Merge branch 'master' into stable

pydio · Aug 3, 2018 · 9456245 · 9456245
2 parents 3cff862 + 86321ec
commit 9456245
Show file tree

Hide file tree

Showing 7 changed files with 64 additions and 6 deletions.
diff --git a/common/auth/mapping-rule.go b/common/auth/mapping-rule.go
@@ -80,9 +80,7 @@ func (m MappingRule) RemoveLdapEscape(strs []string) []string {
 		str := []string{}
 		for _, s := range strs {
 			replacer := strings.NewReplacer(`\=`, "=", `\+`, "=", `\<`, "<", `\>`, ">", `\#`, "#", `\;`, ";")
-			replacer2 := strings.NewReplacer(`\,`, "[U0001]")
-			replacer3 := strings.NewReplacer("[U0001]", `\,`, ",", `\,`)
-			str = append(str, replacer3.Replace(replacer2.Replace(replacer.Replace(s))))
+			str = append(str, replacer.Replace(s))
 		}
 		return str
 	}

diff --git a/common/utils/idm.go b/common/utils/idm.go
@@ -310,7 +310,7 @@ func FindUserNameInContext(ctx context.Context) (string, claim.Claims) {
 	var userName string
 	var claims claim.Claims
 	if ctx.Value(claim.ContextKey) != nil {
-		claims := ctx.Value(claim.ContextKey).(claim.Claims)
+		claims = ctx.Value(claim.ContextKey).(claim.Claims)
 		userName = claims.Name
 	} else if ctx.Value(common.PYDIO_CONTEXT_USER_KEY) != nil {
 		userName = ctx.Value(common.PYDIO_CONTEXT_USER_KEY).(string)

diff --git a/idm/policy/defaults.go b/idm/policy/defaults.go
@@ -160,6 +160,16 @@ var (
 					Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"},
 					Effect:  ladon.AllowAccess,
 				}),
+				LadonToProtoPolicy(&ladon.DefaultPolicy{
+					ID:          "shares-default-policy",
+					Description: "PolicyGroup.LoggedUsers.Rule3",
+					Subjects:    []string{"profile:standard", "profile:shared"},
+					Resources: []string{
+						"rest:/docstore/share/<.+>",
+					},
+					Actions: []string{"GET", "PUT"},
+					Effect:  ladon.AllowAccess,
+				}),
 			},
 		},
 

diff --git a/idm/policy/grpc/plugins.go b/idm/policy/grpc/plugins.go
@@ -29,6 +29,7 @@ import (
 	"github.com/micro/go-micro"
 	"go.uber.org/zap"
 
+	"github.com/ory/ladon"
 	"github.com/pydio/cells/common"
 	"github.com/pydio/cells/common/config"
 	"github.com/pydio/cells/common/log"
@@ -53,6 +54,10 @@ func init() {
 				TargetVersion: service.ValidVersion("1.0.1"),
 				Up:            Upgrade101,
 			},
+			{
+				TargetVersion: service.ValidVersion("1.0.3"),
+				Up:            Upgrade103,
+			},
 		}),
 		service.WithMicro(func(m micro.Service) error {
 			handler := new(Handler)
@@ -132,3 +137,32 @@ func Upgrade101(ctx context.Context) error {
 	}
 	return nil
 }
+
+func Upgrade103(ctx context.Context) error {
+	dao := servicecontext.GetDAO(ctx).(policy.DAO)
+	if dao == nil {
+		return fmt.Errorf("cannot find DAO for policies initialization")
+	}
+	groups, e := dao.ListPolicyGroups(ctx)
+	if e != nil {
+		return e
+	}
+	for _, group := range groups {
+		if group.Uuid == "rest-apis-default-accesses" {
+			group.Policies = append(group.Policies, policy.LadonToProtoPolicy(&ladon.DefaultPolicy{
+				ID:          "shares-default-policy",
+				Description: "PolicyGroup.LoggedUsers.Rule3",
+				Subjects:    []string{"profile:standard", "profile:shared"},
+				Resources:   []string{"rest:/docstore/share/<.+>"},
+				Actions:     []string{"GET", "PUT"},
+				Effect:      ladon.AllowAccess,
+			}))
+			if _, er := dao.StorePolicyGroup(ctx, group); er != nil {
+				log.Logger(ctx).Error("Could not update policy group "+group.Uuid, zap.Error(er))
+			} else {
+				log.Logger(ctx).Info("Updating policy group " + group.Uuid)
+			}
+		}
+	}
+	return nil
+}
diff --git a/idm/policy/lang/box/en-us.all.json b/idm/policy/lang/box/en-us.all.json
@@ -48,7 +48,7 @@
     "other": "Default REST accesses for a logged user"
   },
   "PolicyGroup.LoggedUsers.Rule3": {
-    "other": "Default REST accesses for a logged user"
+    "other": "REST accesses for incrementing shares downloads"
   },
 
   "PolicyGroup.OIDC.Title": {

diff --git a/idm/policy/lang/box/fr-fr.all.json b/idm/policy/lang/box/fr-fr.all.json
@@ -48,7 +48,7 @@
     "other": "Accès par défaut pour les utilisateurs loggés"
   },
   "PolicyGroup.LoggedUsers.Rule3": {
-    "other": "Désactivation de l'accès pour /policy"
+    "other": "Accès pour incrémenter les téléchargements des liens partagés"
   },
 
   "PolicyGroup.OIDC.Title": {

diff --git a/idm/user/rest/rest.go b/idm/user/rest/rest.go
@@ -43,6 +43,13 @@ import (
 	"github.com/pydio/cells/common/utils"
 )
 
+var profilesLevel = map[string]int{
+	common.PYDIO_PROFILE_ANON:     0,
+	common.PYDIO_PROFILE_SHARED:   1,
+	common.PYDIO_PROFILE_STANDARD: 2,
+	common.PYDIO_PROFILE_ADMIN:    3,
+}
+
 type UserHandler struct {
 	resources.ResourceProviderHandler
 }
@@ -288,6 +295,15 @@ func (s *UserHandler) PutUser(req *restful.Request, rsp *restful.Response) {
 		}
 	}
 
+	// Check profile is not higher than current user profile
+	if !inputUser.IsGroup {
+		_, ctxClaims := utils.FindUserNameInContext(ctx)
+		if profilesLevel[inputUser.Attributes["profile"]] > profilesLevel[ctxClaims.Profile] {
+			service.RestError403(req, rsp, fmt.Errorf("you are not allowed to set a profile (%s) higher than your current profile (%s)", inputUser.Attributes["profile"], ctxClaims.Profile))
+			return
+		}
+	}
+
 	response, er := cli.CreateUser(ctx, &idm.CreateUserRequest{
 		User: &inputUser,
 	})