More work on security

9 years ago · 0db1f88b7f
parent 5b098c8fca
commit 0db1f88b7f
3 changed files with 26 additions and 1 deletions
--- a/api/businesslogic/security_retriever.php
+++ b/api/businesslogic/security_retriever.php
@ -0,0 +1,8 @@
+<?php
+require_once(API_PATH . 'dao/security_dao.php');
+
+function get_user_for_token($token, $hesk_settings) {
+    $hash = hash('sha512', $token);
+
+    return get_user_for_token_hash($hash, $hesk_settings);
+}
--- a/api/admin/category/index.php
+++ b/api/admin/category/index.php
@ -1,7 +1,7 @@
 <?php
 define('IN_SCRIPT', 1);
 define('HESK_PATH', '../../../');
-define('API_PATH', '../../');
+define('API_PATH', '../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
 require_once(API_PATH . 'core/output.php');
--- a/api/dao/security_dao.php
+++ b/api/dao/security_dao.php
@ -0,0 +1,17 @@
+<?php
+
+function get_user_for_token_hash($hash, $hesk_settings) {
+    $user_id_sql = "SELECT `user_id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "user_api_tokens`
+        WHERE `token` = '" . hesk_dbEscape($hash) . "'";
+
+    $user_id_rs = hesk_dbQuery($user_id_sql);
+    if (hesk_dbNumRows($user_id_rs) == 0) {
+        return http_response_code(422);
+    }
+    $user_id = hesk_dbFetchAssoc($user_id_rs);
+
+    $user_sql = "SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `id` = ".intval($user_id['user_id']);
+    $user_rs = hesk_dbQuery($user_sql);
+
+    return hesk_dbFetchAssoc($user_rs);
+}