Add permissions checks

7 years ago · bdd9b52032
parent 36d0dfb7ea
commit bdd9b52032
7 changed files with 66 additions and 7 deletions
--- a/action.php
+++ b/action.php
@ -20,6 +20,10 @@ function returnToSender($msg, $arg = "") {
    die();
 }

+if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "TASKFLOOR")) {
+    returnToSender("no_permission");
+}
+
 switch ($VARS['action']) {
    case "signout":
        session_destroy();
--- a/api.php
+++ b/api.php
@ -18,6 +18,12 @@ if (user_exists($username) !== true || authenticate_user($username, $password, $
    header("HTTP/1.1 403 Unauthorized");
    die("\"403 Unauthorized\"");
 }
+
+if (!account_has_permission($username, "TASKFLOOR")) {
+    header("HTTP/1.1 403 Unauthorized");
+    die("\"403 Unauthorized\"");
+}
+
 $userinfo = getUserByUsername($username);

 // query max results
--- a/index.php
+++ b/index.php
@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";

 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "TASKFLOOR")) {
    header('Location: app.php');
 }

@ -34,13 +34,17 @@ if (checkLoginServer()) {
                        break;
                }
                if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
-                    if (userHasTOTP($VARS['username'])) {
-                        $multiauth = true;
+                    if (account_has_permission($VARS['username'], "TASKFLOOR") == FALSE) {
+                        $alert = lang("no permission", false);
                    } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
-                        header('Location: app.php');
-                        die("Logged in, go to app.php");
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
+                        if (userHasTOTP($VARS['username'])) {
+                            $multiauth = true;
+                        } else {
+                            doLoginUser($VARS['username'], $VARS['password']);
+                            header('Location: app.php');
+                            die("Logged in, go to app.php");
+                        }
                    }
                }
            } else {
--- a/lang/en_us.php
+++ b/lang/en_us.php
@ -20,6 +20,7 @@ define("STRINGS", [
    "settings" => "Settings",
    "options" => "Options",
    "404 error" => "404 Error",
+    "no permission" => "You do not have permission to access this system.",
    "page not found" => "Page not found.",
    "invalid parameters" => "Invalid request parameters.",
    "login server error" => "The login server returned an error: {arg}",
--- a/lang/messages.php
+++ b/lang/messages.php
@ -13,6 +13,10 @@ define("MESSAGES", [
        "string" => "page not found",
        "type" => "info"
    ],
+    "no_permission" => [
+        "string" => "no permission",
+        "type" => "danger"
+    ],
    "task_saved" => [
        "string" => "task saved",
        "type" => "success"
--- a/lib/login.php
+++ b/lib/login.php
@ -157,6 +157,37 @@ function get_account_status($username) {
    }
 }

+/**
+ * Check if the given username has the given permission (or admin access)
+ * @param string $username
+ * @param string $permcode
+ * @return boolean TRUE if the user has the permission (or admin access), else FALSE
+ */
+function account_has_permission($username, $permcode) {
+    $client = new GuzzleHttp\Client();
+
+    $response = $client
+            ->request('POST', PORTAL_API, [
+        'form_params' => [
+            'key' => PORTAL_KEY,
+            'action' => "permission",
+            'username' => $username,
+            'code' => $permcode
+        ]
+    ]);
+
+    if ($response->getStatusCode() > 299) {
+        sendError("Login server error: " . $response->getBody());
+    }
+
+    $resp = json_decode($response->getBody(), TRUE);
+    if ($resp['status'] == "OK") {
+        return $resp['has_permission'];
+    } else {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 //                              Login handling                                //
 ////////////////////////////////////////////////////////////////////////////////
--- a/required.php
+++ b/required.php
@ -132,6 +132,10 @@ function dieifnotloggedin() {
    if ($_SESSION['loggedin'] != true) {
        sendError("Session expired.  Please log out and log in again.");
    }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "TASKFLOOR") == FALSE) {
+        die("You don't have permission to be here.");
+    }
 }

 /**
@ -188,6 +192,11 @@ function redirectIfNotLoggedIn() {
        header('Location: ' . URL . '/index.php');
        die();
    }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "TASKFLOOR") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
+    }
 }

 /**