From 31581ae65df05ea64031ac24c8b8f817414f1379 Mon Sep 17 00:00:00 2001 From: Frederic Massart Date: Mon, 4 Feb 2013 14:58:46 +0800 Subject: [PATCH] MDL-36426 repository: Prevent login_as() users to access private repositories --- lang/en/repository.php | 2 +- repository/coursefiles/lib.php | 9 ++++ repository/equella/lib.php | 9 ++++ repository/filesystem/lib.php | 9 ++++ repository/flickr_public/lib.php | 9 ++++ repository/lib.php | 90 ++++++++++++++++++++++++++++---- repository/local/lib.php | 9 ++++ repository/merlot/lib.php | 9 ++++ repository/recent/lib.php | 9 ++++ repository/s3/lib.php | 9 ++++ repository/upgrade.txt | 5 ++ repository/upload/lib.php | 9 ++++ repository/url/lib.php | 9 ++++ repository/user/lib.php | 9 ++++ repository/webdav/lib.php | 10 ++++ repository/wikimedia/lib.php | 9 ++++ repository/youtube/lib.php | 9 ++++ 17 files changed, 212 insertions(+), 12 deletions(-) diff --git a/lang/en/repository.php b/lang/en/repository.php index 25713bed4aa..5ee707f6e48 100644 --- a/lang/en/repository.php +++ b/lang/en/repository.php @@ -158,7 +158,7 @@ $string['nofilesattached'] = 'No files attached'; $string['nofilesavailable'] = 'No files available'; $string['nomorefiles'] = 'No more attachments allowed'; $string['nopathselected'] = 'No destination path select yet (double click tree node to select)'; -$string['nopermissiontoaccess'] = 'No permission to access this repository'; +$string['nopermissiontoaccess'] = 'No permission to access this repository.'; $string['noresult'] = 'No search result'; $string['norepositoriesavailable'] = 'Sorry, none of your current repositories can return files in the required format.'; $string['norepositoriesexternalavailable'] = 'Sorry, none of your current repositories can return external files.'; diff --git a/repository/coursefiles/lib.php b/repository/coursefiles/lib.php index 959f34e344a..cee6d858f2d 100644 --- a/repository/coursefiles/lib.php +++ b/repository/coursefiles/lib.php @@ -216,4 +216,13 @@ class repository_coursefiles extends repository { // this should be realtime return 0; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/equella/lib.php b/repository/equella/lib.php index d29378e01d7..b54806b4a3f 100644 --- a/repository/equella/lib.php +++ b/repository/equella/lib.php @@ -437,4 +437,13 @@ class repository_equella extends repository { return get_string('lostsource', 'repository', ''); } } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/filesystem/lib.php b/repository/filesystem/lib.php index 432e79d4374..c856371954a 100644 --- a/repository/filesystem/lib.php +++ b/repository/filesystem/lib.php @@ -333,4 +333,13 @@ class repository_filesystem extends repository { send_file_not_found(); } } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/flickr_public/lib.php b/repository/flickr_public/lib.php index 6b11cfc5ac5..04d1f07d783 100644 --- a/repository/flickr_public/lib.php +++ b/repository/flickr_public/lib.php @@ -550,4 +550,13 @@ class repository_flickr_public extends repository { public function get_file_source_info($photoid) { return $this->build_photo_url($photoid); } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/lib.php b/repository/lib.php index f28a2d7e755..0a2bf47ee0e 100644 --- a/repository/lib.php +++ b/repository/lib.php @@ -487,6 +487,9 @@ abstract class repository { public $returntypes; /** @var stdClass repository instance database record */ public $instance; + /** @var string Type of repository (webdav, google_docs, dropbox, ...). Read from $this->get_typename(). */ + protected $typename; + /** * Constructor * @@ -558,6 +561,24 @@ abstract class repository { } } + /** + * Returns the type name of the repository. + * + * @return string type name of the repository. + * @since 2.5 + */ + public function get_typename() { + if (empty($this->typename)) { + $matches = array(); + if (!preg_match("/^repository_(.*)$/", get_class($this), $matches)) { + throw new coding_exception('The class name of a repository should be repository_, '. + 'e.g. repository_dropbox'); + } + $this->typename = $matches[1]; + } + return $this->typename; + } + /** * Get a repository type object by a given type name. * @@ -620,19 +641,43 @@ abstract class repository { } /** - * Checks if user has a capability to view the current repository in current context + * Checks if user has a capability to view the current repository. * - * @return bool + * @return bool true when the user can, otherwise throws an exception. + * @throws repository_exception when the user does not meet the requirements. */ public final function check_capability() { - $capability = false; - if (preg_match("/^repository_(.*)$/", get_class($this), $matches)) { - $type = $matches[1]; - $capability = has_capability('repository/'.$type.':view', $this->context); + global $USER; + + // Ensure that the user can view the repository in the current context. + $can = has_capability('repository/'.$this->get_typename().':view', $this->context); + + // Context in which the repository has been created. + $repocontext = context::instance_by_id($this->instance->contextid); + + // Prevent access to private repositories when logged in as. + if ($can && session_is_loggedinas()) { + if ($this->contains_private_data() || $repocontext->contextlevel == CONTEXT_USER) { + $can = false; + } } - if (!$capability) { - throw new repository_exception('nopermissiontoaccess', 'repository'); + + // Ensure that the user can view the repository in the context of the repository. + // We need to perform the check when already disallowed. + if ($can) { + if ($repocontext->contextlevel == CONTEXT_USER && $repocontext->instanceid != $USER->id) { + // Prevent URL hijack to access someone else's repository. + $can = false; + } else { + $can = has_capability('repository/'.