Netsyms/Mods-for-HESK-Netsyms
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Working on adding controller security

Browse Source
This commit is contained in:
Mike Koch 2017-12-01 12:56:23 -05:00
parent 3e8085110f
commit 0a2e37320a
No known key found for this signature in database
GPG Key ID: 9BA5D7F8391455ED
4 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
api/BusinessLogic/Security/UserPrivilege.php
View File

@ -15,4 +15,5 @@ class UserPrivilege extends \BaseClass {
const CAN_EDIT_TICKETS = 'can_edit_tickets'; const CAN_EDIT_TICKETS = 'can_edit_tickets';
const CAN_DELETE_TICKETS = 'can_del_tickets'; const CAN_DELETE_TICKETS = 'can_del_tickets';
const CAN_MANAGE_CATEGORIES = 'can_man_cat'; const CAN_MANAGE_CATEGORIES = 'can_man_cat';
const CAN_MANAGE_SERVICE_MESSAGES = 'can_service_msg';
} }

17
api/Controllers/ServiceMessages/ServiceMessagesController.php
View File

@ -2,15 +2,30 @@
namespace Controllers\ServiceMessages; namespace Controllers\ServiceMessages;
use BusinessLogic\Exceptions\ApiFriendlyException;
use BusinessLogic\Helpers; use BusinessLogic\Helpers;
use BusinessLogic\Security\UserContext; use BusinessLogic\Security\UserContext;
use BusinessLogic\Security\UserPrivilege;
use BusinessLogic\ServiceMessages\ServiceMessage; use BusinessLogic\ServiceMessages\ServiceMessage;
use BusinessLogic\ServiceMessages\ServiceMessageHandler; use BusinessLogic\ServiceMessages\ServiceMessageHandler;
use Controllers\ControllerWithSecurity;
use Controllers\JsonRetriever; use Controllers\JsonRetriever;
class ServiceMessagesController extends \BaseClass { class ServiceMessagesController extends \BaseClass {
/**
* @param $userContext UserContext
* @throws ApiFriendlyException
*/
function checkSecurity($userContext) {
if (!in_array(UserPrivilege::CAN_MANAGE_SERVICE_MESSAGES, $userContext->permissions)) {
throw new ApiFriendlyException("User does not have permission to access the following URI: " . $_SERVER['REQUEST_URI'], "Access Forbidden", 403);
}
}
function get() { function get() {
global $applicationContext, $hesk_settings; global $applicationContext, $hesk_settings, $userContext;
$this->checkSecurity($userContext);
/* @var $handler ServiceMessageHandler */ /* @var $handler ServiceMessageHandler */
$handler = $applicationContext->get(ServiceMessageHandler::clazz()); $handler = $applicationContext->get(ServiceMessageHandler::clazz());

4
api/Core/json_error.php
View File

@ -7,7 +7,11 @@ function print_error($title, $message, $logId = null, $response_code = 500) {
$error['type'] = 'ERROR'; $error['type'] = 'ERROR';
$error['title'] = $title; $error['title'] = $title;
$error['message'] = $message; $error['message'] = $message;
if ($logId !== null) {
$error['logId'] = $logId; $error['logId'] = $logId;
}
print output($error, $response_code); print output($error, $response_code);
return; return;

2
api/index.php
View File

@ -105,7 +105,7 @@ function exceptionHandler($exception) {
/* @var $castedException \BusinessLogic\Exceptions\ApiFriendlyException */ /* @var $castedException \BusinessLogic\Exceptions\ApiFriendlyException */
$castedException = $exception; $castedException = $exception;
print_error($castedException->title, $castedException->getMessage(), $castedException->httpResponseCode); print_error($castedException->title, $castedException->getMessage(), null, $castedException->httpResponseCode);
} elseif (exceptionIsOfType($exception, \Core\Exceptions\SQLException::clazz())) { } elseif (exceptionIsOfType($exception, \Core\Exceptions\SQLException::clazz())) {
/* @var $castedException \Core\Exceptions\SQLException */ /* @var $castedException \Core\Exceptions\SQLException */
$castedException = $exception; $castedException = $exception;