openinfra
/
openstackid-resources
Code Issues Proposed changes

Security Fix 

added user auth per group to sensitive endpoints
like add event, publish event, add video, updated video and so.

Change-Id: If13bb25702e15ebad40cbad3afbc4b3e9e619f67
This commit is contained in:
Sebastian Marcet 2016-10-27 20:35:05 -03:00
parent 34e9a0004c
commit dd9318a29b
4 changed files with 84 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/Http/Kernel.php
View File

@ -53,5 +53,6 @@ class Kernel extends HttpKernel
'etags' => \App\Http\Middleware\ETagsMiddleware::class,
'cache' => \App\Http\Middleware\CacheMiddleware::class,
'ssl' => \App\Http\Middleware\SSLMiddleware::class,
'auth.user' => \App\Http\Middleware\UserAuthEndpoint::class,
];
}

73
app/Http/Middleware/UserAuthEndpoint.php Normal file
View File

@ -0,0 +1,73 @@
<?php namespace App\Http\Middleware;
/**
* Copyright 2016 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
use Closure;
use Illuminate\Support\Facades\Response;
use models\main\IMemberRepository;
use models\oauth2\IResourceServerContext;
/**
* Class UserAuthEndpoint
* @package App\Http\Middleware
*/
final class UserAuthEndpoint
{
/**
* @var IResourceServerContext
*/
private $context;
/**
* @var IMemberRepository
*/
private $member_repository;
public function __construct
(
IResourceServerContext $context,
IMemberRepository $member_repository
)
{
$this->context = $context;
$this->member_repository = $member_repository;
}
public function handle($request, Closure $next, $required_groups)
{
$user_id = $this->context->getCurrentUserId();
if (is_null($user_id)) return $next($request);
$member = $this->member_repository->getById($user_id);
if (is_null($member)){
$http_response = Response::json(['error' => 'member not found'], 403);
return $http_response;
}
$groups = $member->getGroups();
$required_groups = explode('|', $required_groups);
foreach ($required_groups as $required_group) {
foreach ($groups as $member_group){
if ($required_group == $member_group->getCode()) {
return $next($request);
}
}
}
$http_response = Response::json(['error' => 'unauthorized member'], 403);
return $http_response;
}
}

16
app/Http/routes.php
View File

@ -95,15 +95,15 @@ Route::group(array(
Route::get('', 'OAuth2SummitEventsApiController@getEvents');
Route::get('/published', 'OAuth2SummitEventsApiController@getScheduledEvents');
Route::post('', 'OAuth2SummitEventsApiController@addEvent');
Route::post('', [ 'middleware' => 'auth.user:administrators', 'uses' => 'OAuth2SummitEventsApiController@addEvent']);
Route::group(array('prefix' => '{event_id}'), function () {
Route::get('', 'OAuth2SummitEventsApiController@getEvent');
Route::get('/published', 'OAuth2SummitEventsApiController@getScheduledEvent');
Route::put('', 'OAuth2SummitEventsApiController@updateEvent');
Route::delete('', 'OAuth2SummitEventsApiController@deleteEvent');
Route::put('/publish', 'OAuth2SummitEventsApiController@publishEvent');
Route::delete('/publish', 'OAuth2SummitEventsApiController@unPublishEvent');
Route::put('', [ 'middleware' => 'auth.user:administrators', 'uses' => 'OAuth2SummitEventsApiController@updateEvent' ]);
Route::delete('', [ 'middleware' => 'auth.user:administrators', 'uses' => 'OAuth2SummitEventsApiController@deleteEvent' ]);
Route::put('/publish', [ 'middleware' => 'auth.user:administrators', 'uses' => 'OAuth2SummitEventsApiController@publishEvent']);
Route::delete('/publish', [ 'middleware' => 'auth.user:administrators', 'uses' => 'OAuth2SummitEventsApiController@unPublishEvent']);
Route::post('/feedback', 'OAuth2SummitEventsApiController@addEventFeedback');
Route::get('/feedback/{attendee_id?}', 'OAuth2SummitEventsApiController@getEventFeedback')->where('attendee_id', 'me|[0-9]+');
});
@ -116,10 +116,10 @@ Route::group(array(
Route::group(array('prefix' => 'videos'), function () {
Route::get('', 'OAuth2PresentationApiController@getPresentationVideos');
Route::get('{video_id}', 'OAuth2PresentationApiController@getPresentationVideo');
Route::post('', 'OAuth2PresentationApiController@addVideo');
Route::post('', [ 'middleware' => 'auth.user:administrators|video-admins', 'uses' => 'OAuth2PresentationApiController@addVideo' ]);
Route::group(array('prefix' => '{video_id}'), function () {
Route::put('', 'OAuth2PresentationApiController@updateVideo');
Route::delete('', 'OAuth2PresentationApiController@deleteVideo');
Route::put('', [ 'middleware' => 'auth.user:administrators|video-admins', 'uses' => 'OAuth2PresentationApiController@updateVideo' ]);
Route::delete('', [ 'middleware' => 'auth.user:administrators|video-admins', 'uses' => 'OAuth2PresentationApiController@deleteVideo' ]);
});
});
});

3
app/Models/Foundation/Main/Member.php
View File

@ -28,7 +28,7 @@ use Doctrine\ORM\Mapping AS ORM;
class Member extends SilverstripeBaseModel
{
/**
* @return mixed
* @return Group[]
*/
public function getGroups()
{
@ -55,6 +55,7 @@ class Member extends SilverstripeBaseModel
* joinColumns={@ORM\JoinColumn(name="MemberID", referencedColumnName="ID")},
* inverseJoinColumns={@ORM\JoinColumn(name="GroupID", referencedColumnName="ID")}
* )
* @var Group[]
*/
private $groups;