CodeMirror/appwrite
1
0
Fork 0
mirror of synced 2024-06-03 11:24:48 +12:00
Code Issues Projects Releases Wiki Activity

Merge pull request #823 from appwrite/feat-new-public-permissions

Browse source 
Feat new public permissions
This commit is contained in:
Eldad A. Fux 2021-01-14 14:19:17 +02:00 committed by GitHub
parent 5fb533ed6a 00ee2735c4
commit 32c316deee
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 127 additions and 129 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGES.md
View file

@ -37,6 +37,7 @@
- Added new environment variables for ClamAV hostname and port ([#780](https://github.com/appwrite/appwrite/pull/780))
- New OAuth adapter for Box.com (@armino-dev - [#420](https://github.com/appwrite/appwrite/issues/410))
- New OAuth adapter for PayPal sandbox (@armino-dev - [#420](https://github.com/appwrite/appwrite/issues/410))
- Introducing new permssion types: role:guest, role:member, role:app.
### User Interface
- Updated grid for OAuth2 providers list in the console ([#413](https://github.com/appwrite/appwrite/issues/413))

21
app/config/roles.php
View file

@ -1,13 +1,6 @@
<?php
const ROLE_GUEST = 0;
const ROLE_MEMBER = 1;
const ROLE_ADMIN = 2;
const ROLE_DEVELOPER = 3;
const ROLE_OWNER = 4;
const ROLE_APP = 5;
const ROLE_SYSTEM = 6;
const ROLE_ALL = '*';
use Appwrite\Auth\Auth;
$logged = [
'public',
@ -57,7 +50,7 @@ $admins = [
];
return [
ROLE_GUEST => [
Auth::USER_ROLE_GUEST => [
'label' => 'Guest',
'scopes' => [
'public',
@ -71,23 +64,23 @@ return [
'execution.write',
],
],
ROLE_MEMBER => [
Auth::USER_ROLE_MEMBER => [
'label' => 'Member',
'scopes' => \array_merge($logged, []),
],
ROLE_ADMIN => [
Auth::USER_ROLE_ADMIN => [
'label' => 'Admin',
'scopes' => \array_merge($admins, []),
],
ROLE_DEVELOPER => [
Auth::USER_ROLE_DEVELOPER => [
'label' => 'Developer',
'scopes' => \array_merge($admins, []),
],
ROLE_OWNER => [
Auth::USER_ROLE_OWNER => [
'label' => 'Owner',
'scopes' => \array_merge($logged, $admins, []),
],
ROLE_APP => [
Auth::USER_ROLE_APP => [
'label' => 'Application',
'scopes' => ['health.read'],
],

