Netsyms/Mods-for-HESK-Netsyms
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

more security stuff

Browse Source
This commit is contained in:
Mike Koch 2015-11-22 22:21:42 -05:00
parent 0db1f88b7f
commit ab0082c735
5 changed files with 46 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
api/admin/canned/index.php
View File

@ -5,7 +5,9 @@ define('API_PATH', '../../');
require_once(HESK_PATH . 'hesk_settings.inc.php'); require_once(HESK_PATH . 'hesk_settings.inc.php');
require_once(HESK_PATH . 'inc/common.inc.php'); require_once(HESK_PATH . 'inc/common.inc.php');
require_once(API_PATH . 'core/output.php'); require_once(API_PATH . 'core/output.php');
require_once(API_PATH . 'core/');
require_once(API_PATH . 'dao/canned_dao.php'); require_once(API_PATH . 'dao/canned_dao.php');
require_once(API_PATH . 'businesslogic/security_retriever.php');
hesk_load_api_database_functions(); hesk_load_api_database_functions();
hesk_dbConnect(); hesk_dbConnect();
@ -13,6 +15,21 @@ hesk_dbConnect();
// Routing // Routing
$request_method = $_SERVER['REQUEST_METHOD']; $request_method = $_SERVER['REQUEST_METHOD'];
if ($request_method == 'GET') { if ($request_method == 'GET') {
$headers = getallheaders();
$token = NULL;
if (isset($headers['X-Auth-Token'])) {
$token = $headers['X-Auth-Token'];
}
try {
get_user_for_token($token, $hesk_settings);
} catch (AccessException $e) {
if ($e->getCode() == 422) {
print_error($e->getMessage(), $e->getMessage());
}
return http_response_code($e->getCode());
}
if (isset($_GET['id'])) { if (isset($_GET['id'])) {
$results = get_canned_response($hesk_settings, $_GET['id']); $results = get_canned_response($hesk_settings, $_GET['id']);
} else { } else {
@ -22,7 +39,7 @@ if ($request_method == 'GET') {
if ($results == NULL) { if ($results == NULL) {
return http_response_code(404); return http_response_code(404);
} }
output($results); return output($results);
} }
return http_response_code(405); return http_response_code(405);

1
api/businesslogic/security_retriever.php
View File

@ -2,6 +2,7 @@
require_once(API_PATH . 'dao/security_dao.php'); require_once(API_PATH . 'dao/security_dao.php');
function get_user_for_token($token, $hesk_settings) { function get_user_for_token($token, $hesk_settings) {
$hash = hash('sha512', $token); $hash = hash('sha512', $token);
return get_user_for_token_hash($hash, $hesk_settings); return get_user_for_token_hash($hash, $hesk_settings);

9
api/core/headers.php Normal file
View File

@ -0,0 +1,9 @@
<?php
function get_header($key) {
$headers = getallheaders();
return isset($headers[$key])
? $headers[$key]
: NULL;
}

8
api/dao/security_dao.php
View File

@ -1,12 +1,18 @@
<?php <?php
define('NULL_OR_EMPTY_STRING', 'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e');
require_once(API_PATH . 'exception/AccessException.php');
function get_user_for_token_hash($hash, $hesk_settings) { function get_user_for_token_hash($hash, $hesk_settings) {
if ($hash == NULL_OR_EMPTY_STRING) {
throw new AccessException(404);
}
$user_id_sql = "SELECT `user_id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "user_api_tokens` $user_id_sql = "SELECT `user_id` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "user_api_tokens`
WHERE `token` = '" . hesk_dbEscape($hash) . "'"; WHERE `token` = '" . hesk_dbEscape($hash) . "'";
$user_id_rs = hesk_dbQuery($user_id_sql); $user_id_rs = hesk_dbQuery($user_id_sql);
if (hesk_dbNumRows($user_id_rs) == 0) { if (hesk_dbNumRows($user_id_rs) == 0) {
return http_response_code(422); throw new AccessException(422);
} }
$user_id = hesk_dbFetchAssoc($user_id_rs); $user_id = hesk_dbFetchAssoc($user_id_rs);

11
api/exception/AccessException.php Normal file
View File

@ -0,0 +1,11 @@
<?php
class AccessException extends Exception {
public function __construct($code)
{
$message = '';
if ($code == 422) {
$message = 'The X-Auth-Token is invalid';
}
parent::__construct($message, $code);
}
}