openinfra/openstackid-resources
Code Issues Proposed changes
openstackid-resources/app/Http/Middleware/UserAuthEndpoint.php
Sebastian Marcet dd9318a29b Security Fix 
added user auth per group to sensitive endpoints
like add event, publish event, add video, updated video and so.

Change-Id: If13bb25702e15ebad40cbad3afbc4b3e9e619f67
2016-10-27 20:35:05 -03:00

73 lines
2.1 KiB
PHP
Raw Blame History

<?php namespace App\Http\Middleware;
/**
* Copyright 2016 OpenStack Foundation
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* http://www.apache.org/licenses/LICENSE-2.0
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/
use Closure;
use Illuminate\Support\Facades\Response;
use models\main\IMemberRepository;
use models\oauth2\IResourceServerContext;
/**
* Class UserAuthEndpoint
* @package App\Http\Middleware
*/
final class UserAuthEndpoint
{
/**
* @var IResourceServerContext
*/
private $context;
/**
* @var IMemberRepository
*/
private $member_repository;
public function __construct
(
IResourceServerContext $context,
IMemberRepository $member_repository
)
{
$this->context = $context;
$this->member_repository = $member_repository;
}
public function handle($request, Closure $next, $required_groups)
{
$user_id = $this->context->getCurrentUserId();
if (is_null($user_id)) return $next($request);
$member = $this->member_repository->getById($user_id);
if (is_null($member)){
$http_response = Response::json(['error' => 'member not found'], 403);
return $http_response;
}
$groups = $member->getGroups();
$required_groups = explode('|', $required_groups);
foreach ($required_groups as $required_group) {
foreach ($groups as $member_group){
if ($required_group == $member_group->getCode()) {
return $next($request);
}
}
}
$http_response = Response::json(['error' => 'unauthorized member'], 403);
return $http_response;
}
}
View Git Blame Copy Permalink