mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
Fix legacy/new permissions
This commit is contained in:
Kay0u
parent
12412cc6c8
commit
02b4ecec8c
1 changed files with 26 additions and 67 deletions
93
helpers.lua
93
helpers.lua
|
|
@ -267,96 +267,55 @@ end
|
||||||
function has_access(user)
|
function has_access(user)
|
||||||
user = user or authUser
|
user = user or authUser
|
||||||
|
|
||||||
if not conf["users"][user] then
|
-- Get the longest url permission
|
||||||
conf = config.get_config()
|
longest_permission_match = longest_url_path(permission_matches()) or ""
|
||||||
end
|
|
||||||
|
|
||||||
-- If there are no `users` directive, or if the user has no ACL set, he can
|
logger.debug("Longest permission match : "..longest_permission_match)
|
||||||
-- access the URL by default
|
|
||||||
if not conf["users"] or not conf["users"][user] then
|
-- If no permission matches, it means that there is no
|
||||||
logger.debug("No access rules defined for user "..user..", assuming it can access..")
|
-- permission defined for this url, a logged-in user can access it.
|
||||||
|
if longest_permission_match == "" then
|
||||||
|
logger.debug("No access rules defined for user "..user..", assuming it can access.")
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
-- Loop through user's ACLs and return if the URL is authorized.
|
-- All user in this permission
|
||||||
allowed_url_matches = {}
|
allowed_users = conf["permissions"][longest_permission_match]
|
||||||
for url, app in pairs(conf["users"][user]) do
|
|
||||||
|
|
||||||
-- Replace the original domain by a local one if you are connected from
|
-- The user has permission to access the content if he is in the list of this one
|
||||||
-- a non-global domain name.
|
if allowed_users then
|
||||||
if ngx.var.host == conf["local_portal_domain"] then
|
for _, u in pairs(allowed_users) do
|
||||||
url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
|
if u == user then
|
||||||
end
|
logger.debug("User "..user.." can access "..ngx.var.uri)
|
||||||
|
log_access(user, longest_permission_match)
|
||||||
if string.ends(url, "/") then
|
return true
|
||||||
url = string.sub(url, 1, -1)
|
end
|
||||||
end
|
|
||||||
|
|
||||||
if string.starts(ngx.var.host..ngx.var.uri, url) then
|
|
||||||
logger.debug("User is allowed to access this match : "..url)
|
|
||||||
table.insert(allowed_url_matches,url)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
-- Keep only the longest match and compare it to the longest protected
|
logger.debug("User "..user.." cannot access "..ngx.var.uri)
|
||||||
-- match e.g. we don't want to allow the user to access /foo/admin if
|
return false
|
||||||
-- /foo/admin is protected, but this user is only allowed to access /foo
|
|
||||||
local longest_allowed_match = longest_url_path(allowed_url_matches) or ""
|
|
||||||
local longest_protected_match = longest_url_path(protected_matches()) or ""
|
|
||||||
|
|
||||||
logger.debug("Longest allowed match : "..longest_allowed_match)
|
|
||||||
logger.debug("Longest protected match : "..longest_protected_match)
|
|
||||||
|
|
||||||
-- For the user to be able to access the content, at least one rule should
|
|
||||||
-- exist and it should be the longest match
|
|
||||||
if longest_allowed_match ~= ""
|
|
||||||
and string.len(longest_allowed_match) >= string.len(longest_protected_match) then
|
|
||||||
logger.debug("Logged-in user can access "..ngx.var.uri)
|
|
||||||
log_access(user, longest_allowed_match)
|
|
||||||
return true
|
|
||||||
else
|
|
||||||
logger.debug("Logged-in user cannot access "..ngx.var.uri)
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
function permission_matches()
|
||||||
function protected_matches()
|
if not conf["permissions"] then
|
||||||
if not conf["protected_urls"] then
|
conf["permissions"] = {}
|
||||||
conf["protected_urls"] = {}
|
|
||||||
end
|
|
||||||
if not conf["protected_regex"] then
|
|
||||||
conf["protected_regex"] = {}
|
|
||||||
end
|
end
|
||||||
|
|
||||||
local url_matches = {}
|
local url_matches = {}
|
||||||
|
|
||||||
for _, url in ipairs(conf["protected_urls"]) do
|
for url, permission in pairs(conf["permissions"]) do
|
||||||
if string.starts(ngx.var.host..ngx.var.uri..uri_args_string(), url)
|
if string.starts(ngx.var.host..ngx.var.uri..uri_args_string(), url)
|
||||||
or string.starts(ngx.var.uri..uri_args_string(), url) then
|
or string.starts(ngx.var.uri..uri_args_string(), url) then
|
||||||
logger.debug("protected_url match current uri : "..url)
|
logger.debug("Url permission match current uri : "..url)
|
||||||
|
|
||||||
table.insert(url_matches, url)
|
table.insert(url_matches, url)
|
||||||
else
|
|
||||||
logger.debug("no match from "..url.." to "..ngx.var.uri)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
for _, regex in ipairs(conf["protected_regex"]) do
|
|
||||||
local m1 = match(ngx.var.host..ngx.var.uri..uri_args_string(), regex)
|
|
||||||
local m2 = match(ngx.var.uri..uri_args_string(), regex)
|
|
||||||
if m1 then
|
|
||||||
logger.debug("protected_regex match current uri : "..regex.." with "..m1)
|
|
||||||
table.insert(url_matches, m1)
|
|
||||||
end
|
|
||||||
if m2 then
|
|
||||||
logger.debug("protected_regex match current uri : "..regex.." with "..m2)
|
|
||||||
table.insert(url_matches, m2)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
return url_matches
|
return url_matches
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
function longest_url_path(urls)
|
function longest_url_path(urls)
|
||||||
local longest = nil
|
local longest = nil
|
||||||
for _, url in ipairs(urls) do
|
for _, url in ipairs(urls) do
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue