r22324: Another step closer to nice listing of user accounts.

[samba.git] / services / json_auth.esp

<%
libinclude("auth.js");

/* Return true to allow access; false otherwise */
function json_authenticate(serviceComponents, method, scriptTransportId, error)
{
    // Don't allow any access via ScriptTransport, for now.  There are serious
    // potential security exploits that will need to be protected against when
    // we do want to allow use of ScriptTransport.  -- djl
    if (scriptTransportId != jsonrpc.Constant.ScriptTransport.NotInUse)
    {
        error.setError(jsonrpc.Constant.ServerError.PermissionDenied,
                       "Permission denied");
        return false;
    }

    // Does the requested method require authentication?
    if (! _authentication_required(serviceComponents, method))
    {
        // Nope.  Let 'em in.
        return true;
    }

    // Did our session expire?
    if (request['SESSION_EXPIRED'] == "True")
    {
        // Yup.
        error.setError(jsonrpc.Constant.ServerError.SessionExpired,
                       "Session expired");
        error.setInfo(getDomainList());
        return false;
    }

    // Are we authenticated?
    if (! session.AUTHENTICATED)
    {
        // Nope.
        error.setError(jsonrpc.Constant.ServerError.NotLoggedIn,
                       "Not logged in");
        error.setInfo(getDomainList());
        return false;
    }

    return true;
}


/*
 * Return true if authentication is required for the specified method;
 * false otherwise.
 */
function _authentication_required(serviceComponents, method)
{
    var m = join(".", serviceComponents) + "." + method;

    // See if this method requires authentication
    if (m == "samba.system.login" ||
        m == "samba.system.logout")
    {
        // Nope.
        return false;
    }

    // Anything not listed above requires authentication
    return true;
}

/*
 * Local Variables:
 * mode: c
 * End:
 */
%>