Enhance privacy of refresh roster command

nextcloud · Sep 16, 2017 · cddfd17 · cddfd17
1 parent be8faaa
commit cddfd17
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 18 deletions.
diff --git a/appinfo/application.php b/appinfo/application.php
@@ -226,7 +226,8 @@ public function __construct(array $urlParams=array()){
 				$c->query('ServerContainer')->getUserSession(),
 				$c->query('Host'),
 				$c->query('IQRosterPushMapper'),
-				$c->query('ServerContainer')->getDatabaseConnection()
+				$c->query('ServerContainer')->getDatabaseConnection(),
+				$c->query('UserProvider')
 			);
 		});
 
@@ -244,7 +245,9 @@ public function __construct(array $urlParams=array()){
 			$version = \OCP\Util::getVersion();
 			if (($version[0] == 12 && $version[2] >= 2) || ($version[0] >= 13)) {
 				return new ContactsStoreUserProvider(
-					$c->query('OCP\Contacts\ContactsMenu\IContactsStore')
+					$c->query('OCP\Contacts\ContactsMenu\IContactsStore'),
+					$c->query('ServerContainer')->getUserSession(),
+					$c->query('ServerContainer')->getUserManager()
 				);
 			} else {
 				return new UserManagerUserProvider(

diff --git a/lib/ContactsStoreUserProvider.php b/lib/ContactsStoreUserProvider.php
@@ -2,6 +2,9 @@
 
 namespace OCA\OJSXC;
 
+use OCP\IUserManager;
+use OCP\IUserSession;
+
 class ContactsStoreUserProvider implements IUserProvider {
 
 	/**
@@ -14,14 +17,26 @@ class ContactsStoreUserProvider implements IUserProvider {
 	 */
 	private static $cache = null;
 
-	public function __construct($contactsStore) {
+	/**
+	 * @var IUserSession
+	 */
+	private $userSession;
+
+	/**
+	 * @var IUserManager
+	 */
+	private $userManager;
+
+	public function __construct($contactsStore, IUserSession $userSession, IUserManager $userManager) {
 		$this->contactsStore = $contactsStore;
+		$this->userSession = $userSession;
+		$this->userManager = $userManager;
 	}
 
 	public function getAllUsers() {
 		if (is_null(self::$cache)) {
 			$result = [];
-			$contacts = $this->contactsStore->getContacts(\OC::$server->getUserSession()->getUser(), '');
+			$contacts = $this->contactsStore->getContacts($this->userSession->getUser(), '');
 			foreach ($contacts as $contact) {
 				if ($contact->getProperty('isLocalSystemBook')) {
 					$result[] = new User($contact->getProperty('UID'), $contact->getFullName(), $contact);
@@ -35,15 +50,34 @@ public function getAllUsers() {
 	}
 
 	public function hasUser(User $user) {
-		return !is_null($this->contactsStore->findOne(\OC::$server->getUserSession()->getUser(), 0, $user->getUid()));
+		return !is_null($this->contactsStore->findOne($this->userSession->getUser(), 0, $user->getUid()));
 	}
 
-	/**
-	 * @brief Checks if the current user can interact with the provided user identified by it's UID.
-	 * @param string $uid the uid of the user
-	 * @return bool
-	 */
 	public function hasUserByUID($uid) {
-		return !is_null($this->contactsStore->findOne(\OC::$server->getUserSession()->getUser(), 0, $uid));
+		return !is_null($this->contactsStore->findOne($this->userSession->getUser(), 0, $uid));
+	}
+
+	public function getAllUsersForUser(User $user) {
+		return $this->getAllUsersForUserByUID($user->getUid());
+	}
+
+	public function getAllUsersForUserByUID($uid) {
+		$result = [];
+		$contacts = $this->contactsStore->getContacts($this->userManager->get($uid), '');
+		foreach ($contacts as $contact) {
+			if ($contact->getProperty('isLocalSystemBook')) {
+				$result[] = new User($contact->getProperty('UID'), $contact->getFullName(), $contact);
+			}
+		}
+		return $result;
 	}
+
+	public function hasUserForUser(User $user1, User $user2) {
+		return !is_null($this->contactsStore->findOne($this->userManager->get($user1->getUid()), 0, $user2->getUid()));
+	}
+
+	public function hasUserForUserByUID($uid1, $uid2) {
+		return !is_null($this->contactsStore->findOne($this->userManager->get($uid1), 0, $uid2));
+	}
+
 }
diff --git a/lib/IUserProvider.php b/lib/IUserProvider.php
@@ -14,6 +14,20 @@ interface IUserProvider {
 	 */
 	public function getAllUsers();
 
