From b2bf79a2f1b7028652420e165320fbe923f617ce Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Sun, 28 May 2017 23:46:28 -0600
Subject: [PATCH] Add permissions checks

---
 action.php        |  4 ++++
 app.php           |  5 +----
 index.php         | 18 +++++++++++-------
 lang/en_us.php    |  2 ++
 lang/messages.php |  4 ++++
 lib/login.php     | 31 +++++++++++++++++++++++++++++++
 required.php      | 11 ++++++++++-
 7 files changed, 63 insertions(+), 12 deletions(-)

diff --git a/action.php b/action.php
index 08542a1..6e375fb 100644
--- a/action.php
+++ b/action.php
@@ -26,6 +26,10 @@ function returnToSender($msg, $arg = "") {
     die();
 }
 
+if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "INV_EDIT")) {
+    returnToSender("no_edit_permission");
+}
+
 switch ($VARS['action']) {
     case "edititem":
         $insert = true;
diff --git a/app.php b/app.php
index aaecc1b..55f3783 100644
--- a/app.php
+++ b/app.php
@@ -1,10 +1,7 @@ "Account terminated. Access denied.", "account state error" => "Your account state is not stable. Log out, restart your browser, and try again.", "welcome user" => "Welcome, {user}!", + "no permission" => "You do not have permission to access this system.", "sign out" => "Sign out", "settings" => "Settings", "options" => "Options",
@@ -24,6 +25,7 @@ define("STRINGS", [
     "login server error" => "The login server returned an error: {arg}",
     "login server user data error" => "The login server refused to provide account information. Try again or contact technical support.",
     "captcha error" => "There was a problem with the CAPTCHA (robot test). Try again.",
+    "no edit permission" => "You do not have permission to modify records.",
     "home" => "Home",
     "invalid itemid" => "The item ID is invalid.",
     "invalid category" => "The category is invalid.",
diff --git a/lang/messages.php b/lang/messages.php
index 95ee459..055b753 100644
--- a/lang/messages.php
+++ b/lang/messages.php
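Review bot: The new guard calls account_has_permission(), but nothing in this hunk brings that function into scope; in this commit it is defined in lib/login.php and is only `require_once`d from inside dieifnotloggedin() and redirectIfNotLoggedIn() in required.php. Unless action.php includes lib/login.php or calls one of those helpers before this point (outside the hunk), the line is an undefined-function fatal rather than a permission check, and for an unauthenticated request `$_SESSION['username']` would be unset as well. Putting `require_once __DIR__ . "/lib/login.php";` (or a `dieifnotloggedin();` call, which also settles the session question) directly above the check removes the ordering dependency. The action comparison should also be strict, `if ($VARS['action'] !== "signout" && !account_has_permission($_SESSION['username'], "INV_EDIT")) {`, so the exemption only matches the literal string.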
@@ -13,6 +13,10 @@ define("MESSAGES", [
         "string" => "page not found",
         "type" => "info"
     ],
+    "no_edit_permission" => [
+        "string" => "no edit permission",
+        "type" => "danger"
+    ],
     "invalid_itemid" => [
         "string" => "invalid itemid",
         "type" => "danger"
diff --git a/lib/login.php b/lib/login.php
index 88c5313..aeeead2 100644
--- a/lib/login.php
+++ b/lib/login.php
@@ -157,6 +157,37 @@ function get_account_status($username) {
     }
 }
 
+/**
+ * Check if the given username has the given permission (or admin access)
+ * @param string $username
+ * @param string $permcode
+ * @return boolean TRUE if the user has the permission (or admin access), else FALSE
+ */
+function account_has_permission($username, $permcode) {
+    $client = new GuzzleHttp\Client();
+
+    $response = $client
+            ->request('POST', PORTAL_API, [
+        'form_params' => [
+            'key' => PORTAL_KEY,
+            'action' => "permission",
+            'username' => $username,
+            'code' => $permcode
+        ]
+    ]);
+
+    if ($response->getStatusCode() > 299) {
+        sendError("Login server error: " . $response->getBody());
+    }
+
+    $resp = json_decode($response->getBody(), TRUE);
+    if ($resp['status'] == "OK") {
+        return $resp['has_permission'];
+    } else {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 // Login handling                                                             //
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/required.php b/required.php
index b9feef8..d38ffa2 100644
--- a/required.php
+++ b/required.php
@@ -133,6 +133,10 @@ function dieifnotloggedin() {
         sendError("Session expired. Please log out and log in again.");
         die();
     }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
+        die("You don't have permission to be here.");
+    }
 }
 
 /**
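Review bot: account_has_permission() returns `$resp['has_permission']` unnormalised, so what reaches `!account_has_permission(...)` in action.php and the `== FALSE` comparisons in required.php is whatever the portal emits: a missing key is a notice plus null, and if the value were ever the string `"false"` it is truthy and `"false" == FALSE` is false, so the caller would grant access. Returning a real boolean honours the `@return boolean` contract and keeps every caller fail-closed: `return is_array($resp) && isset($resp['status'], $resp['has_permission']) && $resp['status'] === "OK" && $resp['has_permission'] === true;` — this assumes the portal sends a JSON boolean, which should be confirmed against the portal API. Two smaller points: a transport failure from Guzzle (connection refused, timeout) surfaces as an uncaught exception rather than a sendError(), and the `> 299` branch echoes the raw portal response body into the user-visible error; consider passing `'timeout' => 5` in the request options and logging the body instead of displaying it.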
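Review bot: The `== FALSE` comparison on the new INV_VIEW gate in dieifnotloggedin() assumes account_has_permission() returns a genuine boolean; `"false" == FALSE` is false in PHP, so a string payload relayed from the portal would pass this check, and the form reads as "deny on falsy" rather than "allow only on true". Inverting it makes the default-deny explicit and independent of the helper's return type: `if (account_has_permission($_SESSION['username'], "INV_VIEW") !== true) {`. Note also that every call of dieifnotloggedin() now performs a synchronous portal round-trip; failing closed on a portal outage is the right behaviour, but it means an outage takes down every page, so a short comment stating that this is intentional would help the next maintainer. The function's opening lines (the session checks that precede sendError) are outside this hunk.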
@@ -186,7 +190,12 @@ if (!function_exists('base_url')) {
 
 function redirectIfNotLoggedIn() {
     if ($_SESSION['loggedin'] !== TRUE) {
-        header('Location: ' . URL . '/index.php');
+        header('Location: ./index.php');
         die();
     }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
+    }
 }
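Review bot: In the new INV_VIEW branch the `die("You don't have permission to be here.")` body is sent after a `Location: ./index.php` header, so the browser follows the redirect and the message is never displayed; it also bypasses the localised `no permission` string this commit adds to lang/en_us.php. Either drop the body (`die();`, as the logged-out branch above does) or skip the redirect and render the message through the existing STRINGS table. The comparison should be `!== true` rather than `== FALSE`, for the same reason as in dieifnotloggedin(): a non-boolean return such as the string `"false"` compares unequal to FALSE and would pass the gate. It is also worth confirming that index.php does not itself call redirectIfNotLoggedIn() for a logged-in user without INV_VIEW, since that would redirect in a loop; the index.php diff listed in the diffstat is not on this page.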