Add permissions checks

7 years ago · b2bf79a2f1
parent 769ea75e82
commit b2bf79a2f1
7 changed files with 63 additions and 12 deletions
--- a/action.php
+++ b/action.php
@ -26,6 +26,10 @@ function returnToSender($msg, $arg = "") {
    die();
 }

+if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "INV_EDIT")) {
+    returnToSender("no_edit_permission");
+}
+
 switch ($VARS['action']) {
    case "edititem":
        $insert = true;
--- a/app.php
+++ b/app.php
@ -1,10 +1,7 @@
 <?php
 require_once __DIR__ . "/required.php";

-if ($_SESSION['loggedin'] != true) {
-    header('Location: index.php');
-    die("Session expired.  Log in again to continue.");
-}
+redirectIfNotLoggedIn();

 require_once __DIR__ . "/pages.php";

--- a/index.php
+++ b/index.php
@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";

 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "INV_VIEW")) {
    header('Location: app.php');
 }

@ -34,13 +34,17 @@ if (checkLoginServer()) {
                        break;
                }
                if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
-                    if (userHasTOTP($VARS['username'])) {
-                        $multiauth = true;
+                    if (account_has_permission($VARS['username'], "INV_VIEW") == FALSE) {
+                        $alert = lang("no permission", false);
                    } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
-                        header('Location: app.php');
-                        die("Logged in, go to app.php");
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
+                        if (userHasTOTP($VARS['username'])) {
+                            $multiauth = true;
+                        } else {
+                            doLoginUser($VARS['username'], $VARS['password']);
+                            header('Location: app.php');
+                            die("Logged in, go to app.php");
+                        }
                    }
                }
            } else {
--- a/lang/en_us.php
+++ b/lang/en_us.php
@ -15,6 +15,7 @@ define("STRINGS", [
    "account terminated" => "Account terminated.  Access denied.",
    "account state error" => "Your account state is not stable.  Log out, restart your browser, and try again.",
    "welcome user" => "Welcome, {user}!",
+    "no permission" => "You do not have permission to access this system.",
    "sign out" => "Sign out",
    "settings" => "Settings",
    "options" => "Options",
@ -24,6 +25,7 @@ define("STRINGS", [
    "login server error" => "The login server returned an error: {arg}",
    "login server user data error" => "The login server refused to provide account information.  Try again or contact technical support.",
    "captcha error" => "There was a problem with the CAPTCHA (robot test).  Try again.",
+    "no edit permission" => "You do not have permission to modify records.",
    "home" => "Home",
    "invalid itemid" => "The item ID is invalid.",
    "invalid category" => "The category is invalid.",
--- a/lang/messages.php
+++ b/lang/messages.php
@ -13,6 +13,10 @@ define("MESSAGES", [
        "string" => "page not found",
        "type" => "info"
    ],
+    "no_edit_permission" => [
+        "string" => "no edit permission",
+        "type" => "danger"
+    ],
    "invalid_itemid" => [
        "string" => "invalid itemid",
        "type" => "danger"
--- a/lib/login.php
+++ b/lib/login.php
@ -157,6 +157,37 @@ function get_account_status($username) {
    }
 }

+/**
+ * Check if the given username has the given permission (or admin access)
+ * @param string $username
+ * @param string $permcode
+ * @return boolean TRUE if the user has the permission (or admin access), else FALSE
+ */
+function account_has_permission($username, $permcode) {
+    $client = new GuzzleHttp\Client();
+
+    $response = $client
+            ->request('POST', PORTAL_API, [
+        'form_params' => [
+            'key' => PORTAL_KEY,
+            'action' => "permission",
+            'username' => $username,
+            'code' => $permcode
+        ]
+    ]);
+
+    if ($response->getStatusCode() > 299) {
+        sendError("Login server error: " . $response->getBody());
+    }
+
+    $resp = json_decode($response->getBody(), TRUE);
+    if ($resp['status'] == "OK") {
+        return $resp['has_permission'];
+    } else {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 //                              Login handling                                //
 ////////////////////////////////////////////////////////////////////////////////
--- a/required.php
+++ b/required.php
@ -133,6 +133,10 @@ function dieifnotloggedin() {
        sendError("Session expired.  Please log out and log in again.");
        die();
    }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
+        die("You don't have permission to be here.");
+    }
 }

 /**
@ -186,7 +190,12 @@ if (!function_exists('base_url')) {

 function redirectIfNotLoggedIn() {
    if ($_SESSION['loggedin'] !== TRUE) {
-        header('Location: ' . URL . '/index.php');
+        header('Location: ./index.php');
        die();
    }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
+    }
 }