Add permissions checks

action.php

@@ -26,6 +26,10 @@ function returnToSender($msg, $arg = "") {
     die();
 }
 
+if ($VARS['action'] != "signout" && !account_has_permission($_SESSION['username'], "INV_EDIT")) {
+    returnToSender("no_edit_permission");
+}
+
 switch ($VARS['action']) {
     case "edititem":
         $insert = true;

app.php

@@ -1,10 +1,7 @@
 <?php
 require_once __DIR__ . "/required.php";
 
-if ($_SESSION['loggedin'] != true) {
+redirectIfNotLoggedIn();
-    header('Location: index.php');
-    die("Session expired.  Log in again to continue.");
-}
 
 require_once __DIR__ . "/pages.php";
 

index.php

@@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/login.php";
 
 // if we're logged in, we don't need to be here.
-if ($_SESSION['loggedin']) {
+if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "INV_VIEW")) {
     header('Location: app.php');
 }
 
@@ -34,13 +34,17 @@ if (checkLoginServer()) {
                         break;
                 }
                 if ($userpass_ok) {
-                    $_SESSION['passok'] = true; // stop logins using only username and authcode
+                    if (account_has_permission($VARS['username'], "INV_VIEW") == FALSE) {
-                    if (userHasTOTP($VARS['username'])) {
+                        $alert = lang("no permission", false);
-                        $multiauth = true;
                     } else {
-                        doLoginUser($VARS['username'], $VARS['password']);
+                        $_SESSION['passok'] = true; // stop logins using only username and authcode
-                        header('Location: app.php');
+                        if (userHasTOTP($VARS['username'])) {
-                        die("Logged in, go to app.php");
+                            $multiauth = true;
+                        } else {
+                            doLoginUser($VARS['username'], $VARS['password']);
+                            header('Location: app.php');
+                            die("Logged in, go to app.php");
+                        }
                     }
                 }
             } else {

lang/en_us.php

@@ -15,6 +15,7 @@ define("STRINGS", [
     "account terminated" => "Account terminated.  Access denied.",
     "account state error" => "Your account state is not stable.  Log out, restart your browser, and try again.",
     "welcome user" => "Welcome, {user}!",
+    "no permission" => "You do not have permission to access this system.",
     "sign out" => "Sign out",
     "settings" => "Settings",
     "options" => "Options",
@@ -24,6 +25,7 @@ define("STRINGS", [
     "login server error" => "The login server returned an error: {arg}",
     "login server user data error" => "The login server refused to provide account information.  Try again or contact technical support.",
     "captcha error" => "There was a problem with the CAPTCHA (robot test).  Try again.",
+    "no edit permission" => "You do not have permission to modify records.",
     "home" => "Home",
     "invalid itemid" => "The item ID is invalid.",
     "invalid category" => "The category is invalid.",

lang/messages.php

@@ -13,6 +13,10 @@ define("MESSAGES", [
         "string" => "page not found",
         "type" => "info"
     ],
+    "no_edit_permission" => [
+        "string" => "no edit permission",
+        "type" => "danger"
+    ],
     "invalid_itemid" => [
         "string" => "invalid itemid",
         "type" => "danger"

lib/login.php

@@ -157,6 +157,37 @@ function get_account_status($username) {
     }
 }
 
+/**
+ * Check if the given username has the given permission (or admin access)
+ * @param string $username
+ * @param string $permcode
+ * @return boolean TRUE if the user has the permission (or admin access), else FALSE
+ */
+function account_has_permission($username, $permcode) {
+    $client = new GuzzleHttp\Client();
+
+    $response = $client
+            ->request('POST', PORTAL_API, [
+        'form_params' => [
+            'key' => PORTAL_KEY,
+            'action' => "permission",
+            'username' => $username,
+            'code' => $permcode
+        ]
+    ]);
+
+    if ($response->getStatusCode() > 299) {
+        sendError("Login server error: " . $response->getBody());
+    }
+
+    $resp = json_decode($response->getBody(), TRUE);
+    if ($resp['status'] == "OK") {
+        return $resp['has_permission'];
+    } else {
+        return false;
+    }
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 //                              Login handling                                //
 ////////////////////////////////////////////////////////////////////////////////

required.php

@@ -133,6 +133,10 @@ function dieifnotloggedin() {
         sendError("Session expired.  Please log out and log in again.");
         die();
     }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
+        die("You don't have permission to be here.");
+    }
 }
 
 /**
@@ -186,7 +190,12 @@ if (!function_exists('base_url')) {
 
 function redirectIfNotLoggedIn() {
     if ($_SESSION['loggedin'] !== TRUE) {
-        header('Location: ' . URL . '/index.php');
+        header('Location: ./index.php');
         die();
     }
+    require_once __DIR__ . "/lib/login.php";
+    if (account_has_permission($_SESSION['username'], "INV_VIEW") == FALSE) {
+        header('Location: ./index.php');
+        die("You don't have permission to be here.");
+    }
 }