106
app/controllers/general.php
View file

@ -23,19 +23,13 @@ Config::setParam('domainVerification', false);
Config::setParam('cookieDomain', 'localhost');
Config::setParam('cookieSamesite', Response::COOKIE_SAMESITE_NONE);
App::init(function ($utopia, $request, $response, $console, $project, $user, $locale, $events, $audits, $usage, $deletes, $clients) {
App::init(function ($utopia, $request, $response, $console, $project, $user, $locale, $clients) {
/** @var Utopia\Swoole\Request $request */
/** @var Appwrite\Utopia\Response $response */
/** @var Appwrite\Database\Document $console */
/** @var Appwrite\Database\Document $project */
/** @var Appwrite\Database\Document $user */
/** @var Utopia\Locale\Locale $locale */
/** @var Appwrite\Event\Event $events */
/** @var Appwrite\Event\Event $audits */
/** @var Appwrite\Event\Event $usage */
/** @var Appwrite\Event\Event $deletes */
/** @var Appwrite\Event\Event $functions */
/** @var bool $mode */
/** @var array $clients */
@ -120,8 +114,6 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
$response
->addHeader('Server', 'Appwrite')
->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.\urlencode($request->getURI()))
//->addHeader('X-Frame-Options', ($refDomain == 'http://localhost') ? 'SAMEORIGIN' : 'ALLOW-FROM ' . $refDomain)
->addHeader('X-Content-Type-Options', 'nosniff')
->addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE')
->addHeader('Access-Control-Allow-Headers', 'Origin, Cookie, Set-Cookie, X-Requested-With, Content-Type, Access-Control-Allow-Origin, Access-Control-Request-Headers, Accept, X-Appwrite-Project, X-Appwrite-Key, X-Appwrite-Locale, X-Appwrite-Mode, X-SDK-Version, Cache-Control, Expires, Pragma')
@ -133,7 +125,7 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
/*
* Validate Client Domain - Check to avoid CSRF attack
* Adding Appwrite API domains to allow XDOMAIN communication
* Skip this check for non-web platforms which are not requiredto send an origin header
* Skip this check for non-web platforms which are not required to send an origin header
*/
$origin = $request->getOrigin($request->getReferer(''));
$originValidator = new Origin(\array_merge($project->getAttribute('platforms', []), $console->getAttribute('platforms', [])));
@ -229,99 +221,7 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
throw new Exception('Password reset is required', 412);
}
/*
* Background Jobs
*/
$events
->setParam('projectId', $project->getId())
->setParam('userId', $user->getId())
->setParam('event', $route->getLabel('event', ''))
->setParam('payload', [])
->setParam('functionId', null)
->setParam('executionId', null)
->setParam('trigger', 'event')
;
$audits
->setParam('projectId', $project->getId())
->setParam('userId', $user->getId())
->setParam('event', '')
->setParam('resource', '')
->setParam('userAgent', $request->getUserAgent(''))
->setParam('ip', $request->getIP())
->setParam('data', [])
;
$usage
->setParam('projectId', $project->getId())
->setParam('httpRequest', 1)
->setParam('httpUrl', $request->getHostname().$request->getURI())
->setParam('httpMethod', $request->getMethod())
->setParam('networkRequestSize', 0)
->setParam('networkResponseSize', 0)
->setParam('storage', 0)
;
$deletes
->setParam('projectId', $project->getId())
;
}, ['utopia', 'request', 'response', 'console', 'project', 'user', 'locale', 'events', 'audits', 'usage', 'deletes', 'clients']);
App::shutdown(function ($utopia, $request, $response, $project, $events, $audits, $usage, $deletes, $mode) {
/** @var Utopia\App $utopia */
/** @var Utopia\Swoole\Request $request */
/** @var Appwrite\Utopia\Response $response */
/** @var Appwrite\Database\Document $project */
/** @var Appwrite\Event\Event $events */
/** @var Appwrite\Event\Event $audits */
/** @var Appwrite\Event\Event $usage */
/** @var Appwrite\Event\Event $deletes */
/** @var Appwrite\Event\Event $functions */
/** @var bool $mode */
if (!empty($events->getParam('event'))) {
if(empty($events->getParam('payload'))) {
$events->setParam('payload', $response->getPayload());
}
$webhooks = clone $events;
$functions = clone $events;
$webhooks
->setQueue('v1-webhooks')
->setClass('WebhooksV1')
->trigger();
$functions
->setQueue('v1-functions')
->setClass('FunctionsV1')
->trigger();
}
if (!empty($audits->getParam('event'))) {
$audits->trigger();
}
if (!empty($deletes->getParam('type')) && !empty($deletes->getParam('document'))) {
$deletes->trigger();
}
$route = $utopia->match($request);
if (App::getEnv('_APP_USAGE_STATS', 'enabled') == 'enabled'
&& $project->getId()
&& $mode !== APP_MODE_ADMIN //TODO: add check to make sure user is admin
&& !empty($route->getLabel('sdk.namespace', null))) { // Don't calculate console usage on admin mode
$usage
->setParam('networkRequestSize', $request->getSize() + $usage->getParam('storage'))
->setParam('networkResponseSize', $response->getSize())
->trigger()
;
}
}, ['utopia', 'request', 'response', 'project', 'events', 'audits', 'usage', 'deletes', 'mode']);
}, ['utopia', 'request', 'response', 'console', 'project', 'user', 'locale', 'clients']);
App::options(function ($request, $response) {
/** @var Utopia\Swoole\Request $request */

