[Question/Discussion] Add ”auth hooks” for extended permission controls in the virtual file system?

[Boilerplate4u]

• Background and use case:
  I’m looking for a way to add ”auth hooks” for extended permission controls to the virtual file system that could for example be utilized by client certificates to control access on multiple levels.

• Questions that maybe a core developer may know the answer to:
  Is there a conceptual description of the virtual file system (as "core/lib/private/Files/Filesystem.php" and friends) or is it reverse engineering à la "study the source code" that applies?

  Ref: https://github.com/owncloud/core/tree/v9.1.0beta1/lib/private/Files

• Regarding https://github.com/owncloud/core/wiki/ownCloud-9.1-Features that really caught my mind was:

  • Pluggable Auth - Updating the ownCloud server to enable easier implementation / activation of different authentication mechanisms, such as the L2 request for 2 Factor Auth 9.1: Pluggable Auth #23458
  • Internal 2 Factor - After creating a more modular authentication mechanism, this will allow an admin to use email to provide a second factor for ownCloud logins. Note: this has mobile and desktop implications for it to be completed. HTTP 404 error by accesing to ownCloud using mobile apps #1211

  a). Does that mean you can start working on client certificate authentication i.e use certificate attributes in the login process using "Pluggable Auth"?

  b). Btw, does anyone know if the internal virtual filesystem utilizes some kind of general authentication and permission control on the file level (besides add, change and delete). If not, would it be possible to implement a similar "Pluggable Auth" on the virtual file system with a decent amount of work?

Would be very grateful for any kind of pointers regarding this or info about test cases (or apps) that utilize permission control on the file system level...

Regarding: https://github.com/owncloud/core/blob/v9.1.0beta1/lib/private/Files/Node/File.php

    public function fopen($mode) {
        . . .
        . . .
        if ($this->checkPermissions($requiredPermissions)) {
            $this->sendHooks($preHooks);
            $result = $this->view->fopen($this->path, $mode);
            $this->sendHooks($postHooks);
            return $result;
        } else {
            throw new NotPermittedException();
        }

I noticed some "hooks" (preHooks, postHooks) in the code above. Are they available to use as extended permission controls?

[DeepDiver1975]

Is there a conceptual description of the virtual file system (as "core/lib/private/Files/Filesystem.php" and friends)

@icewind1991 has a presentation somewhere

[DeepDiver1975]

is it reverse engineering à la "study the source code" that applies?

always a good practive 😉

[DeepDiver1975]

I’m looking for a way to add ”auth hooks” for extended permission controls to the virtual file system that could for example be utilized by client certificates to control access on multiple levels.

I honestly don't see the use case. A user has a client cert and this cert is used for auth.
So either the user has access to his files or not. What additional level should be applied?

[PVince81]

Closing due to lack of feedback.

[ownclouders]

Hey, this issue has been closed because the label needs info is set and there were no updates for 14 days. Feel free to reopen this issue if you deem it appropriate.

(This is an automated comment from GitMate.io.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.