Only allow access if user is not authed
Fixes https://github.com/nextcloud/user_saml/issues/15
This commit is contained in:
Lukas Reschke
parent
d57c221ada
commit
53b182990c
|
|
@ -24,6 +24,7 @@ namespace OCA\User_SAML\AppInfo;
|
|||
use OCA\User_SAML\Controller\AuthSettingsController;
|
||||
use OCA\User_SAML\Controller\SAMLController;
|
||||
use OCA\User_SAML\Controller\SettingsController;
|
||||
use OCA\User_SAML\MiddleWare\OnlyLoggedInMiddleware;
|
||||
use OCA\User_SAML\SAMLSettings;
|
||||
use OCA\User_SAML\UserBackend;
|
||||
use OCP\AppFramework\App;
|
||||
|
|
@ -76,5 +77,16 @@ class Application extends App {
|
|||
)
|
||||
);
|
||||
});
|
||||
|
||||
/**
|
||||
* Middleware
|
||||
*/
|
||||
$container->registerService('OnlyLoggedInMiddleware', function(IAppContainer $c){
|
||||
return new OnlyLoggedInMiddleware(
|
||||
$c->query('ControllerMethodReflector'),
|
||||
$c->query('ServerContainer')->getUserSession()
|
||||
);
|
||||
});
|
||||
$container->registerMiddleware('OnlyLoggedInMiddleware');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -63,6 +63,7 @@ class SAMLController extends Controller {
|
|||
/**
|
||||
* @PublicPage
|
||||
* @UseSession
|
||||
* @OnlyUnauthenticatedUsers
|
||||
*/
|
||||
public function login() {
|
||||
$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
|
||||
|
|
@ -93,6 +94,7 @@ class SAMLController extends Controller {
|
|||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
* @UseSession
|
||||
* @OnlyUnauthenticatedUsers
|
||||
*/
|
||||
public function assertionConsumerService() {
|
||||
$AuthNRequestID = $this->session->get('user_saml.AuthNRequestID');
|
||||
|
|
@ -142,7 +144,7 @@ class SAMLController extends Controller {
|
|||
}
|
||||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @NoAdminRequired
|
||||
*/
|
||||
public function singleLogoutService() {
|
||||
$auth = new \OneLogin_Saml2_Auth($this->SAMLSettings->getOneLoginSettingsArray());
|
||||
|
|
@ -157,6 +159,7 @@ class SAMLController extends Controller {
|
|||
/**
|
||||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
* @OnlyUnauthenticatedUsers
|
||||
*/
|
||||
public function notProvisioned() {
|
||||
return new Http\TemplateResponse($this->appName, 'notProvisioned', [], 'guest');
|
||||
|
|
|
|||
|
|
@ -0,0 +1,66 @@
|
|||
<?php
|
||||
/**
|
||||
* @copyright Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OCA\User_SAML\MiddleWare;
|
||||
|
||||
use OCP\AppFramework\Http\JSONResponse;
|
||||
use OCP\AppFramework\Http\NotFoundResponse;
|
||||
use \OCP\AppFramework\Middleware;
|
||||
use \OCP\AppFramework\Utility\IControllerMethodReflector;
|
||||
use OCP\IUserSession;
|
||||
|
||||
/**
|
||||
* Class OnlyLoggedInMiddleware prevents access to a controller method if the user
|
||||
* is already logged-in.
|
||||
*
|
||||
* @package OCA\User_SAML\MiddleWare
|
||||
*/
|
||||
class OnlyLoggedInMiddleware extends Middleware {
|
||||
private $reflector;
|
||||
private $userSession;
|
||||
|
||||
public function __construct(IControllerMethodReflector $reflector,
|
||||
IUserSession $userSession) {
|
||||
$this->reflector = $reflector;
|
||||
$this->userSession = $userSession;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \OCP\AppFramework\Controller $controller
|
||||
* @param string $methodName
|
||||
* @throws \Exception
|
||||
*/
|
||||
public function beforeController($controller, $methodName){
|
||||
if($this->reflector->hasAnnotation('OnlyUnauthenticatedUsers') && $this->userSession->isLoggedIn()) {
|
||||
throw new \Exception('User is already logged-in');
|
||||
}
|
||||
}
|
||||
|
||||
public function afterException($controller, $methodName, \Exception $exception) {
|
||||
if($exception->getMessage() === 'User is already logged-in') {
|
||||
return new JSONResponse('User is already logged-in', 403);
|
||||
}
|
||||
|
||||
throw $exception;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue