diff --git a/common/auth/mapping-rule.go b/common/auth/mapping-rule.go
index 8a465ed357..04dceda4ef 100644
--- a/common/auth/mapping-rule.go
+++ b/common/auth/mapping-rule.go
@@ -80,9 +80,7 @@ func (m MappingRule) RemoveLdapEscape(strs []string) []string {
 	str := []string{}
 	for _, s := range strs {
 		replacer := strings.NewReplacer(`\=`, "=", `\+`, "=", `\<`, "<", `\>`, ">", `\#`, "#", `\;`, ";")
-		replacer2 := strings.NewReplacer(`\,`, "[U0001]")
-		replacer3 := strings.NewReplacer("[U0001]", `\,`, ",", `\,`)
-		str = append(str, replacer3.Replace(replacer2.Replace(replacer.Replace(s))))
+		str = append(str, replacer.Replace(s))
 	}
 	return str
 }
diff --git a/common/utils/idm.go b/common/utils/idm.go
index 0e32ca1b44..70c515833b 100644
--- a/common/utils/idm.go
+++ b/common/utils/idm.go
@@ -310,7 +310,7 @@ func FindUserNameInContext(ctx context.Context) (string, claim.Claims) {
 	var userName string
 	var claims claim.Claims
 	if ctx.Value(claim.ContextKey) != nil {
-		claims := ctx.Value(claim.ContextKey).(claim.Claims)
+		claims = ctx.Value(claim.ContextKey).(claim.Claims)
 		userName = claims.Name
 	} else if ctx.Value(common.PYDIO_CONTEXT_USER_KEY) != nil {
 		userName = ctx.Value(common.PYDIO_CONTEXT_USER_KEY).(string)
diff --git a/idm/policy/defaults.go b/idm/policy/defaults.go
index b9bbebf283..5be45aaa4e 100644
--- a/idm/policy/defaults.go
+++ b/idm/policy/defaults.go
@@ -160,6 +160,16 @@ var (
 				Actions: []string{"GET", "POST", "DELETE", "PUT", "PATCH"},
 				Effect: ladon.AllowAccess,
 			}),
+			LadonToProtoPolicy(&ladon.DefaultPolicy{
+				ID: "shares-default-policy",
+				Description: "PolicyGroup.LoggedUsers.Rule3",
+				Subjects: []string{"profile:standard", "profile:shared"},
+				Resources: []string{
+					"rest:/docstore/share/<.+>",
+				},
+				Actions: []string{"GET", "PUT"},
+				Effect: ladon.AllowAccess,
+			}),
 		},
 	},
diff --git a/idm/policy/grpc/plugins.go b/idm/policy/grpc/plugins.go
index 22841e1981..21f4fa606e 100644
--- a/idm/policy/grpc/plugins.go
+++ b/idm/policy/grpc/plugins.go
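Review bot: The replacer that survives on the context line of RemoveLdapEscape maps the LDAP escape `\+` to `"="` rather than `"+"`, so an escaped plus in a DN component is silently turned into an equals sign; the pair should read `\+` → `"+"`. With replacer2/replacer3 gone, nothing in this function escapes bare commas any more, so any caller that previously relied on the output being comma-safe now gets raw `,` back — presumably intended given the function's name, but worth stating in a comment such as `// RemoveLdapEscape strips RFC 4514 DN escapes; the result is NOT re-escaped and must not be fed back into a DN or filter.` Note also that `\\` and `\"`, which RFC 4514 lists among the escaped DN characters, are never unescaped by this table.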
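Review bot: Both type assertions in FindUserNameInContext are unchecked — `ctx.Value(claim.ContextKey).(claim.Claims)` and `ctx.Value(common.PYDIO_CONTEXT_USER_KEY).(string)` — so a context value of an unexpected type panics inside a helper that this same commit starts using for an authorization decision (the PutUser profile check); prefer the comma-ok form, e.g. `if c, ok := ctx.Value(claim.ContextKey).(claim.Claims); ok { claims = c; userName = c.Name }`. The `:=` → `=` change itself is correct: the shadowed local meant the returned claims were always the zero value in this branch. The body of FindUserNameInContext continues past the end of the hunk.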
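Review bot: The new policy grants every `profile:standard` and `profile:shared` subject `PUT` on `rest:/docstore/share/<.+>`, i.e. on any share document whose ID they can name, while the description key is translated in this same commit as an access for incrementing share download counts. Whether the docstore REST handler enforces ownership of the document is not visible here; if it does not, a shared-profile user could overwrite another user's share record with this policy in place, so consider narrowing the action or resource to what the counter needs. The same literal is duplicated in Upgrade103 in idm/policy/grpc/plugins.go; a comment such as `// Allows standard/shared users to update share docstore entries (download counters); keep in sync with Upgrade103 in idm/policy/grpc/plugins.go` would help keep the two copies from drifting.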
@@ -29,6 +29,7 @@ import (
 	"github.com/micro/go-micro"
 	"go.uber.org/zap"
+	"github.com/ory/ladon"
 	"github.com/pydio/cells/common"
 	"github.com/pydio/cells/common/config"
 	"github.com/pydio/cells/common/log"
@@ -53,6 +54,10 @@ func init() {
 			TargetVersion: service.ValidVersion("1.0.1"),
 			Up: Upgrade101,
 		},
+		{
+			TargetVersion: service.ValidVersion("1.0.3"),
+			Up: Upgrade103,
+		},
 	}),
 	service.WithMicro(func(m micro.Service) error {
 		handler := new(Handler)
@@ -132,3 +137,32 @@ func Upgrade101(ctx context.Context) error {
 	}
 	return nil
 }
+
+func Upgrade103(ctx context.Context) error {
+	dao := servicecontext.GetDAO(ctx).(policy.DAO)
+	if dao == nil {
+		return fmt.Errorf("cannot find DAO for policies initialization")
+	}
+	groups, e := dao.ListPolicyGroups(ctx)
+	if e != nil {
+		return e
+	}
+	for _, group := range groups {
+		if group.Uuid == "rest-apis-default-accesses" {
+			group.Policies = append(group.Policies, policy.LadonToProtoPolicy(&ladon.DefaultPolicy{
+				ID: "shares-default-policy",
+				Description: "PolicyGroup.LoggedUsers.Rule3",
+				Subjects: []string{"profile:standard", "profile:shared"},
+				Resources: []string{"rest:/docstore/share/<.+>"},
+				Actions: []string{"GET", "PUT"},
+				Effect: ladon.AllowAccess,
+			}))
+			if _, er := dao.StorePolicyGroup(ctx, group); er != nil {
+				log.Logger(ctx).Error("Could not update policy group "+group.Uuid, zap.Error(er))
+			} else {
+				log.Logger(ctx).Info("Updating policy group " + group.Uuid)
+			}
+		}
+	}
+	return nil
+}
diff --git a/idm/policy/lang/box/en-us.all.json b/idm/policy/lang/box/en-us.all.json
index 3303c4ce2e..87109f7f4d 100644
--- a/idm/policy/lang/box/en-us.all.json
+++ b/idm/policy/lang/box/en-us.all.json
@@ -48,7 +48,7 @@
     "other": "Default REST accesses for a logged user"
   },
   "PolicyGroup.LoggedUsers.Rule3": {
-    "other": "Default REST accesses for a logged user"
+    "other": "REST accesses for incrementing shares downloads"
   },
   "PolicyGroup.OIDC.Title": {
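Review bot: In Upgrade103, `dao := servicecontext.GetDAO(ctx).(policy.DAO)` is an unchecked assertion, so if GetDAO returns a nil interface or a different DAO type the migration panics before the `if dao == nil` guard can return its error; write `dao, ok := servicecontext.GetDAO(ctx).(policy.DAO)` and guard with `if !ok || dao == nil {`. The migration is also not idempotent: each run appends another `shares-default-policy` to the `rest-apis-default-accesses` group, so it should scan group.Policies for that ID and skip the append when it is already present. A StorePolicyGroup failure is only logged and the function still returns nil, which presumably marks 1.0.3 as applied without the policy having been stored — if that is deliberate best-effort behaviour it deserves a comment, otherwise return the error.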
diff --git a/idm/policy/lang/box/fr-fr.all.json b/idm/policy/lang/box/fr-fr.all.json
index 8562a3bc1f..1fc20edbc6 100644
--- a/idm/policy/lang/box/fr-fr.all.json
+++ b/idm/policy/lang/box/fr-fr.all.json
@@ -48,7 +48,7 @@
     "other": "Accès par défaut pour les utilisateurs loggés"
   },
   "PolicyGroup.LoggedUsers.Rule3": {
-    "other": "Désactivation de l'accès pour /policy"
+    "other": "Accès pour incrémenter les téléchargements des liens partagés"
   },
   "PolicyGroup.OIDC.Title": {
diff --git a/idm/user/rest/rest.go b/idm/user/rest/rest.go
index acf7113410..9c959b98ed 100644
--- a/idm/user/rest/rest.go
+++ b/idm/user/rest/rest.go
@@ -43,6 +43,13 @@ import (
 	"github.com/pydio/cells/common/utils"
 )
+var profilesLevel = map[string]int{
+	common.PYDIO_PROFILE_ANON: 0,
+	common.PYDIO_PROFILE_SHARED: 1,
+	common.PYDIO_PROFILE_STANDARD: 2,
+	common.PYDIO_PROFILE_ADMIN: 3,
+}
+
 type UserHandler struct {
 	resources.ResourceProviderHandler
 }
@@ -288,6 +295,15 @@ func (s *UserHandler) PutUser(req *restful.Request, rsp *restful.Response) {
 		}
 	}
+	// Check profile is not higher than current user profile
+	if !inputUser.IsGroup {
+		_, ctxClaims := utils.FindUserNameInContext(ctx)
+		if profilesLevel[inputUser.Attributes["profile"]] > profilesLevel[ctxClaims.Profile] {
+			service.RestError403(req, rsp, fmt.Errorf("you are not allowed to set a profile (%s) higher than your current profile (%s)", inputUser.Attributes["profile"], ctxClaims.Profile))
+			return
+		}
+	}
+
 	response, er := cli.CreateUser(ctx, &idm.CreateUserRequest{
 		User: &inputUser,
 	})
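Review bot: `profilesLevel` carries no doc comment even though it is the sole input to the new authorization check in PutUser, and because it is indexed without the comma-ok form any profile name absent from the map ranks as 0, the same level as anon. Add `// profilesLevel orders user profiles from least to most privileged; PutUser uses it to refuse granting a profile above the caller's. Lookups of unknown profile names yield 0, so callers must decide whether an unknown name is acceptable.`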
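Review bot: The comparison indexes `profilesLevel` directly, so a target profile string that is not in the map (a typo, or a profile added later) evaluates to 0 and passes the check regardless of the caller's level; a comma-ok lookup makes the check fail closed: `targetLevel, knownTarget := profilesLevel[inputUser.Attributes["profile"]]`, `callerLevel, knownCaller := profilesLevel[ctxClaims.Profile]`, `if !knownTarget || !knownCaller || targetLevel > callerLevel {` (if an absent profile attribute is legitimate on create, map `""` to the anon level explicitly rather than rejecting it). The check only looks at the profile being requested, so nothing visible here stops a lower-profile caller from overwriting a higher-profile existing user with a lower profile — if the part of PutUser outside this hunk does not already compare against the stored user, it should. `ctxClaims.Profile` is empty when FindUserNameInContext takes the PYDIO_CONTEXT_USER_KEY branch (see its hunk in this commit), which here means such callers can only set profiles that rank 0 — acceptable, but worth a comment since it is not obvious. PutUser starts and ends outside the hunk.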