API: Check for user permission

api/functions.php

@@ -52,7 +52,7 @@ function getCensoredKey() {
  * @return bool true if the request should continue, false if the request is bad
  */
 function authenticate(): bool {
-    global $VARS;
+    global $VARS, $SETTINGS;
     // HTTP basic auth
     if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW'])) {
         $username = $_SERVER['PHP_AUTH_USER'];
@@ -68,6 +68,13 @@ function authenticate(): bool {
         return false;
     }
     if ($user->checkPassword($password, true)) {
+        // Check that the user has permission to access the app
+        $perms = is_array($SETTINGS['api_permissions']) ? $SETTINGS['api_permissions'] : $SETTINGS['permissions'];
+        foreach ($perms as $perm) {
+            if (!$user->hasPermission($perm)) {
+                return false;
+            }
+        }
         return true;
     }
     return false;

settings.template.php

@@ -39,6 +39,10 @@ $SETTINGS = [
     // List of required user permissions to access this app.
     "permissions" => [
     ],
+    // List of permissions required for API access. Remove to use the value of
+    // "permissions" instead.
+    "api_permissions" => [
+    ],
     // For supported values, see http://php.net/manual/en/timezones.php
     "timezone" => "America/Denver",
     // Language to use for localization. See langs folder to add a language.