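def cboxOpen():
    '''Returns a WOPISrc target and an access token to be passed to Microsoft Office online for
    accessing a given file for a given user. This is the most sensitive call as it provides direct
    access to any user's file, therefore it is protected both by IP and a shared secret. The shared
    secret protection is disabled when running in plain http mode for testing purposes.

    Query parameters read from the request: ruid and rgid (required, positive integers, root is
    refused), filename and folderurl (required, URL-encoded), canedit ("true" grants edit rights)
    and username (optional, passed to the token as friendly name and written to the log).

    Returns a (body, status) tuple. On success the body is the URL-encoded WOPISrc followed by
    '&access_token=<token>'. Every authorization failure answers 401 with the same generic text so
    a caller cannot tell which of the checks failed; a missing filename/folderurl is a 400 and a
    file that cannot be opened is a 404.'''
    Wopi.refreshconfig()
    req = flask.request
    # if running in https mode, first check if the shared secret matches ours. The comparison is
    # constant-time so response timing does not leak how many leading bytes of the secret matched.
    # NOTE(review): with useHttps False the secret is not checked at all and the IP allowlist below
    # is the only protection of this endpoint.
    if Wopi.useHttps and not _sharedSecretMatches(req.headers.get('Authorization'), Wopi.ocsecret):
        Wopi.log.warning('msg="cboxOpen: unauthorized access attempt, missing authorization token" client="%s"' % req.remote_addr)
        return 'Client not authorized', httplib.UNAUTHORIZED
    # now validate the user identity and deny root access. Negative ids are refused as well: they are
    # never valid uids/gids and would otherwise be forwarded verbatim into the access token. A missing
    # parameter is treated like a malformed one (fail closed with the same 401).
    try:
        ruid = int(req.args['ruid'])
        rgid = int(req.args['rgid'])
        if ruid <= 0 or rgid <= 0:
            raise ValueError
    except (KeyError, ValueError):
        Wopi.log.warning('msg="cboxOpen: invalid user/group in request" client="%s" user="%s:%s"' % \
                         (req.remote_addr, req.args.get('ruid'), req.args.get('rgid')))
        return 'Client not authorized', httplib.UNAUTHORIZED
    # then resolve the client: only our OwnCloud servers shall use this API. req.remote_addr is the
    # TCP peer as seen by this process: behind a reverse proxy it would be the proxy, not the real
    # client, and the allowlist is only as trustworthy as the DNS answers for the configured names.
    allowedclients = Wopi.config.get('general', 'allowedclients').split()
    if not _clientIsAllowed(req.remote_addr, allowedclients):
        # no match found, fail
        Wopi.log.warning('msg="cboxOpen: unauthorized access attempt, client IP not whitelisted" client="%s"' % req.remote_addr)
        return 'Client not authorized', httplib.UNAUTHORIZED
    # we got a match, generate the access token
    try:
        filename = urllib.unquote(req.args['filename'])
        folderurl = urllib.unquote(req.args['folderurl'])
    except KeyError:
        return 'Missing filename or folderurl', httplib.BAD_REQUEST
    canedit = req.args.get('canedit', '').lower() == 'true'
    username = req.args.get('username', '')
    try:
        # username comes from an allowlisted, authenticated client but is still caller-controlled;
        # it is logged as-is, so quotes in it can confuse a key="value" log parser
        Wopi.log.info('msg="cboxOpen: access granted, generating token" client="%s" user="%d:%d" friendlyname="%s" canedit="%s"' % \
                      (req.remote_addr, ruid, rgid, username, canedit))
        inode, acctok = _generateAccessToken(str(ruid), str(rgid), filename, canedit, username, folderurl)
    except IOError:
        return 'Remote error or file not found', httplib.NOT_FOUND
    # return an URL-encoded WOPISrc URL for the Office Online server
    return urllib.quote_plus('%s/wopi/files/%s' % (_ourHostName(), inode)) + \
        '&access_token=%s' % acctok    # no need to URL-encode the JWT token


def _sharedSecretMatches(presented, secret):
    '''Returns True iff the presented Authorization header value equals 'Bearer <secret>'.

    The comparison is constant-time: hmac.compare_digest where available (2.7.7+/3.3+), otherwise an
    XOR-accumulating loop that always inspects every byte. A missing header, or a value whose type
    cannot be compared with the secret, is simply a mismatch.'''
    import hmac
    if presented is None:
        return False
    expected = 'Bearer ' + secret
    compare = getattr(hmac, 'compare_digest', None)
    if compare is not None:
        try:
            return compare(presented, expected)
        except TypeError:
            # mixed str/unicode or non-ASCII text: cannot be our token anyway
            return False
    # fallback: length check first (length is not secret), then fold every byte difference
    if len(presented) != len(expected):
        return False
    diff = 0
    for x, y in zip(presented, expected):
        diff |= ord(x) ^ ord(y)
    return diff == 0


def _clientIsAllowed(remoteaddr, allowedclients):
    '''Returns True iff remoteaddr equals one of the addresses the configured allowed client names
    resolve to. A name that does not resolve is logged and skipped rather than failing the check.'''
    for c in allowedclients:
        try:
            addrinfo = socket.getaddrinfo(c, None)
        except socket.gaierror:
            Wopi.log.warning('msg="cboxOpen: %s found in configured allowed clients but unknown by DNS resolution, ignoring"' % c)
            continue
        # sockaddr is (host, port[, flowinfo, scopeid]); host is the textual address for v4 and v6
        if any(ai[4][0] == remoteaddr for ai in addrinfo):
            return True
    return False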