Support blacklisting per domain groups

2025-03-11 16:13:16 +01:00 · 2020-07-29 08:08:08 +12:00 · 2020-07-29 08:08:08 +12:00 · d5e189422f
commit d5e189422f
parent 94908fd1a7
3 changed files with 46 additions and 7 deletions
--- a/domain-server/src/DomainGatekeeper.cpp
+++ b/domain-server/src/DomainGatekeeper.cpp
@ -169,27 +169,25 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
 #endif
    }

-    // If this user is a known member of an externally-hosted group, give them the implied permissions.
+    // If this user is a known member of a domain group, give them the implied permissions.
    // Do before processing verifiedUsername in case user is logged into the metaverse and is a member of a blacklist group.
    if (!verifiedDomainUserName.isEmpty()) {
        auto userGroups = _domainGroupMemberships[verifiedDomainUserName];
        foreach (QString userGroup, userGroups) {
            // Domain groups may be specified as comma- and/or space-separated lists of group names.
            // For example, "silver gold, platinum".
-            auto domainGroups = _server->_settingsManager.getAllKnownGroupNames()
+            auto domainGroups = _server->_settingsManager.getDomainGroupNames()
                .filter(QRegularExpression("^(.*[\\s,])?" + userGroup + "([\\s,].*)?$", 
                    QRegularExpression::CaseInsensitiveOption));
            foreach(QString domainGroup, domainGroups) {
                userPerms |= _server->_settingsManager.getPermissionsForGroup(domainGroup, QUuid()); // No rank for domain groups.
-// ####### Enable ifdef
-//#ifdef WANT_DEBUG
+#ifdef WANT_DEBUG
                qDebug() << "|  user-permissions: domain user " << verifiedDomainUserName << "is in group:" << domainGroup
                    << "so:" << userPerms;
-//#endif
+#endif
            }
        }

-        userPerms.setVerifiedDomainUserName(verifiedDomainUserName);
    }

    if (verifiedUsername.isEmpty()) {
@ -293,6 +291,26 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
        userPerms.setVerifiedUserName(verifiedUsername);
    }

+    // If this user is a known member of an domain group that is blacklisted, remove the implied permissions.
+    if (!verifiedDomainUserName.isEmpty()) {
+        auto userGroups = _domainGroupMemberships[verifiedDomainUserName];
+        foreach(QString userGroup, userGroups) {
+            // Domain groups may be specified as comma- and/or space-separated lists of group names.
+            // For example, "silver gold, platinum".
+            auto domainGroups = _server->_settingsManager.getDomainBlacklistGroupNames()
+                .filter(QRegularExpression("^(.*[\\s,])?" + userGroup + "([\\s,].*)?$",
+                    QRegularExpression::CaseInsensitiveOption));
+            foreach(QString domainGroup, domainGroups) {
+                userPerms &= ~_server->_settingsManager.getForbiddensForGroup(domainGroup, QUuid());
+#ifdef WANT_DEBUG
+                qDebug() << "|  user-permissions: domain user is in blacklist group:" << domainGroup << "so:" << userPerms;
+#endif
+            }
+        }
+
+        userPerms.setVerifiedDomainUserName(verifiedDomainUserName);
+    }
+
 #ifdef WANT_DEBUG
    qDebug() << "|  user-permissions: final:" << userPerms;
 #endif
@ -1065,7 +1083,7 @@ void DomainGatekeeper::getDomainGroupMemberships(const QString& domainUserName)
    //         a copy of some of the following code can be made there. However, this code is still needed for refreshing groups.

    QStringList wordpressGroupsForUser;
-    wordpressGroupsForUser << "silVER" << "gold";
+    wordpressGroupsForUser << "silVER" << "gold" << "coal";
    _domainGroupMemberships[domainUserName] = wordpressGroupsForUser;
 }

--- a/domain-server/src/DomainServerSettingsManager.cpp
+++ b/domain-server/src/DomainServerSettingsManager.cpp
@ -2185,6 +2185,24 @@ QList<QUuid> DomainServerSettingsManager::getBlacklistGroupIDs() {
    return result.toList();
 }

+QStringList DomainServerSettingsManager::getDomainGroupNames() {
+    // Names as configured in domain server; not necessarily mnetaverse groups.
+    QSet<QString> result;
+    foreach(NodePermissionsKey groupKey, _groupPermissions.keys()) {
+        result += _groupPermissions[groupKey]->getID();
+    }
+    return result.toList();
+}
+
+QStringList DomainServerSettingsManager::getDomainBlacklistGroupNames() {
+    // Names as configured in domain server; not necessarily mnetaverse groups.
+    QSet<QString> result;
+    foreach (NodePermissionsKey groupKey, _groupForbiddens.keys()) {
+        result += _groupForbiddens[groupKey]->getID();
+    }
+    return result.toList();
+}
+
 void DomainServerSettingsManager::debugDumpGroupsState() {
    qDebug() << "--------- GROUPS ---------";

--- a/domain-server/src/DomainServerSettingsManager.h
+++ b/domain-server/src/DomainServerSettingsManager.h
@ -105,6 +105,9 @@ public:
    QList<QUuid> getGroupIDs();
    QList<QUuid> getBlacklistGroupIDs();

+    QStringList getDomainGroupNames();
+    QStringList getDomainBlacklistGroupNames();
+
    // these are used to locally cache the result of calling "api/v1/groups/.../is_member/..." on metaverse's api
    void clearGroupMemberships(const QString& name) { _groupMembership[name.toLower()].clear(); }
    void recordGroupMembership(const QString& name, const QUuid groupID, QUuid rankID);