Auth: Prevent unauthorized users from using the application #98

Signed-off-by: Michael Mayer <michael@photoprism.app>
2023-03-10 13:20:16 +01:00 · 2023-03-10 13:20:16 +01:00 · a425027a9b
parent 8df444dfd7
commit a425027a9b
2 changed files with 38 additions and 7 deletions
--- a/internal/entity/auth_user.go
+++ b/internal/entity/auth_user.go
@ -390,7 +390,7 @@ func (m *User) UpdateLoginTime() *time.Time {
 func (m *User) CanLogIn() bool {
 	if m == nil {
 		return false
-	} else if m.Deleted() {
+	} else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
 		return false
 	} else if !m.CanLogin && !m.SuperAdmin || m.ID <= 0 || m.UserName == "" {
 		return false
@ -403,7 +403,11 @@ func (m *User) CanLogIn() bool {

 // CanUseWebDAV checks whether the user is allowed to use WebDAV to synchronize files.
 func (m *User) CanUseWebDAV() bool {
-	if role := m.AclRole(); m.Disabled() || !m.WebDAV || m.ID <= 0 || m.UserName == "" || role == acl.RoleUnknown {
+	if m == nil {
+		return false
+	} else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
+		return false
+	} else if role := m.AclRole(); m.Disabled() || !m.WebDAV || m.ID <= 0 || m.UserName == "" || role == acl.RoleUnknown {
 		return false
 	} else {
 		return acl.Resources.Allow(acl.ResourcePhotos, role, acl.ActionUpload)
@ -412,7 +416,11 @@ func (m *User) CanUseWebDAV() bool {

 // CanUpload checks if the user is allowed to upload files.
 func (m *User) CanUpload() bool {
-	if role := m.AclRole(); m.Disabled() || role == acl.RoleUnknown {
+	if m == nil {
+		return false
+	} else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
+		return false
+	} else if role := m.AclRole(); m.Disabled() || role == acl.RoleUnknown {
 		return false
 	} else {
 		return acl.Resources.Allow(acl.ResourcePhotos, role, acl.ActionUpload)
@ -493,6 +501,11 @@ func (m *User) Provider() authn.ProviderType {
 	return authn.ProviderNone
 }

+// HasProvider checks if the user has the given auth provider.
+func (m *User) HasProvider(t authn.ProviderType) bool {
+	return t.String() == m.Provider().String()
+}
+
 // SetProvider set the authentication provider.
 func (m *User) SetProvider(t authn.ProviderType) *User {
 	if m == nil {
--- a/internal/entity/auth_user_test.go
+++ b/internal/entity/auth_user_test.go
@ -827,18 +827,36 @@ func TestUser_UpdateLoginTime(t *testing.T) {
 }

 func TestUser_CanLogIn(t *testing.T) {
-	assert.True(t, UserFixtures.Pointer("alice").CanLogIn())
+	alice := UserFixtures.Get("alice")
+	assert.True(t, alice.CanLogIn())
+	alice.SetProvider(authn.ProviderNone)
+	assert.False(t, alice.CanLogIn())
+	alice.SetProvider(authn.ProviderLocal)
+	assert.True(t, alice.CanLogIn())
+
 	assert.False(t, UserFixtures.Pointer("deleted").CanLogIn())
 }

 func TestUser_CanUseWebDAV(t *testing.T) {
-	assert.True(t, UserFixtures.Pointer("alice").CanUseWebDAV())
+	alice := UserFixtures.Get("alice")
+	assert.True(t, alice.CanUseWebDAV())
+	alice.SetProvider(authn.ProviderNone)
+	assert.False(t, alice.CanUseWebDAV())
+	alice.SetProvider(authn.ProviderLocal)
+	assert.True(t, alice.CanUseWebDAV())
+
 	assert.False(t, UserFixtures.Pointer("deleted").CanUseWebDAV())
 	assert.False(t, UserFixtures.Pointer("friend").CanUseWebDAV())
 }

-func TestUser_CanUpdate(t *testing.T) {
-	assert.True(t, UserFixtures.Pointer("alice").CanUpload())
+func TestUser_CanUpload(t *testing.T) {
+	alice := UserFixtures.Get("alice")
+	assert.True(t, alice.CanUpload())
+	alice.SetProvider(authn.ProviderNone)
+	assert.False(t, alice.CanUpload())
+	alice.SetProvider(authn.ProviderLocal)
+	assert.True(t, alice.CanUpload())
+
 	assert.False(t, UserFixtures.Pointer("deleted").CanUpload())
 	assert.True(t, UserFixtures.Pointer("friend").CanUpload())
 }