diff --git a/mobile/index.php b/mobile/index.php index dbb10f3..5b14cbc 100644 --- a/mobile/index.php +++ b/mobile/index.php @@ -8,10 +8,6 @@ * Mobile app API */ -// The name of the permission needed to log in. -// Set to null if you don't need it. -$access_permission = null; - require __DIR__ . "/../required.php"; header('Content-Type: application/json'); @@ -70,13 +66,14 @@ switch ($VARS['action']) { if ($user->exists()) { if ($user->getStatus()->getString() == "NORMAL") { if ($user->checkPassword($VARS['password'])) { - if (is_null($access_permission) || $user->hasPermission($access_permission)) { - Session::start($user); - $_SESSION['mobile'] = true; - exit(json_encode(["status" => "OK"])); - } else { - exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)])); + foreach ($SETTINGS['permissions'] as $perm) { + if (!$user->hasPermission($perm)) { + exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)])); + } } + Session::start($user); + $_SESSION['mobile'] = true; + exit(json_encode(["status" => "OK"])); } } } diff --git a/required.php b/required.php index 3cfa346..45be1df 100644 --- a/required.php +++ b/required.php @@ -131,11 +131,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') { define("GET", true); } - function dieifnotloggedin() { if ($_SESSION['loggedin'] != true) { sendError("Session expired. Please log out and log in again."); } + $user = new User($_SESSION['uid']); + foreach ($SETTINGS['permissions'] as $perm) { + if (!$user->hasPermission($perm)) { + session_destroy(); + die("You don't have permission to be here."); + } + } } /** @@ -160,4 +166,12 @@ function redirectIfNotLoggedIn() { header('Location: ' . $SETTINGS['url'] . '/index.php'); die(); } + $user = new User($_SESSION['uid']); + foreach ($SETTINGS['permissions'] as $perm) { + if (!$user->hasPermission($perm)) { + session_destroy(); + header('Location: ./index.php'); + die("You don't have permission to be here."); + } + } }
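Review bot: The new loop fails open when `$SETTINGS['permissions']` is missing or not an array: `foreach` over `null` only raises a warning, its body never runs, and control falls through to `Session::start($user)`, whereas the removed `is_null($access_permission)` made the no-requirement case an explicit choice. The same shape is repeated in `dieifnotloggedin` and `redirectIfNotLoggedIn` in required.php. Treat a missing or malformed setting as a configuration error rather than as "no permissions required", e.g. `if (!is_array($SETTINGS['permissions'] ?? null)) { exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)])); }` before the loop. The `"no permission"` strings key is new here and the language files are not part of this diff; confirm it exists, since `"no admin permission"` is no longer used by this path.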
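Review bot: `$SETTINGS` is not in scope inside `dieifnotloggedin` — the whole function is visible in this hunk and there is no `global $SETTINGS;` and no parameter — so `$SETTINGS['permissions']` evaluates to `null`, the `foreach` emits a warning and skips its body, and the added permission check never rejects anyone. Add `global $SETTINGS;` as the first statement of the function (`redirectIfNotLoggedIn` presumably already has one above its hunk, since its context line reads `$SETTINGS['url']`). `new User($_SESSION['uid'])` also runs after `sendError(...)` without a `return`; if `sendError` does not terminate the request, `$_SESSION['uid']` may be unset at that point — worth confirming. Since this loop now appears in three places, a single helper such as `function userHasRequiredPermissions(User $user): bool` in required.php would keep the three checks from drifting.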
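Review bot: The new redirect target `header('Location: ./index.php');` is relative, while the line just above it builds the login redirect from `$SETTINGS['url'] . '/index.php'`; use the same absolute form so the redirect does not depend on the URL of the page that called `redirectIfNotLoggedIn`. `redirectIfNotLoggedIn` starts outside this hunk, and the context line referencing `$SETTINGS['url']` suggests a `global $SETTINGS;` exists above — confirm, as the same loop added to `dieifnotloggedin` has none. `session_destroy()` here also leaves the session cookie on the client; if a full logout is intended, clear `$_SESSION` and expire the cookie the same way the application's logout path does.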