ZP-462 #comment implemented admin webservice access. This has to be enabled in...

ZP-462 #comment implemented admin webservice access. This has to be enabled in the config, the auth user must be an admin and the public folder must be available on the system. git-svn-id: https://z-push.org/svn/z-push/trunk@1791 b7dd7b3b-3a3c-0410-9da9-bee62a6cc5b5

ZP-462 #comment implemented admin webservice access. This has to be enabled in...
ZP-462 #comment implemented admin webservice access. This has to be enabled in the config, the auth user must be an admin and the public folder must be available on the system. git-svn-id: https://z-push.org/svn/z-push/trunk@1791 b7dd7b3b-3a3c-0410-9da9-bee62a6cc5b5
7f7790d1 · skummer · 15c0573d · 7f7790d1 · 7f7790d1 · 7f7790d1
Commit 7f7790d1 authored Feb 14, 2014 by skummer
6 changed files
--- a/src/config.php
+++ b/src/config.php
@@ -185,6 +185,13 @@
    // default: 49152 - 48 KB default max photo size in bytes
    define('SYNC_CONTACTS_MAXPICTURESIZE', 49152);
+    // Over the WebserviceUsers command it is possible to retrieve a list of all
+    // known devices and users on this Z-Push system. The authenticated user needs to have
+    // admin rights and a public folder must exist.
+    // In multicompany environments this enable an admin user of any company to retrieve
+    // this full list, so this feature is disabled by default. Enable with care.
+    define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
 /**********************************************************************************
 *  Backend settings
 */

--- a/src/lib/core/zpush.php
+++ b/src/lib/core/zpush.php
@@ -96,6 +96,7 @@ class ZPush {
    // Webservice commands
    const COMMAND_WEBSERVICE_DEVICE = -100;
+    const COMMAND_WEBSERVICE_USERS = -101;
    // Latest supported State version
    const STATE_VERSION = IStateMachine::STATEVERSION_02;
@@ -146,7 +147,8 @@ class ZPush {
                    self::COMMAND_SETTINGS          => array(self::ASV_12, self::REQUESTHANDLER => "Settings"),
                    self::COMMAND_WEBSERVICE_DEVICE => array(self::REQUESTHANDLER => "Webservice", self::PLAININPUT, self::NOACTIVESYNCCOMMAND, self::WEBSERVICECOMMAND),
-                );
+                    self::COMMAND_WEBSERVICE_USERS  => array(self::REQUESTHANDLER => "Webservice", self::PLAININPUT, self::NOACTIVESYNCCOMMAND, self::WEBSERVICECOMMAND),
+            );

--- a/src/lib/default/diffbackend/diffbackend.php
+++ b/src/lib/default/diffbackend/diffbackend.php
@@ -85,6 +85,11 @@ abstract class BackendDiff extends Backend {
    public function Setup($store, $checkACLonly = false, $folderid = false) {
        $this->store = $store;
+        // we don't know if and how diff backends implement the "admin" check, but this will disable it for the webservice
+        // backends which want to implement this, need to overwrite this method explicitely. For more info see https://jira.zarafa.com/browse/ZP-462
+        if ($store == "SYSTEM" && $checkACLonly == true)
+            return false;
        return true;
    }

--- a/src/lib/utils/utils.php
+++ b/src/lib/utils/utils.php
@@ -645,6 +645,7 @@ class Utils {
            // Webservice commands
            case ZPush::COMMAND_WEBSERVICE_DEVICE:    return 'WebserviceDevice';
+            case ZPush::COMMAND_WEBSERVICE_USERS:    return 'WebserviceUsers';
        }
        return false;
    }
@@ -688,6 +689,7 @@ class Utils {
            // Webservice commands
            case 'WebserviceDevice':     return ZPush::COMMAND_WEBSERVICE_DEVICE;
+            case 'WebserviceUsers':      return ZPush::COMMAND_WEBSERVICE_USERS;
        }
        return false;
    }

