Business
/
NickelBox
Watch 1
Star 0
Fork 0
Code Issues 7 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Add more permissions checks

master
Skylar Ittner 3 months ago
parent
892102528b
commit
b250908663
2 changed files with 22 additions and 11 deletions
Split View Show Diff Stats
  1. 7
    10
      mobile/index.php
  2. 15
    1
      required.php

+ 7
- 10
mobile/index.php View File 

@@ -8,10 +8,6 @@
8 8 
  * Mobile app API
9 9 
  */
10 10
11 
-// The name of the permission needed to log in.
12 
-// Set to null if you don't need it.
13 
-$access_permission = null;
14 
-
15 11 
 require __DIR__ . "/../required.php";
16 12
17 13 
 header('Content-Type: application/json');
 
@@ -70,13 +66,14 @@ switch ($VARS['action']) {
70 66 
         if ($user->exists()) {
71 67 
             if ($user->getStatus()->getString() == "NORMAL") {
72 68 
                 if ($user->checkPassword($VARS['password'])) {
73 
-                    if (is_null($access_permission) || $user->hasPermission($access_permission)) {
74 
-                        Session::start($user);
75 
-                        $_SESSION['mobile'] = true;
76 
-                        exit(json_encode(["status" => "OK"]));
77 
-                    } else {
78 
-                        exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)]));
69 
+                    foreach ($SETTINGS['permissions'] as $perm) {
70 
+                        if (!$user->hasPermission($perm)) {
71 
+                            exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)]));
72 
+                        }
79 73 
                     }
74 
+                    Session::start($user);
75 
+                    $_SESSION['mobile'] = true;
76 
+                    exit(json_encode(["status" => "OK"]));
80 77 
                 }
81 78 
             }
82 79 
         }

+ 15
- 1
required.php View File 

@@ -131,11 +131,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
131 131 
     define("GET", true);
132 132 
 }
133 133
134 
-
135 134 
 function dieifnotloggedin() {
136 135 
     if ($_SESSION['loggedin'] != true) {
137 136 
         sendError("Session expired.  Please log out and log in again.");
138 137 
     }
138 
+    $user = new User($_SESSION['uid']);
139 
+    foreach ($SETTINGS['permissions'] as $perm) {
140 
+        if (!$user->hasPermission($perm)) {
141 
+            session_destroy();
142 
+            die("You don't have permission to be here.");
143 
+        }
144 
+    }
139 145 
 }
140 146
141 147 
 /**
 
@@ -160,4 +166,12 @@ function redirectIfNotLoggedIn() {
160 166 
         header('Location: ' . $SETTINGS['url'] . '/index.php');
161 167 
         die();
162 168 
     }
169 
+    $user = new User($_SESSION['uid']);
170 
+    foreach ($SETTINGS['permissions'] as $perm) {
171 
+        if (!$user->hasPermission($perm)) {
172 
+            session_destroy();
173 
+            header('Location: ./index.php');
174 
+            die("You don't have permission to be here.");
175 
+        }
176 
+    }
163 177 
 }

Write Preview
Loading…
Cancel
Save