
Add more permissions checks

master
Skylar Ittner 5 months ago
parent
commit
b250908663
2 changed files with 22 additions and 11 deletions
  1. 7
    10
      mobile/index.php
  2. 15
    1
      required.php

+ 7
- 10
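--- a/mobile/index.php
+++ b/mobile/index.php
@@ -8,10 +8,6 @@
  * Mobile app API
  */
 
-// The name of the permission needed to log in.
-// Set to null if you don't need it.
-$access_permission = null;
-
 require __DIR__ . "/../required.php";
 
 header('Content-Type: application/json');
@@ -70,13 +66,14 @@ switch ($VARS['action']) {
         if ($user->exists()) {
             if ($user->getStatus()->getString() == "NORMAL") {
                 if ($user->checkPassword($VARS['password'])) {
-                    if (is_null($access_permission) || $user->hasPermission($access_permission)) {
-                        Session::start($user);
-                        $_SESSION['mobile'] = true;
-                        exit(json_encode(["status" => "OK"]));
-                    } else {
-                        exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)]));
+                    foreach ($SETTINGS['permissions'] as $perm) {
+                        if (!$user->hasPermission($perm)) {
+                            exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)]));
+                        }
                     }
+                    Session::start($user);
+                    $_SESSION['mobile'] = true;
+                    exit(json_encode(["status" => "OK"]));
                 }
             }
         }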
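Review bot: The new login gate assumes `$SETTINGS['permissions']` is a defined array; with a settings file that predates this change (the old per-file `$access_permission` default is removed here, so nothing guarantees the key exists) the foreach emits a warning, iterates zero times, and login succeeds with no permission check at all. If "no entries means no permission required" is the intended default, make it explicit and warning-free with `foreach ($SETTINGS['permissions'] ?? [] as $perm) {`; if not, fail closed when the key is missing. The denial also now uses a new string key, `$Strings->get("no permission", false)` — presumably the language files need that key added, worth confirming. The enclosing `switch` body starts and ends outside the hunk.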

+ 15
- 1
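--- a/required.php
+++ b/required.php
@@ -131,11 +131,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     define("GET", true);
 }
 
-
 function dieifnotloggedin() {
     if ($_SESSION['loggedin'] != true) {
         sendError("Session expired.  Please log out and log in again.");
     }
+    $user = new User($_SESSION['uid']);
+    foreach ($SETTINGS['permissions'] as $perm) {
+        if (!$user->hasPermission($perm)) {
+            session_destroy();
+            die("You don't have permission to be here.");
+        }
+    }
 }
 
 /**
@@ -160,4 +166,12 @@ function redirectIfNotLoggedIn() {
         header('Location: ' . $SETTINGS['url'] . '/index.php');
         die();
     }
+    $user = new User($_SESSION['uid']);
+    foreach ($SETTINGS['permissions'] as $perm) {
+        if (!$user->hasPermission($perm)) {
+            session_destroy();
+            header('Location: ./index.php');
+            die("You don't have permission to be here.");
+        }
+    }
 }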
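Review bot: In `dieifnotloggedin()` (whole body visible in the first hunk) `$SETTINGS` is never brought into function scope, so `$SETTINGS['permissions']` is an undefined local: the foreach warns, runs zero times, and the new permission check never denies anyone — the gate fails open. Add `global $SETTINGS;` as the first statement of the function (the hunk only shows `$_SESSION`, which is a superglobal and does not have this problem). `redirectIfNotLoggedIn()` starts outside the second hunk, so I cannot see whether it already declares `global $SETTINGS` — its pre-existing `$SETTINGS['url']` use suggests it may, but it is worth confirming. Both functions now carry an identical check loop; a shared helper such as `dieIfMissingPermissions(User $user)` would keep the two from drifting apart.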
