Business/TaskFloor
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add permissions checks

Browse Source
This commit is contained in:
Skylar Ittner 2017-05-28 23:52:39 -06:00
parent 36d0dfb7ea
commit bdd9b52032
7 changed files with 66 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
action.php
View File

@ -20,6 +20,10 @@ function returnToSender($msg, $arg = "") {
die(); die();
} }
if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "TASKFLOOR")) {
returnToSender("no_permission");
}
switch ($VARS['action']) { switch ($VARS['action']) {
case "signout": case "signout":
session_destroy(); session_destroy();

6
api.php
View File

@ -18,6 +18,12 @@ if (user_exists($username) !== true || authenticate_user($username, $password, $
header("HTTP/1.1 403 Unauthorized"); header("HTTP/1.1 403 Unauthorized");
die("\"403 Unauthorized\""); die("\"403 Unauthorized\"");
} }
if (!account_has_permission($username, "TASKFLOOR")) {
header("HTTP/1.1 403 Unauthorized");
die("\"403 Unauthorized\"");
}
$userinfo = getUserByUsername($username); $userinfo = getUserByUsername($username);
// query max results // query max results

18
index.php
View File

@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/login.php"; require_once __DIR__ . "/lib/login.php";
// if we're logged in, we don't need to be here. // if we're logged in, we don't need to be here.
if ($_SESSION['loggedin']) { if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "TASKFLOOR")) {
header('Location: app.php'); header('Location: app.php');
} }
@ -34,13 +34,17 @@ if (checkLoginServer()) {
break; break;
} }
if ($userpass_ok) { if ($userpass_ok) {
$_SESSION['passok'] = true; // stop logins using only username and authcode if (account_has_permission($VARS['username'], "TASKFLOOR") == FALSE) {
if (userHasTOTP($VARS['username'])) { $alert = lang("no permission", false);
$multiauth = true;
} else { } else {
doLoginUser($VARS['username'], $VARS['password']); $_SESSION['passok'] = true; // stop logins using only username and authcode
header('Location: app.php'); if (userHasTOTP($VARS['username'])) {
die("Logged in, go to app.php"); $multiauth = true;
} else {
doLoginUser($VARS['username'], $VARS['password']);
header('Location: app.php');
die("Logged in, go to app.php");
}
} }
} }
} else { } else {

1
lang/en_us.php
View File

@ -20,6 +20,7 @@ define("STRINGS", [
"settings" => "Settings", "settings" => "Settings",
"options" => "Options", "options" => "Options",
"404 error" => "404 Error", "404 error" => "404 Error",
"no permission" => "You do not have permission to access this system.",
"page not found" => "Page not found.", "page not found" => "Page not found.",
"invalid parameters" => "Invalid request parameters.", "invalid parameters" => "Invalid request parameters.",
"login server error" => "The login server returned an error: {arg}", "login server error" => "The login server returned an error: {arg}",

4
lang/messages.php
View File

@ -13,6 +13,10 @@ define("MESSAGES", [
"string" => "page not found", "string" => "page not found",
"type" => "info" "type" => "info"
], ],
"no_permission" => [
"string" => "no permission",
"type" => "danger"
],
"task_saved" => [ "task_saved" => [
"string" => "task saved", "string" => "task saved",
"type" => "success" "type" => "success"

31
lib/login.php
View File

@ -157,6 +157,37 @@ function get_account_status($username) {
} }
} }
/**
* Check if the given username has the given permission (or admin access)
* @param string $username
* @param string $permcode
* @return boolean TRUE if the user has the permission (or admin access), else FALSE
*/
function account_has_permission($username, $permcode) {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "permission",
'username' => $username,
'code' => $permcode
]
]);
if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return $resp['has_permission'];
} else {
return false;
}
}
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
// Login handling // // Login handling //
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////

9
required.php
View File

@ -132,6 +132,10 @@ function dieifnotloggedin() {
if ($_SESSION['loggedin'] != true) { if ($_SESSION['loggedin'] != true) {
sendError("Session expired. Please log out and log in again."); sendError("Session expired. Please log out and log in again.");
} }
require_once __DIR__ . "/lib/login.php";
if (account_has_permission($_SESSION['username'], "TASKFLOOR") == FALSE) {
die("You don't have permission to be here.");
}
} }
/** /**
@ -188,6 +192,11 @@ function redirectIfNotLoggedIn() {
header('Location: ' . URL . '/index.php'); header('Location: ' . URL . '/index.php');
die(); die();
} }
require_once __DIR__ . "/lib/login.php";
if (account_has_permission($_SESSION['username'], "TASKFLOOR") == FALSE) {
header('Location: ./index.php');
die("You don't have permission to be here.");
}
} }
/** /**