $user;