From 7b1bad0a622a3045de7938f7b31128f4a53fdf39 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Tue, 5 Jan 2021 14:22:20 +0200
Subject: [PATCH 1/4] Reordered some code
---
 app/controllers/general.php | 111 +--------------------------------
 app/controllers/shared/api.php | 106 ++++++++++++++++++++++++++++++-
 app/controllers/shared/web.php | 1 +
 3 files changed, 108 insertions(+), 110 deletions(-)
diff --git a/app/controllers/general.php b/app/controllers/general.php
index d77b3d5607..f577f7459e 100644
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@@ -14,27 +14,19 @@ use Appwrite\Database\Database;
 use Appwrite\Database\Document;
 use Appwrite\Database\Validator\Authorization;
 use Appwrite\Network\Validator\Origin;
-use Appwrite\Storage\Device\Local;
-use Appwrite\Storage\Storage;
 use Utopia\CLI\Console;
 Config::setParam('domainVerification', false);
 Config::setParam('cookieDomain', 'localhost');
 Config::setParam('cookieSamesite', Response::COOKIE_SAMESITE_NONE);
-App::init(function ($utopia, $request, $response, $console, $project, $user, $locale, $events, $audits, $usage, $deletes, $clients) {
+App::init(function ($utopia, $request, $response, $console, $project, $user, $locale, $clients) {
 /** @var Utopia\Swoole\Request $request */
 /** @var Appwrite\Utopia\Response $response */
 /** @var Appwrite\Database\Document $console */
 /** @var Appwrite\Database\Document $project */
 /** @var Appwrite\Database\Document $user */
 /** @var Utopia\Locale\Locale $locale */
- /** @var Appwrite\Event\Event $events */
- /** @var Appwrite\Event\Event $audits */
- /** @var Appwrite\Event\Event $usage */
- /** @var Appwrite\Event\Event $deletes */
- /** @var Appwrite\Event\Event $functions */
- /** @var bool $mode */
 /** @var array $clients */
@@ -91,9 +83,6 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
 : '.'.$request->getHostname()
 );
- Storage::setDevice('files', new Local(APP_STORAGE_UPLOADS.'/app-'.$project->getId()));
- Storage::setDevice('functions', new Local(APP_STORAGE_FUNCTIONS.'/app-'.$project->getId()));
-
 /*
 * Security Headers
 *
@@ -110,8 +99,6 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
 $response
 ->addHeader('Server', 'Appwrite')
- ->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.\urlencode($request->getURI()))
- //->addHeader('X-Frame-Options', ($refDomain == 'http://localhost') ? 'SAMEORIGIN' : 'ALLOW-FROM ' . $refDomain)
 ->addHeader('X-Content-Type-Options', 'nosniff')
 ->addHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE')
 ->addHeader('Access-Control-Allow-Headers', 'Origin, Cookie, Set-Cookie, X-Requested-With, Content-Type, Access-Control-Allow-Origin, Access-Control-Request-Headers, Accept, X-Appwrite-Project, X-Appwrite-Key, X-Appwrite-Locale, X-Appwrite-Mode, X-SDK-Version, Cache-Control, Expires, Pragma')
@@ -123,7 +110,7 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
 /*
 * Validate Client Domain - Check to avoid CSRF attack
 * Adding Appwrite API domains to allow XDOMAIN communication
- * Skip this check for non-web platforms which are not requiredto send an origin header
+ * Skip this check for non-web platforms which are not required to send an origin header
 */
 $origin = $request->getOrigin($request->getReferer(''));
 $originValidator = new Origin(\array_merge($project->getAttribute('platforms', []), $console->getAttribute('platforms', [])));
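Review bot: With the two `Storage::setDevice(...)` calls removed from this global init (the first two removed lines of the hunk), the `files` and `functions` devices are now registered only by the `'api'`-group init in app/controllers/shared/api.php, so any route outside that group that later calls `Storage::getDevice('files')` would find no device registered — the web and CLI routes are not visible in this diff, so this needs confirming rather than assuming. A short comment at the removal site would spare the next reader the search, e.g. `// Storage devices are registered per project in shared/api.php (api group only)`. The enclosing `App::init` closure starts and ends outside this hunk.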
@@ -219,99 +206,7 @@ App::init(function ($utopia, $request, $response, $console, $project, $user, $lo
 throw new Exception('Password reset is required', 412);
 }
- /*
- * Background Jobs
- */
-
- $events
- ->setParam('projectId', $project->getId())
- ->setParam('userId', $user->getId())
- ->setParam('event', $route->getLabel('event', ''))
- ->setParam('payload', [])
- ->setParam('functionId', null)
- ->setParam('executionId', null)
- ->setParam('trigger', 'event')
- ;
-
- $audits
- ->setParam('projectId', $project->getId())
- ->setParam('userId', $user->getId())
- ->setParam('event', '')
- ->setParam('resource', '')
- ->setParam('userAgent', $request->getUserAgent(''))
- ->setParam('ip', $request->getIP())
- ->setParam('data', [])
- ;
-
- $usage
- ->setParam('projectId', $project->getId())
- ->setParam('httpRequest', 1)
- ->setParam('httpUrl', $request->getHostname().$request->getURI())
- ->setParam('httpMethod', $request->getMethod())
- ->setParam('networkRequestSize', 0)
- ->setParam('networkResponseSize', 0)
- ->setParam('storage', 0)
- ;
-
- $deletes
- ->setParam('projectId', $project->getId())
- ;
-
-}, ['utopia', 'request', 'response', 'console', 'project', 'user', 'locale', 'events', 'audits', 'usage', 'deletes', 'clients']);
-
-App::shutdown(function ($utopia, $request, $response, $project, $events, $audits, $usage, $deletes, $mode) {
- /** @var Utopia\App $utopia */
- /** @var Utopia\Swoole\Request $request */
- /** @var Appwrite\Utopia\Response $response */
- /** @var Appwrite\Database\Document $project */
- /** @var Appwrite\Event\Event $events */
- /** @var Appwrite\Event\Event $audits */
- /** @var Appwrite\Event\Event $usage */
- /** @var Appwrite\Event\Event $deletes */
- /** @var Appwrite\Event\Event $functions */
- /** @var bool $mode */
-
- if (!empty($events->getParam('event'))) {
- if(empty($events->getParam('payload'))) {
- $events->setParam('payload', $response->getPayload());
- }
-
- $webhooks = clone $events;
- $functions = clone $events;
-
- $webhooks
- ->setQueue('v1-webhooks')
- ->setClass('WebhooksV1')
- ->trigger();
-
- $functions
- ->setQueue('v1-functions')
- ->setClass('FunctionsV1')
- ->trigger();
- }
-
- if (!empty($audits->getParam('event'))) {
- $audits->trigger();
- }
-
- if (!empty($deletes->getParam('type')) && !empty($deletes->getParam('document'))) {
- $deletes->trigger();
- }
-
- $route = $utopia->match($request);
-
- if ($project->getId()
- && $mode !== APP_MODE_ADMIN //TODO: add check to make sure user is admin
- && !empty($route->getLabel('sdk.namespace', null))) { // Don't calculate console usage on admin mode
-
- $usage
- ->setParam('networkRequestSize', $request->getSize() + $usage->getParam('storage'))
- ->setParam('networkResponseSize', $response->getSize())
- ->trigger()
- ;
- }
-
-}, ['utopia', 'request', 'response', 'project', 'events', 'audits', 'usage', 'deletes', 'mode']);
+}, ['utopia', 'request', 'response', 'console', 'project', 'user', 'locale', 'clients']);
 App::options(function ($request, $response) {
 /** @var Utopia\Swoole\Request $request */
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index d64c46a2cd..0dcd3bc414 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -4,14 +4,24 @@ use Utopia\App;
 use Utopia\Exception;
 use Utopia\Abuse\Abuse;
 use Utopia\Abuse\Adapters\TimeLimit;
+use Appwrite\Storage\Device\Local;
+use Appwrite\Storage\Storage;
-App::init(function ($utopia, $request, $response, $project, $user, $register) {
+App::init(function ($utopia, $request, $response, $project, $user, $register, $events, $audits, $usage, $deletes) {
 /** @var Utopia\App $utopia */
 /** @var Utopia\Swoole\Request $request */
 /** @var Appwrite\Utopia\Response $response */
 /** @var Appwrite\Database\Document $project */
 /** @var Appwrite\Database\Document $user */
 /** @var Utopia\Registry\Registry $register */
+ /** @var Appwrite\Event\Event $events */
+ /** @var Appwrite\Event\Event $audits */
+ /** @var Appwrite\Event\Event $usage */
+ /** @var Appwrite\Event\Event $deletes */
+ /** @var Appwrite\Event\Event $functions */
+
+ Storage::setDevice('files', new Local(APP_STORAGE_UPLOADS.'/app-'.$project->getId()));
+ Storage::setDevice('functions', new Local(APP_STORAGE_FUNCTIONS.'/app-'.$project->getId()));
 $route = $utopia->match($request);
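Review bot: The added `/** @var Appwrite\Event\Event $functions */` line documents a variable this closure neither receives nor defines — `$functions` is absent from the parameter list and from the injection array at the closure's end — so it is stale copy from the shutdown hook and should be removed. The two new `Storage::setDevice()` calls concatenate `$project->getId()` into a filesystem path; presumably the project id is a validated identifier with no path separators, and a comment stating that invariant next to the calls (e.g. `// project id is a validated identifier, safe as a path segment`) would make it visible, since this diff cannot confirm it. Style: the new `use Appwrite\Storage\...` imports are appended after the `Utopia\` ones instead of keeping the block alphabetised. The `App::init` closure continues past the end of this hunk.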
@@ -52,4 +62,96 @@ App::init(function ($utopia, $request, $response, $project, $user, $register) {
 if ($abuse->check() && App::getEnv('_APP_OPTIONS_ABUSE', 'enabled') !== 'disabled') {
 throw new Exception('Too many requests', 429);
 }
-}, ['utopia', 'request', 'response', 'project', 'user', 'register'], 'api');
\ No newline at end of file
+
+ /*
+ * Background Jobs
+ */
+ $events
+ ->setParam('projectId', $project->getId())
+ ->setParam('userId', $user->getId())
+ ->setParam('event', $route->getLabel('event', ''))
+ ->setParam('payload', [])
+ ->setParam('functionId', null)
+ ->setParam('executionId', null)
+ ->setParam('trigger', 'event')
+ ;
+
+ $audits
+ ->setParam('projectId', $project->getId())
+ ->setParam('userId', $user->getId())
+ ->setParam('event', '')
+ ->setParam('resource', '')
+ ->setParam('userAgent', $request->getUserAgent(''))
+ ->setParam('ip', $request->getIP())
+ ->setParam('data', [])
+ ;
+
+ $usage
+ ->setParam('projectId', $project->getId())
+ ->setParam('httpRequest', 1)
+ ->setParam('httpUrl', $request->getHostname().$request->getURI())
+ ->setParam('httpMethod', $request->getMethod())
+ ->setParam('networkRequestSize', 0)
+ ->setParam('networkResponseSize', 0)
+ ->setParam('storage', 0)
+ ;
+
+ $deletes
+ ->setParam('projectId', $project->getId())
+ ;
+
+}, ['utopia', 'request', 'response', 'project', 'user', 'register', 'events', 'audits', 'usage', 'deletes'], 'api');
+
+App::shutdown(function ($utopia, $request, $response, $project, $events, $audits, $usage, $deletes, $mode) {
+ /** @var Utopia\App $utopia */
+ /** @var Utopia\Swoole\Request $request */
+ /** @var Appwrite\Utopia\Response $response */
+ /** @var Appwrite\Database\Document $project */
+ /** @var Appwrite\Event\Event $events */
+ /** @var Appwrite\Event\Event $audits */
+ /** @var Appwrite\Event\Event $usage */
+ /** @var Appwrite\Event\Event $deletes */
+ /** @var Appwrite\Event\Event $functions */
+ /** @var bool $mode */
+
+ if (!empty($events->getParam('event'))) {
+ if(empty($events->getParam('payload'))) {
+ $events->setParam('payload', $response->getPayload());
+ }
+
+ $webhooks = clone $events;
+ $functions = clone $events;
+
+ $webhooks
+ ->setQueue('v1-webhooks')
+ ->setClass('WebhooksV1')
+ ->trigger();
+
+ $functions
+ ->setQueue('v1-functions')
+ ->setClass('FunctionsV1')
+ ->trigger();
+ }
+
+ if (!empty($audits->getParam('event'))) {
+ $audits->trigger();
+ }
+
+ if (!empty($deletes->getParam('type')) && !empty($deletes->getParam('document'))) {
+ $deletes->trigger();
+ }
+
+ $route = $utopia->match($request);
+
+ if ($project->getId()
+ && $mode !== APP_MODE_ADMIN //TODO: add check to make sure user is admin
+ && !empty($route->getLabel('sdk.namespace', null))) { // Don't calculate console usage on admin mode
+
+ $usage
+ ->setParam('networkRequestSize', $request->getSize() + $usage->getParam('storage'))
+ ->setParam('networkResponseSize', $response->getSize())
+ ->trigger()
+ ;
+ }
+
+}, ['utopia', 'request', 'response', 'project', 'events', 'audits', 'usage', 'deletes', 'mode'], 'api');
diff --git a/app/controllers/shared/web.php b/app/controllers/shared/web.php
index 42d2a18c55..43eaf74d09 100644
--- a/app/controllers/shared/web.php
+++ b/app/controllers/shared/web.php
@@ -37,6 +37,7 @@ App::init(function ($utopia, $request, $response, $layout) {
 ->addHeader('Cache-Control', 'public, max-age='.$time)
 ->addHeader('Expires', \date('D, d M Y H:i:s', \time() + $time).' GMT') // 45 days cache
 ->addHeader('X-Frame-Options', 'SAMEORIGIN') // Avoid console and homepage from showing in iframes
+ ->addHeader('X-XSS-Protection', '1; mode=block; report=/v1/xss?url='.\urlencode($request->getURI()))
 ->addHeader('X-UA-Compatible', 'IE=Edge') // Deny IE browsers from going into quirks mode
 ;
From 3d9060bdab47248b9bf97083a319ac1d051aa14a Mon Sep 17 00:00:00 2001
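Review bot: The usage-accounting guard in the new `App::shutdown` hook, `&& $mode !== APP_MODE_ADMIN //TODO: add check to make sure user is admin`, exempts a request from metering on the strength of `$mode` alone; if `$mode` is derived from the client-sent `X-Appwrite-Mode` header (that header is in the CORS allow-list in general.php, so presumably yes), any caller can keep its requests out of the project's usage counters simply by sending the admin mode, which the TODO acknowledges but the move leaves in place. Closing it means pairing the mode check with a server-side check of the authenticated user's role — the `$user` document is available to the init hook above but is not injected into this shutdown hook, so it would need adding to the injection list. Separately, `$audits->setParam('ip', $request->getIP())` in the init block records whatever `getIP()` yields, so audit entries are only as trustworthy as the proxy and forwarded-header handling behind that method; a comment noting that dependency would help. Minor style: `if(empty(` lacks the space the surrounding `if (` statements use.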
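Review bot: The added `X-XSS-Protection: 1; mode=block; report=...` header no longer buys protection — Chromium removed its XSS auditor in 2019 and Firefox never implemented one — and current guidance (OWASP, MDN) is to send `0` or omit the header and rely on a `Content-Security-Policy`, so consider `->addHeader('X-XSS-Protection', '0')` or dropping the line. If it is kept for the console pages, the only active part is the `report=/v1/xss?url=` target, and a comment such as `// Legacy header: ignored by modern browsers, kept for the /v1/xss report endpoint` would record that decision. Note that this patch also removes the same header from the global init in general.php, so API responses now go out without it while only the web group sends it — acceptable given the above, but worth a line in the commit message.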
From: Eldad Fux
Date: Tue, 5 Jan 2021 14:58:16 +0200
Subject: [PATCH 2/4] Changed constants
---
 app/config/roles.php | 21 +++++++--------------
 src/Appwrite/Auth/Auth.php | 1 +
 2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/app/config/roles.php b/app/config/roles.php
index 8dfaf78eb4..506b2403c6 100644
--- a/app/config/roles.php
+++ b/app/config/roles.php
@@ -1,13 +1,6 @@ [
+ Auth::USER_ROLE_GUEST => [
 'label' => 'Guest',
 'scopes' => [
 'public',
@@ -71,23 +64,23 @@ return [
 'execution.write',
 ],
 ],
- ROLE_MEMBER => [
+ Auth::USER_ROLE_MEMBER => [
 'label' => 'Member',
 'scopes' => \array_merge($logged, []),
 ],
- ROLE_ADMIN => [
+ Auth::USER_ROLE_ADMIN => [
 'label' => 'Admin',
 'scopes' => \array_merge($admins, []),
 ],
- ROLE_DEVELOPER => [
+ Auth::USER_ROLE_DEVELOPER => [
 'label' => 'Developer',
 'scopes' => \array_merge($admins, []),
 ],
- ROLE_OWNER => [
+ Auth::USER_ROLE_OWNER => [
 'label' => 'Owner',
 'scopes' => \array_merge($logged, $admins, []),
 ],
- ROLE_APP => [
+ Auth::USER_ROLE_APP => [
 'label' => 'Application',
 'scopes' => ['health.read'],
 ],
diff --git a/src/Appwrite/Auth/Auth.php b/src/Appwrite/Auth/Auth.php
index 88eb11299d..e43ab78bff 100644
--- a/src/Appwrite/Auth/Auth.php
+++ b/src/Appwrite/Auth/Auth.php
@@ -23,6 +23,7 @@ class Auth
 const USER_ROLE_OWNER = 4;
 const USER_ROLE_APP = 5;
 const USER_ROLE_SYSTEM = 6;
+ const USER_ROLE_ALL = '*';
 /**
 * Token Types.
From 5ed2eea208b71fe206338ff69be31b2a16ef8702 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Wed, 13 Jan 2021 16:11:07 +0200
Subject: [PATCH 3/4] Changed role names
---
 src/Appwrite/Auth/Auth.php | 14 +++++++-------
 tests/e2e/Services/Database/DatabaseBase.php | 4 ++--
 .../Services/Database/DatabaseCustomServerTest.php | 2 +-
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/src/Appwrite/Auth/Auth.php b/src/Appwrite/Auth/Auth.php
index 88eb11299d..e1a933ee76 100644
--- a/src/Appwrite/Auth/Auth.php
+++ b/src/Appwrite/Auth/Auth.php
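Review bot: `const USER_ROLE_ALL = '*';` adds a string to a constant family whose other members are the integers 0–6, so the roles.php array now keyed on these constants mixes int and string keys, and any loose comparison of role values treats this entry differently from the rest (if the runtime is still PHP 7.x, `'*' == 0` is true, so a non-strict `in_array()` or `==` check would match the wildcard against the guest id). If the string value is intentional, a docblock should say so, e.g. `/** Wildcard role matching every user; deliberately not a numeric role id. */`, and comparisons involving it should use `===` or `in_array(..., true)`. The roles.php hunk at `@@ -1,13 +1,6 @@` is truncated in this rendering, so I cannot confirm that a `use Appwrite\Auth\Auth;` import was added to that config file; without it the `Auth::USER_ROLE_*` keys do not resolve.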
@@ -16,13 +16,13 @@ class Auth
 /**
 * User Roles.
 */
- const USER_ROLE_GUEST = 0;
- const USER_ROLE_MEMBER = 1;
- const USER_ROLE_ADMIN = 2;
- const USER_ROLE_DEVELOPER = 3;
- const USER_ROLE_OWNER = 4;
- const USER_ROLE_APP = 5;
- const USER_ROLE_SYSTEM = 6;
+ const USER_ROLE_GUEST = 'guest';
+ const USER_ROLE_MEMBER = 'member';
+ const USER_ROLE_ADMIN = 'admin';
+ const USER_ROLE_DEVELOPER = 'developer';
+ const USER_ROLE_OWNER = 'owner';
+ const USER_ROLE_APP = 'app';
+ const USER_ROLE_SYSTEM = 'system';
 /**
 * Token Types.
diff --git a/tests/e2e/Services/Database/DatabaseBase.php b/tests/e2e/Services/Database/DatabaseBase.php
index f769184827..8285cb2076 100644
--- a/tests/e2e/Services/Database/DatabaseBase.php
+++ b/tests/e2e/Services/Database/DatabaseBase.php
@@ -18,7 +18,7 @@ trait DatabaseBase
 ]), [
 'name' => 'Actors',
 'read' => ['*'],
- 'write' => ['role:1', 'role:2'],
+ 'write' => ['role:member', 'role:admin'],
 'rules' => [
 [
 'label' => 'First Name',
@@ -55,7 +55,7 @@ trait DatabaseBase
 ]), [
 'name' => 'Movies',
 'read' => ['*'],
- 'write' => ['role:1', 'role:2'],
+ 'write' => ['role:member', 'role:admin'],
 'rules' => [
 [
 'label' => 'Name',
diff --git a/tests/e2e/Services/Database/DatabaseCustomServerTest.php b/tests/e2e/Services/Database/DatabaseCustomServerTest.php
index 2f0bdfc766..3bb9c3e82d 100644
--- a/tests/e2e/Services/Database/DatabaseCustomServerTest.php
+++ b/tests/e2e/Services/Database/DatabaseCustomServerTest.php
@@ -27,7 +27,7 @@ class DatabaseCustomServerTest extends Scope
 ]), [
 'name' => 'Actors',
 'read' => ['*'],
- 'write' => ['role:1', 'role:2'],
+ 'write' => ['role:member', 'role:admin'],
 'rules' => [
 [
 'label' => 'First Name',
From 00ee2735c466460c1611e759c54c405bb571417d Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Thu, 14 Jan 2021 08:09:52 +0200
Subject: [PATCH 4/4] Updated changelog
---
 CHANGES.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGES.md b/CHANGES.md
index d9ec45dd6c..ee147b9cbf 100644
--- a/CHANGES.md
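Review bot: Switching the role constants from integers to strings changes the stored syntax of permissions (the tests move from `'role:1', 'role:2'` to `'role:member', 'role:admin'`), yet the patch touches only Auth.php and two tests, with no migration or compatibility mapping for permission strings already saved on existing collections and documents; after upgrade those entries would presumably no longer match any user — writes fail closed, but data guarded by them becomes inaccessible to the roles that owned it, so a migration step or a translation of the old numeric ids should accompany this. The `index 88eb11299d..e1a933ee76` line shows this hunk was generated against the same base blob as patch 2's Auth.php hunk, and its trailing context has no `USER_ROLE_ALL` line, so applying the series in order will likely conflict or drop that constant; patch 3 needs rebasing onto patch 2. A docblock on the block would tie the values to their use, e.g. `/** Role identifiers; each appears verbatim in role:<id> permission strings. */`.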
+++ b/CHANGES.md
@@ -37,6 +37,7 @@
 - Added new environment variables for ClamAV hostname and port ([#780](https://github.com/appwrite/appwrite/pull/780))
 - New OAuth adapter for Box.com (@armino-dev - [#420](https://github.com/appwrite/appwrite/issues/410))
 - New OAuth adapter for PayPal sandbox (@armino-dev - [#420](https://github.com/appwrite/appwrite/issues/410))
+- Introducing new permssion types: role:guest, role:member, role:app.
 ### User Interface
 - Updated grid for OAuth2 providers list in the console ([#413](https://github.com/appwrite/appwrite/issues/413))