From c97e058786aed0be4cc2ff15bce78daf9ab24c84 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Fri, 1 Mar 2019 23:41:10 -0700
Subject: [PATCH] API: Check for user permission
---
 api/functions.php | 9 ++++++++-
 settings.template.php | 4 ++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/api/functions.php b/api/functions.php
index 1f41d85..9357a53 100644
--- a/api/functions.php
+++ b/api/functions.php
@@ -52,7 +52,7 @@ function getCensoredKey() {
 * @return bool true if the request should continue, false if the request is bad
 */
 function authenticate(): bool {
- global $VARS;
+ global $VARS, $SETTINGS;
 // HTTP basic auth
 if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
 $username = $_SERVER['PHP_AUTH_USER'];
@@ -68,6 +68,13 @@ function authenticate(): bool {
 return false;
 }
 if ($user->checkPassword($password, true)) {
+ // Check that the user has permission to access the app
+ $perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
+ foreach ($perms as $perm) {
+ if (!$user->hasPermission($perm)) {
+ return false;
+ }
+ }
 return true;
 }
 return false;
diff --git a/settings.template.php b/settings.template.php
index 94686c0..1ef4b35 100644
--- a/settings.template.php
+++ b/settings.template.php
@@ -39,6 +39,10 @@ $SETTINGS = [
 // List of required user permissions to access this app.
 "permissions" => [
 ],
+ // List of permissions required for API access. Remove to use the value of
+ // "permissions" instead.
+ "api_permissions" => [
+ ],
 // For supported values, see http://php.net/manual/en/timezones.php
 "timezone" => "America/Denver",
 // Language to use for localization. See langs folder to add a language.
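Review bot: `is_array($SETTINGS['api_permissions'])` in the second api/functions.php hunk reads the key unguarded, so when an operator removes `"api_permissions"` as the settings.template.php comment invites, every basic-auth request emits an undefined-index notice (a warning on PHP 8) before the fallback to `"permissions"` is taken; guard it with `$perms = (isset($SETTINGS['api_permissions']) && is_array($SETTINGS['api_permissions'])) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];`. The same hunk treats an empty list as "no requirement" (the foreach runs zero times and `return true` follows), so the template's default `"api_permissions" => []` admits any user with valid credentials; the settings.template.php hunk's comment would be clearer with `// An empty list requires no permission beyond valid credentials.` appended. The check is placed inside the HTTP basic auth branch only; if authenticate() accepts credentials through another path further down (the function continues past this hunk), that path would skip the permission check, so the loop may belong after whichever path succeeds. authenticate() starts in the first hunk and ends outside both.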