Netsyms/Mods-for-HESK-Netsyms
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add security to additional endpoints

Browse Source
This commit is contained in:
Mike Koch 2015-11-23 12:38:53 -05:00
parent ab0082c735
commit 209e039cdb
3 changed files with 28 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
api/admin/canned/index.php
View File

@ -5,7 +5,7 @@ define('API_PATH', '../../');
require_once(HESK_PATH . 'hesk_settings.inc.php'); require_once(HESK_PATH . 'hesk_settings.inc.php');
require_once(HESK_PATH . 'inc/common.inc.php'); require_once(HESK_PATH . 'inc/common.inc.php');
require_once(API_PATH . 'core/output.php'); require_once(API_PATH . 'core/output.php');
require_once(API_PATH . 'core/'); require_once(API_PATH . 'core/headers.php');
require_once(API_PATH . 'dao/canned_dao.php'); require_once(API_PATH . 'dao/canned_dao.php');
require_once(API_PATH . 'businesslogic/security_retriever.php'); require_once(API_PATH . 'businesslogic/security_retriever.php');
@ -15,11 +15,7 @@ hesk_dbConnect();
// Routing // Routing
$request_method = $_SERVER['REQUEST_METHOD']; $request_method = $_SERVER['REQUEST_METHOD'];
if ($request_method == 'GET') { if ($request_method == 'GET') {
$headers = getallheaders(); $token = get_header('X-Auth-Token');
$token = NULL;
if (isset($headers['X-Auth-Token'])) {
$token = $headers['X-Auth-Token'];
}
try { try {
get_user_for_token($token, $hesk_settings); get_user_for_token($token, $hesk_settings);

13
api/admin/ticket-template/index.php
View File

@ -4,8 +4,10 @@ define('HESK_PATH', '../../../');
define('API_PATH', '../../'); define('API_PATH', '../../');
require_once(HESK_PATH . 'hesk_settings.inc.php'); require_once(HESK_PATH . 'hesk_settings.inc.php');
require_once(HESK_PATH . 'inc/common.inc.php'); require_once(HESK_PATH . 'inc/common.inc.php');
require_once(API_PATH . 'core/headers.php');
require_once(API_PATH . 'core/output.php'); require_once(API_PATH . 'core/output.php');
require_once(API_PATH . 'dao/ticket_template_dao.php'); require_once(API_PATH . 'dao/ticket_template_dao.php');
require_once(API_PATH . 'businesslogic/security_retriever.php');
hesk_load_api_database_functions(); hesk_load_api_database_functions();
hesk_dbConnect(); hesk_dbConnect();
@ -14,6 +16,17 @@ hesk_dbConnect();
$request_method = $_SERVER['REQUEST_METHOD']; $request_method = $_SERVER['REQUEST_METHOD'];
if ($request_method == 'GET') { if ($request_method == 'GET') {
$token = get_header('X-Auth-Token');
try {
get_user_for_token($token, $hesk_settings);
} catch (AccessException $e) {
if ($e->getCode() == 422) {
print_error($e->getMessage(), $e->getMessage());
}
return http_response_code($e->getCode());
}
if (isset($_GET['id'])) { if (isset($_GET['id'])) {
$results = get_ticket_template($hesk_settings, $_GET['id']); $results = get_ticket_template($hesk_settings, $_GET['id']);
} else { } else {

13
api/admin/ticket/index.php
View File

@ -4,8 +4,10 @@ define('HESK_PATH', '../../../');
define('API_PATH', '../../'); define('API_PATH', '../../');
require_once(HESK_PATH . 'hesk_settings.inc.php'); require_once(HESK_PATH . 'hesk_settings.inc.php');
require_once(HESK_PATH . 'inc/common.inc.php'); require_once(HESK_PATH . 'inc/common.inc.php');
require_once(API_PATH . 'core/headers.php');
require_once(API_PATH . 'core/output.php'); require_once(API_PATH . 'core/output.php');
require_once(API_PATH . 'dao/ticket_dao.php'); require_once(API_PATH . 'dao/ticket_dao.php');
require_once(API_PATH . 'businesslogic/security_retriever.php');
hesk_load_api_database_functions(); hesk_load_api_database_functions();
hesk_dbConnect(); hesk_dbConnect();
@ -13,6 +15,17 @@ hesk_dbConnect();
// Routing // Routing
$request_method = $_SERVER['REQUEST_METHOD']; $request_method = $_SERVER['REQUEST_METHOD'];
if ($request_method == 'GET') { if ($request_method == 'GET') {
$token = get_header('X-Auth-Token');
try {
get_user_for_token($token, $hesk_settings);
} catch (AccessException $e) {
if ($e->getCode() == 422) {
print_error($e->getMessage(), $e->getMessage());
}
return http_response_code($e->getCode());
}
if (isset($_GET['id'])) { if (isset($_GET['id'])) {
$results = get_ticket_for_id($hesk_settings, $_GET['id']); $results = get_ticket_for_id($hesk_settings, $_GET['id']);
} elseif (isset($_GET['trackid'])) { } elseif (isset($_GET['trackid'])) {