authorDominik Eckelmann <deckelmann@gmail.com>2012-01-08 15:31:46 +0100
committerDominik Eckelmann <deckelmann@gmail.com>2012-01-08 15:31:46 +0100
commit4beb39ea51a46409ab3abd4a1b880bf5d3d5dc4a (patch)
treed0aabd471dbfd76f2d13ab6e685c60b0a2abbaf3 /inc
parenta317247b19c498f4292480110cf0e0a1ce9780e8 (diff)
enforce acl on remote method call
Diffstat (limited to 'inc')
-rw-r--r--inc/remote.php15
1 files changed, 13 insertions, 2 deletions
diff --git a/inc/remote.php b/inc/remote.php
index 94d428e8c..15d2308f8 100644
--- a/inc/remote.php
+++ b/inc/remote.php
@@ -82,7 +82,6 @@ class RemoteAPI {
* @return mixed result of method call, must be a primitive type.
*/
public function call($method, $args = array()) {
- $this->forceAccess();
list($type, $pluginName, $call) = explode('.', $method, 3);
if ($type === 'plugin') {
$plugin = plugin_load('remote', $pluginName);
@@ -90,10 +89,12 @@ class RemoteAPI {
if (!$plugin) {
throw new RemoteException('Method dose not exists');
}
+ $this->checkAccess($methods[$method]);
$name = $this->getMethodName($methods, $method);
return call_user_func_array(array($plugin, $name), $args);
} else {
$coreMethods = $this->getCoreMethods();
+ $this->checkAccess($coreMethods[$method]);
if (!isset($coreMethods[$method])) {
throw new RemoteException('Method dose not exists');
}
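Review bot: In the core branch, `$this->checkAccess($coreMethods[$method]);` runs before the `isset($coreMethods[$method])` test, so an unknown method name reads an undefined index and the access decision is made on null. That fails closed today, because checkAccess() treats a missing 'public' key as protected, but only as a side effect of the undefined-index path. Making the lookup explicit keeps the deny-by-default order without the notice: `$this->checkAccess(isset($coreMethods[$method]) ? $coreMethods[$method] : null);`. The plugin branch indexes `$methods[$method]` the same way before getMethodName() runs; `$methods` is built outside the hunk, so confirm the key is guaranteed to exist there. The body of call() starts and ends outside this hunk.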
@@ -102,6 +103,16 @@ class RemoteAPI {
}
}
+ private function checkAccess($methodMeta) {
+ if (!isset($methodMeta['public'])) {
+ $this->forceAccess();
+ } else{
+ if ($methodMeta['public'] == '0') {
+ $this->forceAccess();
+ }
+ }
+ }
+
private function checkArgumentLength($method, $args) {
if (count($method['args']) < count($args)) {
throw new RemoteException('Method dose not exists - wrong parameter count.');
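Review bot: The loose comparison `$methodMeta['public'] == '0'` in checkAccess() treats every set value that does not loosely equal '0' as public, including an empty string, so a malformed or mistyped flag fails open. Inverting the test so that only an explicitly truthy flag skips authentication is safer and shorter: `if (empty($methodMeta['public'])) { $this->forceAccess(); }`. A docblock saying that methods are protected unless marked public, and that denial surfaces as the exception thrown by forceAccess(), would help, since this appears to be the one gate in front of every remote call. checkArgumentLength() at the end of the hunk continues outside it.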
@@ -141,7 +152,7 @@ class RemoteAPI {
*/
public function forceAccess() {
if (!$this->hasAccess()) {
- throw new RemoteException('Access denied');
+ throw new RemoteAccessDenied();
}
}