+	/**
+	 * @brief Search all users for which the provided user has access to.
+	 * @param User $user
+	 * @return User[]
+	 */
+	public function getAllUsersForUser(User $user);
+
+	/**
+	 * @brief Search all users for which the provided user has access to.
+	 * @param string $uid
+	 * @return User[]
+	 */
+	public function getAllUsersForUserByUID($uid);
+
 	/**
 	 * @brief Checks if the current user can interact with the provided user
 	 * @param User $user
@@ -28,4 +42,20 @@ public function hasUser(User $user);
 	 */
 	public function hasUserByUID($uid);
 
+	/**
+	 * @brief Checks if user1 can interact with user2
+	 * @param User $user1
+	 * @param User $user2
+	 * @return bool
+	 */
+	public function hasUserForUser(User $user1, User $user2);
+
+	/**
+	 * @brief Checks if user1 can interact with the user2 identified by it's UID.
+	 * @param string $uid1
+	 * @param string $uid2
+	 * @return bool
+	 */
+	public function hasUserForUserByUID($uid1, $uid2);
+
 }
diff --git a/lib/UserManagerUserProvider.php b/lib/UserManagerUserProvider.php
@@ -37,12 +37,28 @@ public function hasUser(User $user) {
 
 	}
 
-	/**
-	 * @brief Checks if the current user can interact with the provided user identified by it's UID.
-	 * @param string $uid the uid of the user
-	 * @return bool
-	 */
 	public function hasUserByUID($uid) {
 		return !is_null($this->userManager->get($uid));
 	}
+
+	public function getAllUsersForUser(User $user) {
+		// since we don't have access to the ContactsStore, we don't apply the enhancement privacy rules.
+		return $this->getAllUsers();
+	}
+
+	public function getAllUsersForUserByUID($uid) {
+		// since we don't have access to the ContactsStore, we don't apply the enhancement privacy rules.
+		return $this->getAllUsers();
+	}
+
+	public function hasUserForUser(User $user1, User $user2) {
+		// since we don't have access to the ContactsStore, we don't apply the enhancement privacy rules.
+		$this->hasUser($user2);
+	}
+
+	public function hasUserForUserByUID($uid1, $uid2) {
+		// since we don't have access to the ContactsStore, we don't apply the enhancement privacy rules.
+		$this->hasUserByUID($uid2);
+	}
+
 }
diff --git a/lib/rosterpush.php b/lib/rosterpush.php
@@ -10,6 +10,8 @@
 use OCP\IUser;
 use OCP\IUserSession;
 
+// TODO listen for changes to groups
+
 class RosterPush
 {
 
@@ -35,18 +37,35 @@ class RosterPush
 	 */
 	private $db;
 
+	/**
+	 * @var IUserProvider
+	 */
+	private $userProvider;
+
+	/**
+	 * RosterPush constructor.
+	 *
+	 * @param IUserManager $userManager
+	 * @param IUserSession $userSession
+	 * @param string $host
+	 * @param IQRosterPushMapper $iqRosterPushMapper
+	 * @param IDBConnection $db
+	 * @param IUserProvider $userProvider
+	 */
 	public function __construct(
 		IUserManager $userManager,
 								IUserSession $userSession,
 		$host,
 								IQRosterPushMapper $iqRosterPushMapper,
-								IDbConnection $db
+								IDbConnection $db,
+								IUserProvider $userProvider
 	) {
 		$this->userManager = $userManager;
 		$this->userSession = $userSession;
 		$this->host = $host;
 		$this->iqRosterPushMapper = $iqRosterPushMapper;
 		$this->db = $db;
+		$this->userProvider = $userProvider;
 	}
 
 	/**
@@ -62,7 +81,7 @@ public function createOrUpdateRosterItem(IUser $user)
 		$iq->setFrom('');
 
 
-		foreach ($this->userManager->search('') as $recipient) {
+		foreach ($this->userProvider->getAllUsersForUserByUID($user->getUID()) as $recipient) {
 			if ($recipient->getUID() !== $user->getUID()) {
 				$iq->setTo($recipient->getUID());
 				$this->iqRosterPushMapper->insert($iq);