$this->get_typename().':view', $repocontext); + } } + + if ($can) { + return true; + } + + throw new repository_exception('nopermissiontoaccess', 'repository'); } /** @@ -1767,13 +1812,36 @@ abstract class repository { */ public function get_name() { global $DB; - if ( $name = $this->instance->name ) { + if ($name = $this->instance->name) { return $name; } else { - return get_string('pluginname', 'repository_' . $this->options['type']); + return get_string('pluginname', 'repository_' . $this->get_typename()); } } + /** + * Is this repository accessing private data? + * + * This function should return true for the repositories which access external private + * data from a user. This is the case for repositories such as Dropbox, Google Docs or Box.net + * which authenticate the user and then store the auth token. + * + * Of course, many repositories store 'private data', but we only want to set + * contains_private_data() to repositories which are external to Moodle and shouldn't be accessed + * to by the users having the capability to 'login as' someone else. For instance, the repository + * 'Private files' is not considered as private because it's part of Moodle. + * + * You should not set contains_private_data() to true on repositories which allow different types + * of instances as the levels other than 'user' are, by definition, not private. Also + * the user instances will be protected when they need to. + * + * @return boolean True when the repository accesses private external data. + * @since 2.5 + */ + public function contains_private_data() { + return true; + } + /** * What kind of files will be in this repository? * @@ -1806,7 +1874,7 @@ abstract class repository { $meta = new stdClass(); $meta->id = $this->id; $meta->name = format_string($this->get_name()); - $meta->type = $this->options['type']; + $meta->type = $this->get_typename(); $meta->icon = $OUTPUT->pix_url('icon', 'repository_'.$meta->type)->out(false); $meta->supported_types = file_get_typegroup('extension', $this->supported_filetypes()); $meta->return_types = $this->supported_returntypes(); diff --git a/repository/local/lib.php b/repository/local/lib.php index 5798ad6f560..93bdd2062ec 100644 --- a/repository/local/lib.php +++ b/repository/local/lib.php @@ -262,4 +262,13 @@ class repository_local extends repository { 'name' => $fileinfo->get_visible_name() ); } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/merlot/lib.php b/repository/merlot/lib.php index 0ad1418419b..187eef58053 100644 --- a/repository/merlot/lib.php +++ b/repository/merlot/lib.php @@ -161,5 +161,14 @@ class repository_merlot extends repository { public function supported_filetypes() { return array('link'); } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/recent/lib.php b/repository/recent/lib.php index 76cdb69e2a8..a370a33ba0e 100644 --- a/repository/recent/lib.php +++ b/repository/recent/lib.php @@ -203,4 +203,13 @@ class repository_recent extends repository { public function has_moodle_files() { return true; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/s3/lib.php b/repository/s3/lib.php index 596fc09cbe3..346f7715656 100644 --- a/repository/s3/lib.php +++ b/repository/s3/lib.php @@ -249,4 +249,13 @@ class repository_s3 extends repository { public function supported_returntypes() { return FILE_INTERNAL; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/upgrade.txt b/repository/upgrade.txt index 4f420d634f4..4728b1f7bfb 100644 --- a/repository/upgrade.txt +++ b/repository/upgrade.txt @@ -8,6 +8,11 @@ http://docs.moodle.org/dev/Repository_API * repository::append_suffix() has been deprecated, use repository::get_unused_filename() if you need to get a file name which has not yet been used in the draft area. +* contains_private_data() is a new method to determine if a user 'logged in as' another user + can access the content of the repository. The default is to return True (no access). + +* get_typename() returns the type of repository: dropbox, googledocs, etc... + === 2.4 === * copy_to_area() can receive a new parameter called $areamaxbytes which controls the maximum diff --git a/repository/upload/lib.php b/repository/upload/lib.php index eed039eb1ac..1cfcf289da2 100644 --- a/repository/upload/lib.php +++ b/repository/upload/lib.php @@ -288,4 +288,13 @@ class repository_upload extends repository { public function supported_returntypes() { return FILE_INTERNAL; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/url/lib.php b/repository/url/lib.php index 1255570d5d9..45a5b3fb948 100644 --- a/repository/url/lib.php +++ b/repository/url/lib.php @@ -237,4 +237,13 @@ EOD; public function supported_filetypes() { return array('web_image'); } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/user/lib.php b/repository/user/lib.php index 2b8412fc007..4e536d56ab6 100644 --- a/repository/user/lib.php +++ b/repository/user/lib.php @@ -169,4 +169,13 @@ class repository_user extends repository { // this should be realtime return 0; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/webdav/lib.php b/repository/webdav/lib.php index e2d39bf315d..5a19cb36053 100644 --- a/repository/webdav/lib.php +++ b/repository/webdav/lib.php @@ -185,4 +185,14 @@ class repository_webdav extends repository { public function supported_returntypes() { return (FILE_INTERNAL | FILE_EXTERNAL); } + + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/wikimedia/lib.php b/repository/wikimedia/lib.php index 09a00fb924a..490c6d556b1 100644 --- a/repository/wikimedia/lib.php +++ b/repository/wikimedia/lib.php @@ -189,4 +189,13 @@ EOD; public function get_file_source_info($url) { return $url; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } } diff --git a/repository/youtube/lib.php b/repository/youtube/lib.php index bc2f30461c3..e3f39ab1ce2 100644 --- a/repository/youtube/lib.php +++ b/repository/youtube/lib.php @@ -202,4 +202,13 @@ class repository_youtube extends repository { public function supported_returntypes() { return FILE_EXTERNAL; } + + /** + * Is this repository accessing private data? + * + * @return bool + */ + public function contains_private_data() { + return false; + } }