From c77e53fa9e1dfaefb3f6f411ca85fcc90d565f2d Mon Sep 17 00:00:00 2001
From: Mike Koch
Date: Mon, 2 May 2016 17:14:18 -0400
Subject: [PATCH] Secure the internal API

---
 internal-api/admin/api-authentication/index.php | 8 ++++++++
 internal-api/admin/api-settings/index.php | 7 +++++++
 internal-api/admin/calendar/index.php | 5 +++++
 3 files changed, 20 insertions(+)

diff --git a/internal-api/admin/api-authentication/index.php b/internal-api/admin/api-authentication/index.php
index eb922362..8692b19b 100644
--- a/internal-api/admin/api-authentication/index.php
+++ b/internal-api/admin/api-authentication/index.php
@@ -4,15 +4,23 @@ define('HESK_PATH', '../../../');
 define('INTERNAL_API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
+require_once(HESK_PATH . 'inc/admin_functions.inc.php');
 require_once(INTERNAL_API_PATH . 'core/output.php');
 require_once(INTERNAL_API_PATH . 'dao/api_authentication_dao.php');
+hesk_session_start();
 hesk_load_internal_api_database_functions();
 hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'POST') {
+
+    if (!isset($_SESSION['heskprivileges']) || !hesk_checkPermission('can_man_settings', 0)) {
+        print_error('Access Denied', 'Access Denied!');
+        return http_response_code(401);
+    }
+
     $user_id = $_POST['userId'];
     $action = $_POST['action'];
diff --git a/internal-api/admin/api-settings/index.php b/internal-api/admin/api-settings/index.php
index beb5cffe..d2d241bc 100644
--- a/internal-api/admin/api-settings/index.php
+++ b/internal-api/admin/api-settings/index.php
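Review bot: The new guard sits inside the `if ($request_method == 'POST')` branch, so a request using any other method reaches whatever routing follows the hunk with no session or permission check; the api-settings hunk places the same guard before routing, and this file should match it unless no other method is handled here (the rest of the routing is outside the hunk). `print_error(...)` runs before `http_response_code(401)`; if print_error emits the response body and output buffering is off, the status line has already gone out and the 401 is lost, so set the status first: `http_response_code(401); print_error('Access Denied', 'Access Denied!'); return;`. The same ordering applies to the api-settings and calendar hunks. A caller whose session exists but lacks can_man_settings is authenticated yet not authorised, for which 403 is the conventional code; 401 fits only the missing-session case.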
@@ -4,12 +4,19 @@ define('HESK_PATH', '../../../');
 define('INTERNAL_API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
+require_once(HESK_PATH . 'inc/admin_functions.inc.php');
 require_once(INTERNAL_API_PATH . 'core/output.php');
 require_once(INTERNAL_API_PATH . 'dao/settings_dao.php');
+hesk_session_start();
 hesk_load_internal_api_database_functions();
 hesk_dbConnect();
+if (!isset($_SESSION['heskprivileges']) || !hesk_checkPermission('can_man_settings', 0)) {
+    print_error('Access Denied', 'Access Denied!');
+    return http_response_code(401);
+}
+
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'POST') {
diff --git a/internal-api/admin/calendar/index.php b/internal-api/admin/calendar/index.php
index 623b1ff6..512d6ac3 100644
--- a/internal-api/admin/calendar/index.php
+++ b/internal-api/admin/calendar/index.php
@@ -24,6 +24,11 @@ if ($request_method === 'GET') {
     return output($events);
 } elseif ($request_method === 'POST') {
+    if ($request_method !== 'update-ticket' && !hesk_checkPermission('can_man_calendar', 0)) {
+        print_error('Access Denied', 'Access Denied!');
+        return http_response_code(401);
+    }
+
     $action = hesk_POST('action');
     if ($action === 'create') {
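Review bot: `$request_method !== 'update-ticket'` on the first added line of the calendar hunk can never be false, because this branch is only entered when `$request_method === 'POST'`, so the intended exemption is dead code and every action, including update-ticket, now requires can_man_calendar; the context line that follows suggests `$action` was meant. If that is the intent, read the action before the guard and compare it: `$action = hesk_POST('action');` then `if ($action !== 'update-ticket' && !hesk_checkPermission('can_man_calendar', 0)) {`. Exempting update-ticket from the calendar permission leaves that action reachable by any caller who passes whatever session check precedes line 24, so its handler (outside the hunk) needs a permission test of its own. Unlike the other two files, this hunk adds neither `hesk_session_start()` nor the admin_functions include; whether they already exist above line 24 is not visible here. The routing chain begins before the hunk, and its GET branch (`return output($events);`) still returns events with no permission check added by this commit.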