--- a/src/lib/webservice/webservice.php
+++ b/src/lib/webservice/webservice.php
@@ -71,6 +71,21 @@ class Webservice {
            include_once('webservicedevice.php');
            $this->server->setClass("WebserviceDevice");
        }
+        // the webservice command is handled by its class
+        if ($commandCode == ZPush::COMMAND_WEBSERVICE_USERS) {
+            if (!defined("ALLOW_WEBSERVICE_USERS_ACCESS") || ALLOW_WEBSERVICE_USERS_ACCESS !== true)
+                throw new HTTPReturnCodeException(sprintf("Access to the WebserviceUsers service is disabled in configuration. Enable setting ALLOW_WEBSERVICE_USERS_ACCESS.", Request::GetAuthUser()), 403);
+            ZLog::Write(LOGLEVEL_DEBUG, sprintf("Webservice::HandleWebservice('%s'): executing WebserviceUsers service", $commandCode));
+            if(ZPush::GetBackend()->Setup("SYSTEM", true) == false)
+                throw new AuthenticationRequiredException(sprintf("User '%s' has no admin privileges", Request::GetAuthUser()));
+            include_once('webserviceusers.php');
+            $this->server->setClass("WebserviceUsers");
+        }
        $this->server->handle();
        ZLog::Write(LOGLEVEL_DEBUG, sprintf("Webservice::HandleWebservice('%s'): sucessfully sent %d bytes", $commandCode, ob_get_length()));

--- a/src/lib/webservice/webserviceusers.php
+++ b/src/lib/webservice/webserviceusers.php
+<?php
+/***********************************************
+* File      :   webserviceusers.php
+* Project   :   Z-Push
+* Descr     :   Device remote administration tasks
+*               used over webservice related to Z-Push users
+*
+* Created   :   14.02.2014
+*
+* Copyright 2007 - 2014 Zarafa Deutschland GmbH
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation with the following additional
+* term according to sec. 7:
+*
+* According to sec. 7 of the GNU Affero General Public License, version 3,
+* the terms of the AGPL are supplemented with the following terms:
+*
+* "Zarafa" is a registered trademark of Zarafa B.V.
+* "Z-Push" is a registered trademark of Zarafa Deutschland GmbH
+* The licensing of the Program under the AGPL does not imply a trademark license.
+* Therefore any rights, title and interest in our trademarks remain entirely with us.
+*
+* However, if you propagate an unmodified version of the Program you are
+* allowed to use the term "Z-Push" to indicate that you distribute the Program.
+* Furthermore you may use our trademarks where it is necessary to indicate
+* the intended purpose of a product or service provided you use it in accordance
+* with honest practices in industrial or commercial matters.
+* If you want to propagate modified versions of the Program under the name "Z-Push",
+* you may only do so if you have a written permission by Zarafa Deutschland GmbH
+* (to acquire a permission please contact Zarafa at trademark@zarafa.com).
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*
+* Consult LICENSE file for details
+************************************************/
+include ('lib/utils/zpushadmin.php');
+class WebserviceUsers {
+    /**
+     * Returns a list of all known devices
+     *
+     * @access public
+     * @return array
+     */
+    public function ListDevices() {
+        return ZPushAdmin::ListDevices(false);
+    }
+    /**
+     * Returns a list of all known devices of the users
+     *
+     * @access public
+     * @return array
+     */
+    public function ListDevicesAndUsers() {
+        $devices = ZPushAdmin::ListDevices(false);
+        $output = array();
+        ZLog::Write(LOGLEVEL_INFO, sprintf("WebserviceUsers::ListDevicesAndUsers(): found %d devices", count($devices)));
+        ZPush::GetTopCollector()->AnnounceInformation(sprintf("Retrieved details of %d devices and getting users", count($devices)), true);
+        foreach ($devices as $devid)
+            $output[$devid] = ZPushAdmin::ListUsers($devid);
+        return $output;
+    }
+    /**
+     * Returns a list of all known devices with users and when they synchronized for the first time
+     *
+     * @access public
+     * @return array
+     */
+    public function ListDevicesDetails() {
+        $devices = ZPushAdmin::ListDevices(false);
+        $output = array();
+        ZLog::Write(LOGLEVEL_INFO, sprintf("WebserviceUsers::ListLastSync(): found %d devices", count($devices)));
+        ZPush::GetTopCollector()->AnnounceInformation(sprintf("Retrieved details of %d devices and getting users", count($devices)), true);
+        foreach ($devices as $deviceId) {
+            $output[$deviceId] = array();
+            $users = ZPushAdmin::ListUsers($deviceId);
+            foreach ($users as $user) {
+                $output[$deviceId][$user] = ZPushAdmin::GetDeviceDetails($deviceId, $user);
+            }
+        }
+        return $output;
+    }
+}
+?>
\ No newline at end of file