Netsyms/Mods-for-HESK-Netsyms
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Secure the internal API

Browse Source
This commit is contained in:
Mike Koch 2016-05-02 17:14:18 -04:00
parent b9faaf2325
commit c77e53fa9e
3 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
internal-api/admin/api-authentication/index.php
View File

@ -4,15 +4,23 @@ define('HESK_PATH', '../../../');
define('INTERNAL_API_PATH', '../../');
require_once(HESK_PATH . 'hesk_settings.inc.php');
require_once(HESK_PATH . 'inc/common.inc.php');
require_once(HESK_PATH . 'inc/admin_functions.inc.php');
require_once(INTERNAL_API_PATH . 'core/output.php');
require_once(INTERNAL_API_PATH . 'dao/api_authentication_dao.php');
hesk_session_start();
hesk_load_internal_api_database_functions();
hesk_dbConnect();
// Routing
$request_method = $_SERVER['REQUEST_METHOD'];
if ($request_method == 'POST') {
if (!isset($_SESSION['heskprivileges']) || !hesk_checkPermission('can_man_settings', 0)) {
print_error('Access Denied', 'Access Denied!');
return http_response_code(401);
}
$user_id = $_POST['userId'];
$action = $_POST['action'];

7
internal-api/admin/api-settings/index.php
View File

@ -4,12 +4,19 @@ define('HESK_PATH', '../../../');
define('INTERNAL_API_PATH', '../../');
require_once(HESK_PATH . 'hesk_settings.inc.php');
require_once(HESK_PATH . 'inc/common.inc.php');
require_once(HESK_PATH . 'inc/admin_functions.inc.php');
require_once(INTERNAL_API_PATH . 'core/output.php');
require_once(INTERNAL_API_PATH . 'dao/settings_dao.php');
hesk_session_start();
hesk_load_internal_api_database_functions();
hesk_dbConnect();
if (!isset($_SESSION['heskprivileges']) || !hesk_checkPermission('can_man_settings', 0)) {
print_error('Access Denied', 'Access Denied!');
return http_response_code(401);
}
// Routing
$request_method = $_SERVER['REQUEST_METHOD'];
if ($request_method == 'POST') {

5
internal-api/admin/calendar/index.php
View File

@ -24,6 +24,11 @@ if ($request_method === 'GET') {
return output($events);
} elseif ($request_method === 'POST') {
if ($request_method !== 'update-ticket' && !hesk_checkPermission('can_man_calendar', 0)) {
print_error('Access Denied', 'Access Denied!');
return http_response_code(401);
}
$action = hesk_POST('action');
if ($action === 'create') {