Fix authenticated role permissions, now it also has all anonymous permissions.

Added permissions on basic auth, to have more control on who can authenticate with basic auth. Use webapi version of basic auth filter. For webapi, when authenticated /api/user/ is the same as /api/user/{uid} where uid is the id of current logged in user.
2017-09-21 12:49:17 +02:00
parent 9d7d43073d
commit bc561b1a48
10 changed files with 135 additions and 61 deletions
--- a/modules/basic_auth/cms_basic_auth_module.e
+++ b/modules/basic_auth/cms_basic_auth_module.e
@@ -16,7 +16,9 @@ inherit
 		redefine
 			make,
 			filters,
-			setup_hooks
+			setup_hooks,
+			install,
+			permissions
 		end

 	CMS_WITH_WEBAPI
@@ -35,6 +37,17 @@ feature {NONE} -- Initialization
 			description := "Service to manage basic authentication"
 		end

+feature {CMS_API} -- Module management
+
+	install (a_api: CMS_API)
+		do
+			Precursor (a_api)
+			if attached a_api.user_api.anonymous_user_role as ano then
+				ano.add_permission (perm_use_basic_auth)
+				a_api.user_api.save_user_role (ano)
+			end
+		end
+
 feature {CMS_EXECUTION} -- Administration

 	webapi: CMS_BASIC_AUTH_MODULE_WEBAPI
@@ -46,6 +59,15 @@ feature -- Access

 	name: STRING = "basic_auth"

+	permissions: LIST [READABLE_STRING_8]
+			-- List of permission ids, used by this module, and declared.
+		do
+			Result := Precursor
+			Result.force ("use basic_auth")
+		end
+
+	perm_use_basic_auth: STRING = "use basic_auth"
+
 feature -- Access: auth strategy	

 	login_title: STRING = "Basic Auth"
--- a/modules/basic_auth/cms_basic_auth_module_webapi.e
+++ b/modules/basic_auth/cms_basic_auth_module_webapi.e
@@ -28,7 +28,7 @@ feature -- Access: filter
 			-- Possibly list of Filter's module.
 		do
 			create {ARRAYED_LIST [WSF_FILTER]} Result.make (1)
-			Result.extend (create {CMS_BASIC_AUTH_FILTER}.make (a_api))
+			Result.extend (create {CMS_BASIC_WEBAPI_AUTH_FILTER}.make (a_api))
 		end
 note
 	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Eiffel Software and others"
--- a/modules/basic_auth/filter/cms_basic_auth_filter.e
+++ b/modules/basic_auth/filter/cms_basic_auth_filter.e
@@ -38,12 +38,14 @@ feature -- Basic operations
 					api.user_api.is_valid_credential (l_auth_login, l_auth_password) and then
 					attached api.user_api.user_by_name (l_auth_login) as l_user
 				then
-					debug ("refactor_fixme")
-						fixme ("Maybe we need to store in the credentials in a shared context SECURITY_CONTEXT")
-						-- req.set_execution_variable ("security_content", create SECURITY_CONTEXT.make (l_user))
-						-- other authentication filters (OpenID, etc) should implement the same approach.
+					if api.user_has_permission (l_user, {CMS_BASIC_AUTH_MODULE}.perm_use_basic_auth) then
+						debug ("refactor_fixme")
+							fixme ("Maybe we need to store in the credentials in a shared context SECURITY_CONTEXT")
+							-- req.set_execution_variable ("security_content", create SECURITY_CONTEXT.make (l_user))
+							-- other authentication filters (OpenID, etc) should implement the same approach.
+						end
+						set_current_user (l_user)
 					end
-					set_current_user (l_user)
 				else
 					api.logger.put_error (generator + ".execute login_valid failed for: " + l_auth_login, Void)
 				end
--- a/modules/basic_auth/filter/cms_basic_webapi_auth_filter.e
+++ b/modules/basic_auth/filter/cms_basic_webapi_auth_filter.e
@@ -0,0 +1,45 @@
+note
+	description: "Summary description for {CMS_BASIC_WEBAPI_AUTH_FILTER}."
+	date: "$Date$"
+	revision: "$Revision$"
+
+class
+	CMS_BASIC_WEBAPI_AUTH_FILTER
+
+inherit
+	CMS_WEBAPI_AUTH_FILTER
+
+create
+	make
+
+feature -- Basic operations
+
+	execute (req: WSF_REQUEST; res: WSF_RESPONSE)
+			-- Execute the filter.
+		local
+			l_auth: HTTP_AUTHORIZATION
+		do
+			create l_auth.make (req.http_authorization)
+			if
+				l_auth.is_basic and then
+				attached l_auth.login as l_auth_login and then
+				attached l_auth.password as l_auth_password
+			then
+				if
+					api.user_api.is_valid_credential (l_auth_login, l_auth_password) and then
+					attached api.user_api.user_by_name (l_auth_login) as l_user
+				then
+					if api.user_has_permission (l_user, {CMS_BASIC_AUTH_MODULE}.perm_use_basic_auth) then
+						api.set_user (l_user)
+					end
+				else
+					-- not authenticated due to bad login or password.
+				end
+			end
+			execute_next (req, res)
+		end
+
+note
+	copyright: "2011-2017, Jocelyn Fiat, Javier Velilla, Eiffel Software and others"
+	license: "Eiffel Forum License v2 (see http://www.eiffel.com/licensing/forum.txt)"
+end