Add permission checks

action.php

@@ -4,9 +4,14 @@
  * Make things happen when buttons are pressed and forms submitted.
  */
 require_once __DIR__ . "/required.php";
+require_once __DIR__ . "/lib/login.php";
 
 dieifnotloggedin();
 
+if (account_has_permission($_SESSION['username'], "QWIKCLOCK") == FALSE) {
+    die("You don't have permission to be here.");
+}
+
 /**
  * Redirects back to the page ID in $_POST/$_GET['source'] with the given message ID.
  * The message will be displayed by the app.

app.php

@@ -1,10 +1,7 @@
 <?php
 require_once __DIR__ . "/required.php";
 
-if ($_SESSION['loggedin'] != true) {
-    header('Location: index.php');
-    die("Session expired.  Log in again to continue.");
-}
+redirectIfNotLoggedIn();
 
 require_once __DIR__ . "/pages.php";
 

index.php

@@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 
 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "QWIKCLOCK")) {
     header('Location: app.php');
 }
 
@@ -34,13 +34,17 @@ if (checkLoginServer()) {
                         break;
                 }
                 if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
-                    if (userHasTOTP($VARS['username'])) {
-                        $multiauth = true;
+                    if (account_has_permission($VARS['username'], "QWIKCLOCK") == FALSE) {
+                        $alert = lang("no admin permission", false);
                     } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
-                        header('Location: app.php');
-                        die("Logged in, go to app.php");
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
+                        if (userHasTOTP($VARS['username'])) {
+                            $multiauth = true;
+                        } else {
+                            doLoginUser($VARS['username'], $VARS['password']);
+                            header('Location: app.php');
+                            die("Logged in, go to app.php");
+                        }
                     }
                 }
             } else {

lang/en_us.php

@@ -5,6 +5,7 @@ define("STRINGS", [
     "username" => "Username",
     "password" => "Password",
     "continue" => "Continue",
+    "no admin permission" => "You do not have permission to access this system.",
     "authcode" => "Authentication code",
     "2fa prompt" => "Enter the six-digit code from your mobile authenticator app.",
     "2fa incorrect" => "Authentication code incorrect.",

required.php

@@ -186,6 +186,11 @@ if (!function_exists('base_url')) {
 function redirectIfNotLoggedIn() {
     if ($_SESSION['loggedin'] !== TRUE) {
         header('Location: ' . URL . '/index.php');
-        die();
+        die("You are not logged in.");
+    }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "QWIKCLOCK") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
     }
 }