From 0a2e37320aef3a7cd9c4f8670772ba051c249a00 Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Fri, 1 Dec 2017 12:56:23 -0500
Subject: [PATCH] Working on adding controller security
---
 api/BusinessLogic/Security/UserPrivilege.php | 1 +
 .../ServiceMessagesController.php | 17 ++++++++++++++++-
 api/Core/json_error.php | 6 +++++-
 api/index.php | 2 +-
 4 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/api/BusinessLogic/Security/UserPrivilege.php b/api/BusinessLogic/Security/UserPrivilege.php
index 353e8e43..8cd1eee4 100644
--- a/api/BusinessLogic/Security/UserPrivilege.php
+++ b/api/BusinessLogic/Security/UserPrivilege.php
@@ -15,4 +15,5 @@ class UserPrivilege extends \BaseClass {
 const CAN_EDIT_TICKETS = 'can_edit_tickets';
 const CAN_DELETE_TICKETS = 'can_del_tickets';
 const CAN_MANAGE_CATEGORIES = 'can_man_cat';
+ const CAN_MANAGE_SERVICE_MESSAGES = 'can_service_msg';
 }
\ No newline at end of file
diff --git a/api/Controllers/ServiceMessages/ServiceMessagesController.php b/api/Controllers/ServiceMessages/ServiceMessagesController.php
index bf6c26de..b147f123 100644
--- a/api/Controllers/ServiceMessages/ServiceMessagesController.php
+++ b/api/Controllers/ServiceMessages/ServiceMessagesController.php
@@ -2,15 +2,30 @@
 namespace Controllers\ServiceMessages;
+use BusinessLogic\Exceptions\ApiFriendlyException;
 use BusinessLogic\Helpers;
 use BusinessLogic\Security\UserContext;
+use BusinessLogic\Security\UserPrivilege;
 use BusinessLogic\ServiceMessages\ServiceMessage;
 use BusinessLogic\ServiceMessages\ServiceMessageHandler;
+use Controllers\ControllerWithSecurity;
 use Controllers\JsonRetriever;
 class ServiceMessagesController extends \BaseClass {
+ /**
+ * @param $userContext UserContext
+ * @throws ApiFriendlyException
+ */
+ function checkSecurity($userContext) {
+ if (!in_array(UserPrivilege::CAN_MANAGE_SERVICE_MESSAGES, $userContext->permissions)) {
+ throw new ApiFriendlyException("User does not have permission to access the following URI: " . $_SERVER['REQUEST_URI'], "Access Forbidden", 403);
+ }
+ }
+
 function get() {
- global $applicationContext, $hesk_settings;
+ global $applicationContext, $hesk_settings, $userContext;
+
+ $this->checkSecurity($userContext);
 /* @var $handler ServiceMessageHandler */
 $handler = $applicationContext->get(ServiceMessageHandler::clazz());
diff --git a/api/Core/json_error.php b/api/Core/json_error.php
index 1ff438c0..c9ea1b61 100644
--- a/api/Core/json_error.php
+++ b/api/Core/json_error.php
@@ -7,7 +7,11 @@ function print_error($title, $message, $logId = null, $response_code = 500) {
 $error['type'] = 'ERROR';
 $error['title'] = $title;
 $error['message'] = $message;
- $error['logId'] = $logId;
+
+ if ($logId !== null) {
+ $error['logId'] = $logId;
+ }
+
 print output($error, $response_code);
 return;
diff --git a/api/index.php b/api/index.php
index d7fa3656..8502e108 100644
--- a/api/index.php
+++ b/api/index.php
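Review bot: `checkSecurity` dereferences `$userContext->permissions` without first checking that the `$userContext` global is set, so a request with no user context fails on the property access and `in_array` instead of with a deliberate denial — on PHP 7 the `in_array` warning happens to yield a 403, on PHP 8 `in_array` on a non-array throws a TypeError that presumably surfaces as a 500. Fail closed explicitly and compare strictly: `if ($userContext === null || !in_array(UserPrivilege::CAN_MANAGE_SERVICE_MESSAGES, $userContext->permissions, true)) {`. The hunk also imports `Controllers\ControllerWithSecurity` but leaves the class header as `extends \BaseClass`, so the import is unused and nothing yet obliges other controller actions to call `checkSecurity`; `get()` and any sibling actions continue outside the hunk. The 403 message reflects `$_SERVER['REQUEST_URI']` back to the caller, which is only safe if `output()` JSON-encodes the body — confirm it does.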
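Review bot: `print_error` still carries no docblock, and its two trailing optional parameters are both positional, which is what let the caller in api/index.php pass the HTTP status as `$logId` until this commit; a docblock stating `@param string $title`, `@param string $message`, `@param string|null $logId` (omitted from the response when null) and `@param int $response_code` (HTTP status sent with the body) would make the argument order visible at every call site. The function's closing brace lies outside the hunk.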
@@ -105,7 +105,7 @@ function exceptionHandler($exception) {
 /* @var $castedException \BusinessLogic\Exceptions\ApiFriendlyException */
 $castedException = $exception;
- print_error($castedException->title, $castedException->getMessage(), $castedException->httpResponseCode);
+ print_error($castedException->title, $castedException->getMessage(), null, $castedException->httpResponseCode);
 } elseif (exceptionIsOfType($exception, \Core\Exceptions\SQLException::clazz())) {
 /* @var $castedException \Core\Exceptions\SQLException */
 $castedException = $exception;