106
app/controllers/shared/api.php
View file

@ -6,14 +6,24 @@ use Utopia\App;
use Utopia\Exception;
use Utopia\Abuse\Abuse;
use Utopia\Abuse\Adapters\TimeLimit;
use Appwrite\Storage\Device\Local;
use Appwrite\Storage\Storage;
App::init(function ($utopia, $request, $response, $project, $user, $register) {
App::init(function ($utopia, $request, $response, $project, $user, $register, $events, $audits, $usage, $deletes) {
/** @var Utopia\App $utopia */
/** @var Utopia\Swoole\Request $request */
/** @var Appwrite\Utopia\Response $response */
/** @var Appwrite\Database\Document $project */
/** @var Appwrite\Database\Document $user */
/** @var Utopia\Registry\Registry $register */
/** @var Appwrite\Event\Event $events */
/** @var Appwrite\Event\Event $audits */
/** @var Appwrite\Event\Event $usage */
/** @var Appwrite\Event\Event $deletes */
/** @var Appwrite\Event\Event $functions */
Storage::setDevice('files', new Local(APP_STORAGE_UPLOADS.'/app-'.$project->getId()));
Storage::setDevice('functions', new Local(APP_STORAGE_FUNCTIONS.'/app-'.$project->getId()));
$route = $utopia->match($request);
@ -60,4 +70,96 @@ App::init(function ($utopia, $request, $response, $project, $user, $register) {
{
throw new Exception('Too many requests', 429);
}
}, ['utopia', 'request', 'response', 'project', 'user', 'register'], 'api');
/*
* Background Jobs
*/
$events
->setParam('projectId', $project->getId())
->setParam('userId', $user->getId())
->setParam('event', $route->getLabel('event', ''))
->setParam('payload', [])
->setParam('functionId', null)
->setParam('executionId', null)
->setParam('trigger', 'event')
;
$audits
->setParam('projectId', $project->getId())
->setParam('userId', $user->getId())
->setParam('event', '')
->setParam('resource', '')
->setParam('userAgent', $request->getUserAgent(''))
->setParam('ip', $request->getIP())
->setParam('data', [])
;
$usage
->setParam('projectId', $project->getId())
->setParam('httpRequest', 1)
->setParam('httpUrl', $request->getHostname().$request->getURI())
->setParam('httpMethod', $request->getMethod())
->setParam('networkRequestSize', 0)
->setParam('networkResponseSize', 0)
->setParam('storage', 0)
;
$deletes
->setParam('projectId', $project->getId())
;
}, ['utopia', 'request', 'response', 'project', 'user', 'register', 'events', 'audits', 'usage', 'deletes'], 'api');
App::shutdown(function ($utopia, $request, $response, $project, $events, $audits, $usage, $deletes, $mode) {
/** @var Utopia\App $utopia */
/** @var Utopia\Swoole\Request $request */
/** @var Appwrite\Utopia\Response $response */
/** @var Appwrite\Database\Document $project */
/** @var Appwrite\Event\Event $events */
/** @var Appwrite\Event\Event $audits */
/** @var Appwrite\Event\Event $usage */
/** @var Appwrite\Event\Event $deletes */
/** @var Appwrite\Event\Event $functions */
/** @var bool $mode */
if (!empty($events->getParam('event'))) {
if(empty($events->getParam('payload'))) {
$events->setParam('payload', $response->getPayload());
}
$webhooks = clone $events;
$functions = clone $events;
$webhooks
->setQueue('v1-webhooks')
->setClass('WebhooksV1')
->trigger();
$functions
->setQueue('v1-functions')
->setClass('FunctionsV1')
->trigger();
}
if (!empty($audits->getParam('event'))) {
$audits->trigger();
}
if (!empty($deletes->getParam('type')) && !empty($deletes->getParam('document'))) {
$deletes->trigger();
}
$route = $utopia->match($request);
if (App::getEnv('_APP_USAGE_STATS', 'enabled') == 'enabled'
&& $project->getId()
&& $mode !== APP_MODE_ADMIN //TODO: add check to make sure user is admin
&& !empty($route->getLabel('sdk.namespace', null))) { // Don't calculate console usage on admin mode
$usage
->setParam('networkRequestSize', $request->getSize() + $usage->getParam('storage'))
->setParam('networkResponseSize', $response->getSize())
->trigger()
;
}
}, ['utopia', 'request', 'response', 'project', 'events', 'audits', 'usage', 'deletes', 'mode'], 'api');

1
app/controllers/shared/web.php
View file

@ -37,6 +37,7 @@ App::init(function ($utopia, $request, $response, $layout) {
->addHeader('Cache-Control', 'public, max-age='.$time)
->addHeader('Expires', \date('D, d M Y H:i:s', \time() + $time).' GMT') // 45 days cache
->addHeader('X-Frame-Options', 'SAMEORIGIN') // Avoid console and homepage from showing in iframes
->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.\urlencode($request->getURI()))
->addHeader('X-UA-Compatible', 'IE=Edge') // Deny IE browsers from going into quirks mode
;

15
src/Appwrite/Auth/Auth.php
View file

@ -16,13 +16,14 @@ class Auth
/**
* User Roles.
*/
const USER_ROLE_GUEST = 0;
const USER_ROLE_MEMBER = 1;
const USER_ROLE_ADMIN = 2;
const USER_ROLE_DEVELOPER = 3;
const USER_ROLE_OWNER = 4;
const USER_ROLE_APP = 5;
const USER_ROLE_SYSTEM = 6;
const USER_ROLE_GUEST = 'guest';
const USER_ROLE_MEMBER = 'member';
const USER_ROLE_ADMIN = 'admin';
const USER_ROLE_DEVELOPER = 'developer';
const USER_ROLE_OWNER = 'owner';
const USER_ROLE_APP = 'app';
const USER_ROLE_SYSTEM = 'system';
const USER_ROLE_ALL = '*';
/**
* Token Types.

4
tests/e2e/Services/Database/DatabaseBase.php
View file

@ -18,7 +18,7 @@ trait DatabaseBase
]), [
'name' => 'Actors',
'read' => ['*'],
'write' => ['role:1', 'role:2'],
'write' => ['role:member', 'role:admin'],
'rules' => [
[
'label' => 'First Name',
@ -55,7 +55,7 @@ trait DatabaseBase
]), [
'name' => 'Movies',
'read' => ['*'],
'write' => ['role:1', 'role:2'],
'write' => ['role:member', 'role:admin'],
'rules' => [
[
'label' => 'Name',

2
tests/e2e/Services/Database/DatabaseCustomServerTest.php
View file

@ -27,7 +27,7 @@ class DatabaseCustomServerTest extends Scope
]), [
'name' => 'Actors',
'read' => ['*'],
'write' => ['role:1', 'role:2'],
'write' => ['role:member', 'role:admin'],
'rules' => [
[
'label' => 'First Name',