Finish up securing API endpoints
This commit is contained in:
parent
cb6103319e
commit
b9faaf2325
@ -20,7 +20,7 @@ $request_method = $_SERVER['REQUEST_METHOD'];
|
|||||||
* @apiVersion 0.0.0
|
* @apiVersion 0.0.0
|
||||||
* @apiName GetUser
|
* @apiName GetUser
|
||||||
* @apiGroup User
|
* @apiGroup User
|
||||||
* @apiPermission protected
|
* @apiPermission canManUsers
|
||||||
*
|
*
|
||||||
* @apiParam {Number} [id] The ID of the user. Omit for all users.
|
* @apiParam {Number} [id] The ID of the user. Omit for all users.
|
||||||
*
|
*
|
||||||
@ -30,7 +30,6 @@ $request_method = $_SERVER['REQUEST_METHOD'];
|
|||||||
* @apiSuccess {String} name The user's name
|
* @apiSuccess {String} name The user's name
|
||||||
* @apiSuccess {String} email The user's email address
|
* @apiSuccess {String} email The user's email address
|
||||||
* @apiSuccess {String} signature The user's signature, in plaintext
|
* @apiSuccess {String} signature The user's signature, in plaintext
|
||||||
* @apiSuccess {Unknown} language ??? (Unknown)
|
|
||||||
* @apiSuccess {String[]} categories Ticket categories the user has access to. If the user is an admin, this list has one element: ""
|
* @apiSuccess {String[]} categories Ticket categories the user has access to. If the user is an admin, this list has one element: ""
|
||||||
* @apiSuccess {Integer} afterReply Action to perform after replying to a ticket:<br>
|
* @apiSuccess {Integer} afterReply Action to perform after replying to a ticket:<br>
|
||||||
* `0` - Show the ticket I just replied to<br>
|
* `0` - Show the ticket I just replied to<br>
|
||||||
@ -55,6 +54,11 @@ $request_method = $_SERVER['REQUEST_METHOD'];
|
|||||||
* @apiSuccess {String} rating The overall rating of the user, as a floating point decimal
|
* @apiSuccess {String} rating The overall rating of the user, as a floating point decimal
|
||||||
* @apiSuccess {Integer} autorefresh The ticket table autorefresh time for the user, in milliseconds
|
* @apiSuccess {Integer} autorefresh The ticket table autorefresh time for the user, in milliseconds
|
||||||
* @apiSuccess {Boolean} active `true` if the user is active<br>`false` otherwise
|
* @apiSuccess {Boolean} active `true` if the user is active<br>`false` otherwise
|
||||||
|
* @apiSuccess {Integer} defaultCalendarView The default view displayed on the calendar screen:<br>
|
||||||
|
* `0` - Month<br>
|
||||||
|
* `1` - Week<br>
|
||||||
|
* `2` - Day<br>
|
||||||
|
* @apiSuccess {Boolean} notifyOverdueUnassigned Notify user of overdue tickets assigned to others / not assigned
|
||||||
*
|
*
|
||||||
* @apiSuccessExample {json} Success-Response:
|
* @apiSuccessExample {json} Success-Response:
|
||||||
* HTTP/1.1 200 OK
|
* HTTP/1.1 200 OK
|
||||||
@ -65,7 +69,6 @@ $request_method = $_SERVER['REQUEST_METHOD'];
|
|||||||
* "name": "Your name",
|
* "name": "Your name",
|
||||||
* "email": "mkoch227@gmail.com",
|
* "email": "mkoch227@gmail.com",
|
||||||
* "signature": "Sincerely,\r\n\r\nYour name\r\nYour website\r\nhttp://www.yourwebsite.com\r\n& < > ^ &",
|
* "signature": "Sincerely,\r\n\r\nYour name\r\nYour website\r\nhttp://www.yourwebsite.com\r\n& < > ^ &",
|
||||||
* "language": null,
|
|
||||||
* "categories": [
|
* "categories": [
|
||||||
* ""
|
* ""
|
||||||
* ],
|
* ],
|
||||||
@ -91,21 +94,28 @@ $request_method = $_SERVER['REQUEST_METHOD'];
|
|||||||
* "ratingPos": 0,
|
* "ratingPos": 0,
|
||||||
* "rating": "0",
|
* "rating": "0",
|
||||||
* "autorefresh": 0,
|
* "autorefresh": 0,
|
||||||
* "active": true
|
* "active": true,
|
||||||
|
* "defaultCalendarView": 0,
|
||||||
|
* "notifyOverdueUnassigned": true
|
||||||
* }
|
* }
|
||||||
*
|
*
|
||||||
* @apiError (noTokenProvided) 400 No `X-Auth-Token` was provided where it is required
|
* @apiError (noTokenProvided) 400 No `X-Auth-Token` was provided where it is required
|
||||||
* @apiError (invalidXAuthToken) 401 The `X-Auth-Token` provided was invalid
|
* @apiError (invalidXAuthToken) 401 The `X-Auth-Token` provided was invalid, or the user does not have the 'can_man_users' permission
|
||||||
*/
|
*/
|
||||||
if ($request_method == 'GET') {
|
if ($request_method == 'GET') {
|
||||||
$token = get_header('X-Auth-Token');
|
$token = get_header('X-Auth-Token');
|
||||||
|
$user = NULL;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
get_user_for_token($token, $hesk_settings);
|
$user = get_user_for_token($token, $hesk_settings);
|
||||||
} catch (AccessException $e) {
|
} catch (AccessException $e) {
|
||||||
return http_response_code($e->getCode());
|
return http_response_code($e->getCode());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!$user['isadmin'] && strpos($user['heskprivileges'], 'can_man_users') === false) {
|
||||||
|
return http_response_code(401);
|
||||||
|
}
|
||||||
|
|
||||||
if (isset($_GET['id'])) {
|
if (isset($_GET['id'])) {
|
||||||
$results = retrieve_user($hesk_settings, $_GET['id']);
|
$results = retrieve_user($hesk_settings, $_GET['id']);
|
||||||
} else {
|
} else {
|
||||||
|
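Review bot: The new permission gate `if (!$user['isadmin'] && strpos($user['heskprivileges'], 'can_man_users') === false)` answers an authenticated user who lacks the privilege with 401, but 401 is the status for a missing or invalid credential; a recognised token without `can_man_users` is the 403 Forbidden case, so `return http_response_code(403);` together with a separate `@apiError` entry would describe the two failures accurately. The substring test is also looser than the documented rule: any privilege whose name merely contains `can_man_users` would pass, and `strpos()` on a null `heskprivileges` column emits a deprecation on PHP 8. If that column is a delimited list (presumably comma-separated, please confirm against the schema), `$privileges = explode(',', (string) $user['heskprivileges']);` followed by `in_array('can_man_users', $privileges, true)` pins the check to the exact token. The `$request_method == 'GET'` block continues outside the hunk, so the same gate may be needed on the other methods this file handles.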
@ -68,6 +68,10 @@ function convert_to_camel_case($user) {
|
|||||||
unset($user['ratingpos']);
|
unset($user['ratingpos']);
|
||||||
$user['heskPrivileges'] = $user['heskprivileges'];
|
$user['heskPrivileges'] = $user['heskprivileges'];
|
||||||
unset($user['heskprivileges']);
|
unset($user['heskprivileges']);
|
||||||
|
$user['defaultCalendarView'] = $user['default_calendar_view'];
|
||||||
|
unset($user['default_calendar_view']);
|
||||||
|
$user['notifyOverdueUnassigned'] = $user['notify_overdue_unassigned'];
|
||||||
|
unset($user['notify_overdue_unassigned']);
|
||||||
|
|
||||||
return $user;
|
return $user;
|
||||||
}
|
}
|
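Review bot: The four added lines in `convert_to_camel_case` repeat the copy-then-unset pattern by hand, which is how the snake_case column names and the camelCase names documented in the endpoint's `@apiSuccess` block tend to drift apart; a small rename map walked in one loop keeps each pair on a single line and can absorb the existing `ratingpos`/`heskprivileges` rows above the hunk as well. The new lines also read `$user['default_calendar_view']` and `$user['notify_overdue_unassigned']` unconditionally, which raises an undefined-index notice if a row from an older schema lacks the column — I cannot tell from here whether the columns are guaranteed, so a key-existence guard is the conservative form. The function's signature and earlier renames start above the hunk.
```php
    // … unchanged: earlier field renames …
    $renames = [
        'default_calendar_view'     => 'defaultCalendarView',
        'notify_overdue_unassigned' => 'notifyOverdueUnassigned',
    ];
    foreach ($renames as $snake => $camel) {
        if (array_key_exists($snake, $user)) {
            $user[$camel] = $user[$snake];
            unset($user[$snake]);
        }
    }

    return $user;
```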
@ -5,8 +5,8 @@
|
|||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
/**
|
/**
|
||||||
* @apiDefine protected Protected
|
* @apiDefine protected Protected (Any)
|
||||||
* A protected API can only be utilized by those with a valid `X-Auth-Token`.
|
* A protected API can only be utilized by any user with a valid `X-Auth-Token`.
|
||||||
*/
|
*/
|
||||||
/**
|
/**
|
||||||
* @apiDefine invalidXAuthToken 401 Unauthorized
|
* @apiDefine invalidXAuthToken 401 Unauthorized
|
||||||
@ -15,4 +15,7 @@
|
|||||||
/**
|
/**
|
||||||
* @apiDefine noTokenProvided 400 Bad Request
|
* @apiDefine noTokenProvided 400 Bad Request
|
||||||
* No `X-Auth-Token` was provided.
|
* No `X-Auth-Token` was provided.
|
||||||
|
*
|
||||||
|
* @apiDefine canManUsers Protected (Can Manage Users)
|
||||||
|
* A protected API can only be utilized by users with a valid `X-Auth-Token` and have the 'can_man_users' permission (or is an admin)
|
||||||
*/
|
*/
|
@ -36,6 +36,8 @@ function get_user($hesk_settings, $id = NULL) {
|
|||||||
$row['ratingpos'] = intval($row['ratingpos']);
|
$row['ratingpos'] = intval($row['ratingpos']);
|
||||||
$row['autorefresh'] = intval($row['autorefresh']);
|
$row['autorefresh'] = intval($row['autorefresh']);
|
||||||
$row['active'] = get_boolean($row['active']);
|
$row['active'] = get_boolean($row['active']);
|
||||||
|
$row['default_calendar_view'] = intval($row['default_calendar_view']);
|
||||||
|
$row['notify_overdue_unassigned'] = get_boolean($row['notify_overdue_unassigned']);
|
||||||
|
|
||||||
|
|
||||||
// TODO: Remove this once GitHub #346 is complete
|
// TODO: Remove this once GitHub #346 is complete
|
||||||
|
@ -78,7 +78,7 @@ $request_method = $_SERVER['REQUEST_METHOD'];
|
|||||||
* "custom18": "",
|
* "custom18": "",
|
||||||
* "custom19": "",
|
* "custom19": "",
|
||||||
* "custom20": "",
|
* "custom20": "",
|
||||||
* "html": false,
|
* "html": false
|
||||||
* }
|
* }
|
||||||
*
|
*
|
||||||
* @apiError (noTokenProvided) 400 No `X-Auth-Token` was provided where it is required
|
* @apiError (noTokenProvided) 400 No `X-Auth-Token` was provided where it is required
|
||||||
|