Revert "only admins have sftp access"

This reverts commit ecc9415679. We want to support the workflow where normal users can have SFTP access without being cloudron admins. The reason it is admin only is because it is possible to upload/modify app code via SFTP to then get cloudron admin credentials. For this reason, we will fixup the apps as follows: * Unmanaged WP - remove LDAP integration * LAMP - remove LDAP. We will make a new major version that informs the user NOT to update the app if they use LDAP. In 4.1, we will expose the LDAP server, so they can use the public LDAP server for any integration. * Managed WP - Remove SFTP. This is contential but if people want to really build/develop plugins then they can use Unmanaged WP for the dev environment. * Surfer - no change. Can have SFTP and LDAP since code is not modifiable In general, should also be careful then about adding SFTP access to random apps (like say nextcloud), since this would allow normal user to access other people's data.
2019-05-22 14:20:52 -07:00
parent 5b5303ba7f
commit 2e02a3c71e
2 changed files with 17 additions and 15 deletions
@@ -520,22 +520,25 @@ function userSearchSftp(req, res, next) {
        users.getByUsername(username, function (error, user) {
            if (error) return next(new ldap.OperationsError(error.toString()));

-            if (!user.admin) return next(new ldap.InsufficientAccessRightsError('Not authorized'));
+            apps.hasAccessTo(app, user, function (error, hasAccess) {
+                if (error) return next(new ldap.OperationsError(error.toString()));
+                if (!hasAccess) return next(new ldap.InsufficientAccessRightsError('Not authorized'));

-            var obj = {
-                dn: ldap.parseDN(`cn=${username}@${appFqdn},ou=sftp,dc=cloudron`).toString(),
-                attributes: {
-                    homeDirectory: path.join('/app/data', app.id, 'data'),
-                    objectclass: ['user'],
-                    objectcategory: 'person',
-                    cn: user.id,
-                    uid: `${username}@${appFqdn}`,  // for bind after search
-                    uidNumber: uidNumber,           // unix uid for ftp access
-                    gidNumber: uidNumber            // unix gid for ftp access
-                }
-            };
+                var obj = {
+                    dn: ldap.parseDN(`cn=${username}@${appFqdn},ou=sftp,dc=cloudron`).toString(),
+                    attributes: {
+                        homeDirectory: path.join('/app/data', app.id, 'data'),
+                        objectclass: ['user'],
+                        objectcategory: 'person',
+                        cn: user.id,
+                        uid: `${username}@${appFqdn}`,  // for bind after search
+                        uidNumber: uidNumber,           // unix uid for ftp access
+                        gidNumber: uidNumber            // unix gid for ftp access
+                    }
+                };

-            finalSend([ obj ], req, res, next);
+                finalSend([ obj ], req, res, next);
+            });
        });
    });
 }