Browse Source

Add more permissions checks

master
Skylar Ittner 8 months ago
parent
commit
b250908663
2 changed files with 22 additions and 11 deletions
  1. 7
    10
      mobile/index.php
  2. 15
    1
      required.php

+ 7
- 10
mobile/index.php View File

@@ -8,10 +8,6 @@
* Mobile app API
*/

// The name of the permission needed to log in.
// Set to null if you don't need it.
$access_permission = null;

require __DIR__ . "/../required.php";

header('Content-Type: application/json');
@@ -70,13 +66,14 @@ switch ($VARS['action']) {
if ($user->exists()) {
if ($user->getStatus()->getString() == "NORMAL") {
if ($user->checkPassword($VARS['password'])) {
if (is_null($access_permission) || $user->hasPermission($access_permission)) {
Session::start($user);
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"]));
} else {
exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)]));
foreach ($SETTINGS['permissions'] as $perm) {
if (!$user->hasPermission($perm)) {
exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)]));
}
}
Session::start($user);
$_SESSION['mobile'] = true;
exit(json_encode(["status" => "OK"]));
}
}
}

+ 15
- 1
required.php View File

@@ -131,11 +131,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
define("GET", true);
}


function dieifnotloggedin() {
if ($_SESSION['loggedin'] != true) {
sendError("Session expired. Please log out and log in again.");
}
$user = new User($_SESSION['uid']);
foreach ($SETTINGS['permissions'] as $perm) {
if (!$user->hasPermission($perm)) {
session_destroy();
die("You don't have permission to be here.");
}
}
}

/**
@@ -160,4 +166,12 @@ function redirectIfNotLoggedIn() {
header('Location: ' . $SETTINGS['url'] . '/index.php');
die();
}
$user = new User($_SESSION['uid']);
foreach ($SETTINGS['permissions'] as $perm) {
if (!$user->hasPermission($perm)) {
session_destroy();
header('Location: ./index.php');
die("You don't have permission to be here.");
}
}
}

Loading…
Cancel
Save