Add security to additional endpoints

9 years ago · 209e039cdb
parent ab0082c735
commit 209e039cdb
3 changed files with 28 additions and 6 deletions
--- a/api/admin/canned/index.php
+++ b/api/admin/canned/index.php
@ -5,7 +5,7 @@ define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
 require_once(API_PATH . 'core/output.php');
-require_once(API_PATH . 'core/');
+require_once(API_PATH . 'core/headers.php');
 require_once(API_PATH . 'dao/canned_dao.php');
 require_once(API_PATH . 'businesslogic/security_retriever.php');

@ -15,11 +15,7 @@ hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
-    $headers = getallheaders();
-    $token = NULL;
-    if (isset($headers['X-Auth-Token'])) {
-        $token = $headers['X-Auth-Token'];
-    }
+    $token = get_header('X-Auth-Token');

    try {
        get_user_for_token($token, $hesk_settings);
--- a/api/admin/ticket-template/index.php
+++ b/api/admin/ticket-template/index.php
@ -4,8 +4,10 @@ define('HESK_PATH', '../../../');
 define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
+require_once(API_PATH . 'core/headers.php');
 require_once(API_PATH . 'core/output.php');
 require_once(API_PATH . 'dao/ticket_template_dao.php');
+require_once(API_PATH . 'businesslogic/security_retriever.php');

 hesk_load_api_database_functions();
 hesk_dbConnect();
@ -14,6 +16,17 @@ hesk_dbConnect();
 $request_method = $_SERVER['REQUEST_METHOD'];

 if ($request_method == 'GET') {
+    $token = get_header('X-Auth-Token');
+
+    try {
+        get_user_for_token($token, $hesk_settings);
+    } catch (AccessException $e) {
+        if ($e->getCode() == 422) {
+            print_error($e->getMessage(), $e->getMessage());
+        }
+        return http_response_code($e->getCode());
+    }
+
    if (isset($_GET['id'])) {
        $results = get_ticket_template($hesk_settings, $_GET['id']);
    } else {
--- a/api/admin/ticket/index.php
+++ b/api/admin/ticket/index.php
@ -4,8 +4,10 @@ define('HESK_PATH', '../../../');
 define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
+require_once(API_PATH . 'core/headers.php');
 require_once(API_PATH . 'core/output.php');
 require_once(API_PATH . 'dao/ticket_dao.php');
+require_once(API_PATH . 'businesslogic/security_retriever.php');

 hesk_load_api_database_functions();
 hesk_dbConnect();
@ -13,6 +15,17 @@ hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
+    $token = get_header('X-Auth-Token');
+
+    try {
+        get_user_for_token($token, $hesk_settings);
+    } catch (AccessException $e) {
+        if ($e->getCode() == 422) {
+            print_error($e->getMessage(), $e->getMessage());
+        }
+        return http_response_code($e->getCode());
+    }
+
    if (isset($_GET['id'])) {
        $results = get_ticket_for_id($hesk_settings, $_GET['id']);
    } elseif (isset($_GET['trackid'])) {