From 3beb11caeb4ad03ac1bb41b03a142768407467ab Mon Sep 17 00:00:00 2001
From: Maxence Lange <maxence@artificial-owl.com>
Date: Mon, 13 Dec 2021 10:50:48 -0100
Subject: [PATCH] filter allowed type of member

Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
---
 lib/FederatedItems/SingleMemberAdd.php | 6 ++++++
 lib/Model/Member.php                   | 2 ++
 lib/Service/ConfigService.php          | 3 +++
 lib/StatusCode.php                     | 3 ++-
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/FederatedItems/SingleMemberAdd.php b/lib/FederatedItems/SingleMemberAdd.php
index a690aab74..ccfc62cc4 100644
--- a/lib/FederatedItems/SingleMemberAdd.php
+++ b/lib/FederatedItems/SingleMemberAdd.php
@@ -351,6 +351,12 @@ protected function generateMember(FederatedEvent $event, Circle $circle, Member
 			throw new FederatedItemBadRequestException(StatusCode::$MEMBER_ADD[120], 120);
 		}
 
+		$allowedTypes = $this->configService->getAppValueInt(ConfigService::ALLOWED_TYPES);
+		if ($federatedUser->getUserType() < Member::TYPE_APP
+			&& ($allowedTypes & $federatedUser->getUserType()) === 0) {
+			throw new FederatedItemBadRequestException(StatusCode::$MEMBER_ADD[132], 132);
+		}
+
 		if ($federatedUser->getBasedOn()->isConfig(Circle::CFG_ROOT)) {
 			throw new FederatedItemBadRequestException(StatusCode::$MEMBER_ADD[125], 125);
 		}
diff --git a/lib/Model/Member.php b/lib/Model/Member.php
index 7f3961903..4abccfb85 100644
--- a/lib/Model/Member.php
+++ b/lib/Model/Member.php
@@ -77,6 +77,8 @@ class Member extends ManagedModel implements
 	public const TYPE_CIRCLE = 16;
 	public const TYPE_APP = 10000;
 
+	public const ALLOWING_ALL_TYPES = 31;
+
 	public const APP_CIRCLES = 10001;
 	public const APP_OCC = 10002;
 
diff --git a/lib/Service/ConfigService.php b/lib/Service/ConfigService.php
index 60b1163fb..6897e7413 100644
--- a/lib/Service/ConfigService.php
+++ b/lib/Service/ConfigService.php
@@ -103,6 +103,7 @@ class ConfigService {
 	public const SELF_SIGNED_CERT = 'self_signed_cert';
 	public const MEMBERS_LIMIT = 'members_limit';
 	public const ACTIVITY_ON_NEW_CIRCLE = 'creation_activity';
+	public const ALLOWED_TYPES = 'allowed_types';
 
 	public const MIGRATION_BYPASS = 'migration_bypass';
 	public const MIGRATION_22 = 'migration_22';
@@ -176,6 +177,8 @@ class ConfigService {
 		self::SELF_SIGNED_CERT => '0',
 		self::MEMBERS_LIMIT => '-1',
 		self::ACTIVITY_ON_NEW_CIRCLE => '1',
+		self::ALLOWED_TYPES => Member::ALLOWING_ALL_TYPES,
+
 		self::MIGRATION_BYPASS => '0',
 		self::MIGRATION_22 => '0',
 		self::MIGRATION_22_1 => '0',
diff --git a/lib/StatusCode.php b/lib/StatusCode.php
index 4ffa5e9e7..c846ce98b 100644
--- a/lib/StatusCode.php
+++ b/lib/StatusCode.php
@@ -68,7 +68,8 @@ class StatusCode {
 		128 => 'Cannot add Circle as its own Member',
 		129 => 'Member does not contains a patron',
 		130 => 'Member is invited by an entity that does not belongs to the instance at the origin of the request',
-		131 => 'Member is a non-local Circle'
+		131 => 'Member is a non-local Circle',
+		132 => 'Member type not allowed'
 	];
 
 	public static $MEMBER_LEVEL = [