Merge ssh://source.netsyms.com:2322/Business/BusinessAppTemplate

# Conflicts: # .gitignore # README.md # action.php # api.php # app.php # composer.json # composer.lock # index.php # lang/en_us.php # lang/messages.php # lib/iputils.php # lib/login.php # lib/userinfo.php # mobile/index.php # nbproject/project.properties # nbproject/project.xml # pages.php # pages/404.php # pages/home.php # required.php # settings.template.php # static/css/app.css # static/img/logo.png # static/img/logo.svg # static/js/app.js
6 years ago · 99a852787d
parent bf332b7559 35e531a56b
commit 99a852787d
17 changed files with 66 additions and 20 deletions
--- a/app.php
+++ b/app.php
@ -18,6 +18,12 @@ if (!is_empty($_GET['page'])) {
        $pageid = "404";
    }
 }
+
+header("Link: <static/css/bootstrap.min.css>; rel=preload; as=style", false);
+header("Link: <static/css/material-color/material-color.min.css>; rel=preload; as=style", false);
+header("Link: <static/css/app.css>; rel=preload; as=style", false);
+header("Link: <static/js/jquery-3.3.1.min.js>; rel=preload; as=script", false);
+header("Link: <static/js/bootstrap.min.js>; rel=preload; as=script", false);
 ?>
 <!DOCTYPE html>
 <html>
@ -43,6 +49,7 @@ if (!is_empty($_GET['page'])) {
        if (isset(PAGES[$pageid]['styles'])) {
            foreach (PAGES[$pageid]['styles'] as $style) {
                echo "<link href=\"$style\" rel=\"stylesheet\">\n";
+                header("Link: <$style>; rel=preload; as=style", false);
            }
        }
        ?>
@ -169,6 +176,7 @@ END;
        if (isset(PAGES[$pageid]['scripts'])) {
            foreach (PAGES[$pageid]['scripts'] as $script) {
                echo "<script src=\"$script\"></script>\n";
+                header("Link: <$script>; rel=preload; as=script", false);
            }
        }
        ?>
--- a/index.php
+++ b/index.php
@ -72,6 +72,11 @@ if (checkLoginServer()) {
 } else {
    $alert = lang("login server unavailable", false);
 }
+header("Link: <static/css/bootstrap.min.css>; rel=preload; as=style", false);
+header("Link: <static/css/material-color/material-color.min.css>; rel=preload; as=style", false);
+header("Link: <static/css/index.css>; rel=preload; as=style", false);
+header("Link: <static/js/jquery-3.3.1.min.js>; rel=preload; as=script", false);
+header("Link: <static/js/bootstrap.min.js>; rel=preload; as=script", false);
 ?>
 <!DOCTYPE html>
 <html>
--- a/lib/iputils.php
+++ b/lib/iputils.php
@ -25,7 +25,7 @@ function ip4_in_cidr($ip, $cidr) {
 * @param string $ip IP to check in IPV6 format
 * @param string $cidr CIDR netmask
 * @return boolean true if the IP is in this range, false otherwise.
- * @author MW. <https://stackoverflow.com/a/7952169>
+ * @author MW. <https://stackoverflow.com/a/7952169/2534036>
 */
 function ip6_in_cidr($ip, $cidr) {
    $address = inet_pton($ip);
--- a/lib/login.php
+++ b/lib/login.php
@ -40,6 +40,33 @@ function checkLoginServer() {
    }
 }

+/**
+ * Checks if the given AccountHub API key is valid by attempting to 
+ * access the API with it.
+ * @param String $key The API key to check
+ * @return boolean TRUE if the key is valid, FALSE if invalid or something went wrong
+ */
+function checkAPIKey($key) {
+    try {
+        $client = new GuzzleHttp\Client();
+
+        $response = $client
+                ->request('POST', PORTAL_API, [
+            'form_params' => [
+                'key' => $key,
+                'action' => "ping"
+            ]
+        ]);
+
+        if ($response->getStatusCode() === 200) {
+            return true;
+        }
+        return false;
+    } catch (Exception $e) {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 //                           Account handling                                 //
 ////////////////////////////////////////////////////////////////////////////////
--- a/mobile/index.php
+++ b/mobile/index.php
@ -9,6 +9,10 @@
 * Mobile app API
 */

+// The name of the permission needed to log in.
+// Set to null if you don't need it.
+$access_permission = "ADMIN";
+
 require __DIR__ . "/../required.php";

 require __DIR__ . "/../lib/login.php";
@ -93,9 +97,9 @@ switch ($VARS['action']) {
        if (user_exists($VARS['username'])) {
            if (get_account_status($VARS['username']) == "NORMAL") {
                if (authenticate_user($VARS['username'], $VARS['password'], $autherror)) {
-                    if (account_has_permission($VARS['username'], "ADMIN")) {
+                    if (is_null($access_permission) || account_has_permission($VARS['username'], $access_permission)) {
                        doLoginUser($VARS['username'], $VARS['password']);
-                        $_SESSION['mobile'] = TRUE;
+                        $_SESSION['mobile'] = true;
                        exit(json_encode(["status" => "OK"]));
                    } else {
                        exit(json_encode(["status" => "ERROR", "msg" => lang("no admin permission", false)]));
--- a/required.php
+++ b/required.php
@ -12,10 +12,12 @@ ob_start(); // allow sending headers after content
 // Unicode, solves almost all stupid encoding problems
 header('Content-Type: text/html; charset=utf-8');

-// l33t $ecurity h4x
+// Strip PHP version
+header('X-Powered-By: PHP');
+
+// Security
 header('X-Content-Type-Options: nosniff');
 header('X-XSS-Protection: 1; mode=block');
-header('X-Powered-By: PHP'); // no versions makes it harder to find vulns
 header('X-Frame-Options: "DENY"');
 header('Referrer-Policy: "no-referrer, strict-origin-when-cross-origin"');
 $SECURE_NONCE = base64_encode(random_bytes(8));
@ -81,7 +83,7 @@ function sendError($error) {
            . "<h1>A fatal application error has occurred.</h1>"
            . "<i>(This isn't your fault.)</i>"
            . "<h2>Details:</h2>"
-            . "<p>". htmlspecialchars($error) . "</p>");
+            . "<p>" . htmlspecialchars($error) . "</p>");
 }

 date_default_timezone_set(TIMEZONE);