Business/QwikClock
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Improve isManagerOf() error handling to prevent possible security bug

Browse Source
This commit is contained in:
Skylar Ittner 2018-01-03 21:58:58 -07:00
parent 279b13878b
commit 228d4c8bff
1 changed files with 58 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
lib/userinfo.php
View File

@ -90,10 +90,10 @@ function isManagerOf($m, $e) {
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return $resp['managerof'];
return $resp['managerof'] === true;
} else {
// this shouldn't happen, but in case it does just fake it.
return ["name" => $u, "username" => $u, "uid" => $u];
return false;
}
}
@ -154,4 +154,60 @@ function getManagedUsernames($manageruid) {
} else {
return [];
}
}
/**
* Get a list of the groups the user is a member of, as {['id':1,'name':"abc"],...}
* @param int $uid
*/
function getGroupsByUID($uid) {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "getgroupsbyuser",
'uid' => $uid
]
]);
if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return $resp['groups'];
} else {
return [];
}
}
/**
* Get a list of the groups the user is a member of, as {['id':1,'name':"abc"],...}
* @param int $username
*/
function getGroupsByUsername($username) {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "getgroupsbyuser",
'username' => $username
]
]);
if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return $resp['groups'];
} else {
return [];
}
}