Robert Vogel has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/394252 )
Change subject: Added basic security features
......................................................................
Added basic security features
* Every query gets implicitly extended by a namespace-whitelist expression
* Result sets are being trimmed before output
Change-Id: I3b42b8987fd37b9d3c3ad23ac46608e81d652bed
---
M composer.json
M extension.json
A src/Hook/SMWStoreAfterQueryResultLookupComplete.php
A src/Hook/SMWStoreAfterQueryResultLookupComplete/ApplySecurityTrimming.php
A src/Hook/SMWStoreBeforeQueryResultLookupComplete.php
A
src/Hook/SMWStoreBeforeQueryResultLookupComplete/AddPermissionBasedNamespaceFilters.php
6 files changed, 229 insertions(+), 2 deletions(-)
git pull
ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/BlueSpiceSMWConnector
refs/changes/52/394252/1
diff --git a/composer.json b/composer.json
index bdc8627..6be15e1 100644
--- a/composer.json
+++ b/composer.json
@@ -32,7 +32,11 @@
"autoload": {
"files": [
"BlueSpiceSMWConnector.php"
- ]
+ ],
+ "psr-4": {
+ "BlueSpice\\SMWConnector\\Tests\\": "tests/phpunit",
+ "BlueSpice\\SMWConnector\\": "src"
+ }
},
"require-dev": {
"jakub-onderka/php-parallel-lint": "0.9.2",
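Review bot: The test namespace `BlueSpice\\SMWConnector\\Tests\\` is mapped under `autoload` rather than `autoload-dev`, so every production install registers the tests directory with the class loader as well. Move that entry to an `"autoload-dev": { "psr-4": { "BlueSpice\\SMWConnector\\Tests\\": "tests/phpunit" } }` block and keep only the `src` mapping under `autoload`.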
diff --git a/extension.json b/extension.json
index 150d386..89bcf73 100644
--- a/extension.json
+++ b/extension.json
@@ -32,7 +32,9 @@
"NamespaceManager::editNamespace":
"BSSMWCNamespaceManager::onEditNamespace",
"NamespaceManager::writeNamespaceConfiguration":
"BSSMWCNamespaceManager::onWriteNamespaceConfiguration",
"BSPageTemplatesBeforeRender":
"BSSMWCPageTemplates::onBSPageTemplatesBeforeRender",
- "PageContentSaveComplete":
"BSSMWConnectorHooks::onPageContentSaveComplete"
+ "PageContentSaveComplete":
"BSSMWConnectorHooks::onPageContentSaveComplete",
+ "SMW::Store::AfterQueryResultLookupComplete":
"BlueSpice\\SMWConnector\\Hook\\SMWStoreAfterQueryResultLookupComplete\\ApplySecurityTrimming::callback",
+ "SMW::Store::BeforeQueryResultLookupComplete":
"BlueSpice\\SMWConnector\\Hook\\SMWStoreBeforeQueryResultLookupComplete\\AddPermissionBasedNamespaceFilters::callback"
},
"ResourceFileModulePaths": {
"localBasePath": "resources",
diff --git a/src/Hook/SMWStoreAfterQueryResultLookupComplete.php
b/src/Hook/SMWStoreAfterQueryResultLookupComplete.php
new file mode 100644
index 0000000..946c88d
--- /dev/null
+++ b/src/Hook/SMWStoreAfterQueryResultLookupComplete.php
@@ -0,0 +1,44 @@
+<?php
+
+namespace BlueSpice\SMWConnector\Hook;
+
+use BlueSpice\Hook;
+
+abstract class SMWStoreAfterQueryResultLookupComplete extends Hook {
+
+ /**
+ *
+ * @var \SMW\Store
+ */
+ protected $store = null;
+
+ /**
+ * @var \SMWQueryResult
+ */
+ protected $result = null;
+
+ /**
+ *
+ * @param \IContextSource $context
+ * @param \Config $config
+ * @param \SMW\Store $store
+ * @param \SMWQueryResult $result
+ */
+ public function __construct( $context, $config, $store, &$result ) {
+ parent::__construct( $context, $config );
+
+ $this->store = $store;
+ $this->result =& $result;
+ }
+
+ public static function callback( $store, &$result ) {
+ $className = static::class;
+ $hookHandler = new $className(
+ null,
+ null,
+ $store,
+ $result
+ );
+ return $hookHandler->process();
+ }
+}
\ No newline at end of file
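Review bot: `callback()` constructs the handler with `null` for both `$context` and `$config`, yet the concrete handlers depend on context: the Before-hook counterpart (`SMWStoreBeforeQueryResultLookupComplete::callback`, same pattern) has a subclass calling `$this->getContext()->getLanguage()`, and both read-permission checks call `userCan( 'read' )` without an explicit user. Whether `BlueSpice\Hook` substitutes a default request context for `null` is not visible here; if it does not, that call fails, and if it does, the subject of the permission checks is whatever user that default resolves to, which deserves a comment at the `null` arguments. `callback()` also has no docblock; `@param \SMW\Store $store`, `@param \SMWQueryResult $result` (by reference, so the handler can replace it) and `@return bool` would make the hook contract explicit. The file also ends without a trailing newline.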
diff --git
a/src/Hook/SMWStoreAfterQueryResultLookupComplete/ApplySecurityTrimming.php
b/src/Hook/SMWStoreAfterQueryResultLookupComplete/ApplySecurityTrimming.php
new file mode 100644
index 0000000..b9816a3
--- /dev/null
+++ b/src/Hook/SMWStoreAfterQueryResultLookupComplete/ApplySecurityTrimming.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace BlueSpice\SMWConnector\Hook\SMWStoreAfterQueryResultLookupComplete;
+
+use BlueSpice\SMWConnector\Hook\SMWStoreAfterQueryResultLookupComplete;
+
+class AddPermissionBasedNamespaceFilters extends
SMWStoreAfterQueryResultLookupComplete {
+
+ /**
+ *
+ * @var \SMW\DIWikiPage[]
+ */
+ protected $resultItems = [];
+
+ protected function doProcess() {
+ $this->resultItems = $this->result->getResults();
+ $filteredItems = [];
+ foreach( $this->resultItems as $wikiPageItem ) {
+ $title = $wikiPageItem->getTitle();
+ if( $title === null ) {
+ $filteredItems[] = $wikiPageItem; //Leave it in
result set
+ continue;
+ }
+ if( !$title->userCan( 'read' )) {
+ continue;
+ }
+
+ $filteredItems[] = $wikiPageItem;
+ }
+
+ if( count( $filteredItems ) !== count( $this->resultItems ) ) {
+ $this->result = new SMWQueryResult(
+ $this->result->getPrintRequests(),
+ $this->result->getQuery(),
+ $filteredItems,
+ $this->result->getStore(),
+ $this->result->hasFurtherResults()
+ );
+ }
+
+ return true;
+ }
+}
\ No newline at end of file
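Review bot: The class declared in this file is `AddPermissionBasedNamespaceFilters`, but the file is `ApplySecurityTrimming.php` and extension.json registers `...\SMWStoreAfterQueryResultLookupComplete\ApplySecurityTrimming::callback`, so the PSR-4 loader added in composer.json never finds the handler and the result trimming is silently never applied; rename it to `class ApplySecurityTrimming extends SMWStoreAfterQueryResultLookupComplete {`. Relatedly, `new SMWQueryResult(` is unqualified inside the `...\Hook\SMWStoreAfterQueryResultLookupComplete` namespace and resolves to a class that does not exist, unlike the `\SMWQueryResult` used in the Before handler; write `$this->result = new \SMWQueryResult(`. Items whose `getTitle()` returns null are kept, so the trimming fails open for them; if that is intended, say why in the comment (e.g. `// no Title, so no per-page read restriction can apply; keep the item`), and note that `$title->userCan( 'read' )` with no user argument presumably resolves to the global request user rather than a user taken from the handler's context — confirm that is the intended subject of the check.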
diff --git a/src/Hook/SMWStoreBeforeQueryResultLookupComplete.php
b/src/Hook/SMWStoreBeforeQueryResultLookupComplete.php
new file mode 100644
index 0000000..6fa11f3
--- /dev/null
+++ b/src/Hook/SMWStoreBeforeQueryResultLookupComplete.php
@@ -0,0 +1,72 @@
+<?php
+
+namespace BlueSpice\SMWConnector\Hook;
+
+use BlueSpice\Hook;
+
+abstract class SMWStoreBeforeQueryResultLookupComplete extends Hook {
+
+ /**
+ *
+ * @var \SMW\Store
+ */
+ protected $store = null;
+
+ /**
+ *
+ * @var \SMWQuery
+ */
+ protected $query = null;
+
+ /**
+ * ATTENTION: THE PARAMETER IS NULL DURING THE HOOK CALL, BUT IF
RETURNING
+ * FALSE THIS MUST BE SET TO \SMWQueryResult
+ */
+ protected $result = null;
+
+ /**
+ *
+ * @var \SMW\QueryEngine
+ */
+ protected $slaveQueryEngine = null;
+
+
+ /**
+ *
+ * @param \IContextSource $context
+ * @param \Config $config
+ * @param \SMW\Store $store
+ * @param \SMWQuery $query
+ * @param null $result
+ * @param \SMW\QueryEngine $slaveQueryEngine
+ */
+ public function __construct( $context, $config, $store, $query,
&$result, $slaveQueryEngine ) {
+ parent::__construct( $context, $config );
+
+ $this->store = $store;
+ $this->query = $query;
+ $this->result =& $result;
+ $this->slaveQueryEngine = $slaveQueryEngine;
+ }
+
+ /**
+ *
+ * @param \SMW\Store $store
+ * @param \SMWQuery $query
+ * @param \SMWQueryResult $result
+ * @param \SMW\SQLStore\QueryEngine\QueryEngine $slaveQueryEngine
+ * @return boolean
+ */
+ public static function callback( $store, $query, &$result,
$slaveQueryEngine ) {
+ $className = static::class;
+ $hookHandler = new $className(
+ null,
+ null,
+ $store,
+ $query,
+ $result,
+ $slaveQueryEngine
+ );
+ return $hookHandler->process();
+ }
+}
\ No newline at end of file
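Review bot: The `$result` property docblock carries the ATTENTION sentence but no `@var`, and the constructor documents it as `@param null $result` while `callback()` documents the same value as `@param \SMWQueryResult $result`; the contract is clearer as `@var \SMWQueryResult|null` on the property, with a lower-case note such as `// null on entry; must hold an \SMWQueryResult if process() returns false`. The `callback()` docblock's `@return boolean` should be `@return bool`, and the file lacks a trailing newline.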
diff --git
a/src/Hook/SMWStoreBeforeQueryResultLookupComplete/AddPermissionBasedNamespaceFilters.php
b/src/Hook/SMWStoreBeforeQueryResultLookupComplete/AddPermissionBasedNamespaceFilters.php
new file mode 100644
index 0000000..8d6a819
--- /dev/null
+++
b/src/Hook/SMWStoreBeforeQueryResultLookupComplete/AddPermissionBasedNamespaceFilters.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace BlueSpice\SMWConnector\Hook\SMWStoreBeforeQueryResultLookupComplete;
+
+use BlueSpice\SMWConnector\Hook\SMWStoreBeforeQueryResultLookupComplete;
+use SMW\Query\Language\Disjunction;
+use SMW\Query\Language\Conjunction;
+use SMW\Query\Language\NamespaceDescription;
+
+class AddPermissionBasedNamespaceFilters extends
SMWStoreBeforeQueryResultLookupComplete {
+
+ /**
+ *
+ * @var \SMW\Query\Language\Description
+ */
+ protected $originalDescription = null;
+
+ protected function doProcess() {
+ $namespaceFilterDisjunction =
$this->makeNamespaceFilterDisjunction();
+ $this->originalDescription = $this->query->getDescription();
+
+ //The user is not allowed to read in any namespace!?
+ if( $namespaceFilterDisjunction instanceof Disjunction ===
false ) {
+ $this->result = new \SMWQueryResult(
+ $this->originalDescription->getPrintRequests(),
+ $this->query,
+ [],
+ $this->store
+ );
+ return false;
+ }
+
+ $newDescription = new Conjunction( [
+ $this->originalDescription,
+ $namespaceFilterDisjunction
+ ] );
+
+ $this->query->setDescription( $newDescription );
+
+ return true;
+ }
+
+ /**
+ * @return Disjunction|null
+ */
+ protected function makeNamespaceFilterDisjunction() {
+ $readableNamespaceDescriptions = [];
+ $namespaceIds =
$this->getContext()->getLanguage()->getNamespaceIds();
+ foreach( $namespaceIds as $nmspText => $namespaceId ) {
+ $dummyTitle = \Title::makeTitle( $namespaceId, 'X' );
+ if( $dummyTitle->userCan( 'read' ) ) {
+ $readableNamespaceDescriptions[] = new
NamespaceDescription( $namespaceId );
+ }
+ }
+
+ if( empty( $readableNamespaceDescriptions ) ) {
+ return null;
+ }
+
+ return new Disjunction( $readableNamespaceDescriptions );
+ }
+}
\ No newline at end of file
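Review bot: `makeNamespaceFilterDisjunction()` iterates `getNamespaceIds()`, which maps every namespace name, alias and canonical name to its id, so the same id appears several times and the disjunction receives duplicate `NamespaceDescription` entries; iterate `foreach ( array_unique( $namespaceIds ) as $namespaceId ) {` and drop the unused `$nmspText`. The probe `\Title::makeTitle( $namespaceId, 'X' )->userCan( 'read' )` is namespace-granular by design, leaving per-page restrictions to the After hook; a comment stating that division of responsibility would help, and the check again passes no explicit user, so it presumably resolves to the global user rather than one from the handler's context. Finally, `instanceof Disjunction === false` reads more plainly as `if ( $namespaceFilterDisjunction === null ) {`, which also matches the helper's `@return Disjunction|null` contract.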
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3b42b8987fd37b9d3c3ad23ac46608e81d652bed
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/BlueSpiceSMWConnector
Gerrit-Branch: master
Gerrit-Owner: Robert Vogel <[email protected]>