Working on adding controller security

7 years ago · 0a2e37320a
parent 3e8085110f
commit 0a2e37320a
4 changed files with 23 additions and 3 deletions
--- a/api/BusinessLogic/Security/UserPrivilege.php
+++ b/api/BusinessLogic/Security/UserPrivilege.php
@ -15,4 +15,5 @@ class UserPrivilege extends \BaseClass {
    const CAN_EDIT_TICKETS = 'can_edit_tickets';
    const CAN_DELETE_TICKETS = 'can_del_tickets';
    const CAN_MANAGE_CATEGORIES = 'can_man_cat';
+    const CAN_MANAGE_SERVICE_MESSAGES = 'can_service_msg';
 }
--- a/api/Controllers/ServiceMessages/ServiceMessagesController.php
+++ b/api/Controllers/ServiceMessages/ServiceMessagesController.php
@ -2,15 +2,30 @@

 namespace Controllers\ServiceMessages;

+use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Helpers;
 use BusinessLogic\Security\UserContext;
+use BusinessLogic\Security\UserPrivilege;
 use BusinessLogic\ServiceMessages\ServiceMessage;
 use BusinessLogic\ServiceMessages\ServiceMessageHandler;
+use Controllers\ControllerWithSecurity;
 use Controllers\JsonRetriever;

 class ServiceMessagesController extends \BaseClass {
+    /**
+     * @param $userContext UserContext
+     * @throws ApiFriendlyException
+     */
+    function checkSecurity($userContext) {
+        if (!in_array(UserPrivilege::CAN_MANAGE_SERVICE_MESSAGES, $userContext->permissions)) {
+            throw new ApiFriendlyException("User does not have permission to access the following URI: " . $_SERVER['REQUEST_URI'], "Access Forbidden", 403);
+        }
+    }
+    
    function get() {
-        global $applicationContext, $hesk_settings;
+        global $applicationContext, $hesk_settings, $userContext;
+
+        $this->checkSecurity($userContext);

        /* @var $handler ServiceMessageHandler */
        $handler = $applicationContext->get(ServiceMessageHandler::clazz());
--- a/api/Core/json_error.php
+++ b/api/Core/json_error.php
@ -7,7 +7,11 @@ function print_error($title, $message, $logId = null, $response_code = 500) {
    $error['type'] = 'ERROR';
    $error['title'] = $title;
    $error['message'] = $message;
-    $error['logId'] = $logId;
+
+    if ($logId !== null) {
+        $error['logId'] = $logId;
+    }
+

    print output($error, $response_code);
    return;
--- a/api/index.php
+++ b/api/index.php
@ -105,7 +105,7 @@ function exceptionHandler($exception) {
        /* @var $castedException \BusinessLogic\Exceptions\ApiFriendlyException */
        $castedException = $exception;

-        print_error($castedException->title, $castedException->getMessage(), $castedException->httpResponseCode);
+        print_error($castedException->title, $castedException->getMessage(), null, $castedException->httpResponseCode);
    } elseif (exceptionIsOfType($exception, \Core\Exceptions\SQLException::clazz())) {
        /* @var $castedException \Core\Exceptions\SQLException */
        $castedException = $exception;