Auth: Prevent unauthorized users from using the application #98
Signed-off-by: Michael Mayer <michael@photoprism.app>
parent
8df444dfd7
commit
a425027a9b
|
@ -390,7 +390,7 @@ func (m *User) UpdateLoginTime() *time.Time {
|
|||
func (m *User) CanLogIn() bool {
|
||||
if m == nil {
|
||||
return false
|
||||
} else if m.Deleted() {
|
||||
} else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
|
||||
return false
|
||||
} else if !m.CanLogin && !m.SuperAdmin || m.ID <= 0 || m.UserName == "" {
|
||||
return false
|
||||
|
@ -403,7 +403,11 @@ func (m *User) CanLogIn() bool {
|
|||
|
||||
// CanUseWebDAV checks whether the user is allowed to use WebDAV to synchronize files.
|
||||
func (m *User) CanUseWebDAV() bool {
|
||||
if role := m.AclRole(); m.Disabled() || !m.WebDAV || m.ID <= 0 || m.UserName == "" || role == acl.RoleUnknown {
|
||||
if m == nil {
|
||||
return false
|
||||
} else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
|
||||
return false
|
||||
} else if role := m.AclRole(); m.Disabled() || !m.WebDAV || m.ID <= 0 || m.UserName == "" || role == acl.RoleUnknown {
|
||||
return false
|
||||
} else {
|
||||
return acl.Resources.Allow(acl.ResourcePhotos, role, acl.ActionUpload)
|
||||
|
@ -412,7 +416,11 @@ func (m *User) CanUseWebDAV() bool {
|
|||
|
||||
// CanUpload checks if the user is allowed to upload files.
|
||||
func (m *User) CanUpload() bool {
|
||||
if role := m.AclRole(); m.Disabled() || role == acl.RoleUnknown {
|
||||
if m == nil {
|
||||
return false
|
||||
} else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
|
||||
return false
|
||||
} else if role := m.AclRole(); m.Disabled() || role == acl.RoleUnknown {
|
||||
return false
|
||||
} else {
|
||||
return acl.Resources.Allow(acl.ResourcePhotos, role, acl.ActionUpload)
|
||||
|
@ -493,6 +501,11 @@ func (m *User) Provider() authn.ProviderType {
|
|||
return authn.ProviderNone
|
||||
}
|
||||
|
||||
// HasProvider checks if the user has the given auth provider.
|
||||
func (m *User) HasProvider(t authn.ProviderType) bool {
|
||||
return t.String() == m.Provider().String()
|
||||
}
|
||||
|
||||
// SetProvider set the authentication provider.
|
||||
func (m *User) SetProvider(t authn.ProviderType) *User {
|
||||
if m == nil {
|
||||
|
|
|
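Review bot: The `m.Deleted() || m.HasProvider(authn.ProviderNone)` guard is repeated by hand in CanLogIn, CanUseWebDAV and CanUpload, so the denial holds only for the methods this commit touches; any other permission or session check on User outside these hunks would still admit a provider-none account unless it repeats the test. Consider folding the guard into one predicate that all of them call (or into `Disabled()`, which CanUseWebDAV and CanUpload already consult, if its semantics allow), with a comment such as `// Accounts without an authentication provider must fail every authorization check.`. Separately, `HasProvider` goes through `m.Provider()` without the `m == nil` guard that `SetProvider` below it has; whether `Provider()` tolerates a nil receiver is not visible here, so either add the guard or state the precondition in the doc comment. The bodies of CanLogIn, CanUseWebDAV, CanUpload and SetProvider continue outside the hunks.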
@ -827,18 +827,36 @@ func TestUser_UpdateLoginTime(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestUser_CanLogIn(t *testing.T) {
|
||||
assert.True(t, UserFixtures.Pointer("alice").CanLogIn())
|
||||
alice := UserFixtures.Get("alice")
|
||||
assert.True(t, alice.CanLogIn())
|
||||
alice.SetProvider(authn.ProviderNone)
|
||||
assert.False(t, alice.CanLogIn())
|
||||
alice.SetProvider(authn.ProviderLocal)
|
||||
assert.True(t, alice.CanLogIn())
|
||||
|
||||
assert.False(t, UserFixtures.Pointer("deleted").CanLogIn())
|
||||
}
|
||||
|
||||
func TestUser_CanUseWebDAV(t *testing.T) {
|
||||
assert.True(t, UserFixtures.Pointer("alice").CanUseWebDAV())
|
||||
alice := UserFixtures.Get("alice")
|
||||
assert.True(t, alice.CanUseWebDAV())
|
||||
alice.SetProvider(authn.ProviderNone)
|
||||
assert.False(t, alice.CanUseWebDAV())
|
||||
alice.SetProvider(authn.ProviderLocal)
|
||||
assert.True(t, alice.CanUseWebDAV())
|
||||
|
||||
assert.False(t, UserFixtures.Pointer("deleted").CanUseWebDAV())
|
||||
assert.False(t, UserFixtures.Pointer("friend").CanUseWebDAV())
|
||||
}
|
||||
|
||||
func TestUser_CanUpdate(t *testing.T) {
|
||||
assert.True(t, UserFixtures.Pointer("alice").CanUpload())
|
||||
func TestUser_CanUpload(t *testing.T) {
|
||||
alice := UserFixtures.Get("alice")
|
||||
assert.True(t, alice.CanUpload())
|
||||
alice.SetProvider(authn.ProviderNone)
|
||||
assert.False(t, alice.CanUpload())
|
||||
alice.SetProvider(authn.ProviderLocal)
|
||||
assert.True(t, alice.CanUpload())
|
||||
|
||||
assert.False(t, UserFixtures.Pointer("deleted").CanUpload())
|
||||
assert.True(t, UserFixtures.Pointer("friend").CanUpload())
|
||||
}
|
||||
|
|
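Review bot: The new `m == nil` branches in CanUseWebDAV and CanUpload are not exercised by these tests, which cover only the provider switch and the deleted and friend fixtures. A nil-receiver assertion per method would pin the fail-closed behaviour, e.g. `assert.False(t, (*User)(nil).CanUpload())` and the same for `CanUseWebDAV` and `CanLogIn`, assuming the test file is in the same package as User. It would also help to assert `HasProvider` directly for both a matching and a non-matching provider, since all three checks now depend on it.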