made security checks clearer

2 files changed, 62 insertions, 11 deletions

diff --git a/apptemplate/appinfo/routes.php b/apptemplate/appinfo/routes.php
index 7ebf18389..b051ef19e 100644
--- a/apptemplate/appinfo/routes.php
+++ b/apptemplate/appinfo/routes.php
@@ -32,23 +32,16 @@ require_once \OC_App::getAppPath('apptemplate') . '/appinfo/bootstrap.php';
  *                                stored in the DI container
  * @param string $methodName: the method that you want to call
  * @param array $urlParams: an array with variables extracted from the routes
- * @param bool $disableCSRF: disables the csrf check, defaults to false
  * @param bool $disableAdminCheck: disables the check for adminuser rights
+ * @param bool $disableIsInAdminGroupCheck: disables the check for admin group member
  */
 function callController($controllerName, $methodName, $urlParams, 
-						$disableCSRF=false, $disableAdminCheck=true){
+						$disableAdminCheck=true, $disableIsInAdminGroupCheck=true){
 	$container = createDIContainer();
 	
 	// run security checks
 	$security = $container['Security'];
-	if($disableCSRF){
-		$security->setCSRFCheck(false);	
-	}
-	if($disableAdminCheck){
-		$security->setIsAdminCheck(false);	
-	}
-
-	$security->runChecks();
+	runSecurityChecks($security);
 
 	// call the controller and render the page
 	$controller = $container[$controllerName];
@@ -57,6 +50,31 @@ function callController($controllerName, $methodName, $urlParams,
 }
 
 
+/**
+ * Runs the security checks and exits on error
+ * @param Security $security: the security object
+ * @param bool $isAjax: if true, the ajax checks will be run, otherwise the normal
+ *                      checks
+ * @param bool $disableAdminCheck: disables the check for adminuser rights
+ * @param bool $disableIsInAdminGroupCheck: disables the check for admin group member
+ */
+function runSecurityChecks($security, $isAjax=false, $disableAdminCheck=true, 
+							$disableIsInAdminGroupCheck=true){
+	if($disableAdminCheck){
+		$security->setIsAdminCheck(false);	
+	}
+
+	if($disableIsInAdminGroupCheck){
+		$security->setIsInAdminGroupCheck(false);	
+	}
+
+	if($isAjax){
+		$security->runAJAXChecks();
+	} else {
+		$security->runChecks();
+	}
+}
+
 /*************************
  * Define your routes here
  ************************/
diff --git a/apptemplate/lib/security.php b/apptemplate/lib/security.php
index c7b5363f3..2e54dc357 100644
--- a/apptemplate/lib/security.php
+++ b/apptemplate/lib/security.php
@@ -35,6 +35,7 @@ class Security {
 	private $loggedInCheck;
 	private $appEnabledCheck;
 	private $isAdminCheck;
+	private $isInAdminGroupCheck;
 	private $appName;
 
 	/**
@@ -48,6 +49,7 @@ class Security {
 		$this->loggedInCheck = true;
 		$this->appEnabledCheck = true;
 		$this->isAdminCheck = true;
+		$this->isInAdminGroupCheck = true;
 	}
 
 
@@ -67,12 +69,39 @@ class Security {
 		$this->isAdminCheck = $isAdminCheck;
 	}
 
+	public function setIsInAdminGroupCheck($isInAdminGroupCheck){
+		$this->isInAdminGroupCheck = $isInAdminGroupCheck;
+	}
+
 
 	/**
 	 * Runs all security checks
 	 */
 	public function runChecks() {
 
+		if($this->loggedInCheck){
+			\OCP\JSON::checkLoggedIn();
+		}
+
+		if($this->appEnabledCheck){
+			\OCP\JSON::checkAppEnabled($this->appName);
+		}
+
+		if($this->isAdminCheck){
+			\OCP\JSON::checkAdminUser();
+		}
+
+		if($this->isInAdminGroupCheck){
+			\OCP\JSON::checkSubAdminUser();
+		}
+
+	}
+
+
+	/**
+	 * Runs all the security checks for AJAX requests
+	 */
+	public function runAjaxChecks(){
 		if($this->csrfCheck){
 			\OCP\JSON::callCheck();
 		}
@@ -86,7 +115,11 @@ class Security {
 		}
 
 		if($this->isAdminCheck){
-			\OCP\User::checkAdminUser();
+			\OCP\JSON::checkAdminUser();
+		}
+
+		if($this->isInAdminGroupCheck){
+			\OCP\JSON::checkSubAdminUser();
 		}
 
 	}