diff --git a/mobile/index.php b/mobile/index.php
index 66f9721..beaad4a 100644
--- a/mobile/index.php
+++ b/mobile/index.php
@@ -8,10 +8,6 @@
  * Mobile app API
  */
-// The name of the permission needed to log in.
-// Set to null if you don't need it.
-$access_permission = "ADMIN";
-
 require __DIR__ . "/../required.php";
 header('Content-Type: application/json');
@@ -70,13 +66,14 @@ switch ($VARS['action']) {
         if ($user->exists()) {
             if ($user->getStatus()->getString() == "NORMAL") {
                 if ($user->checkPassword($VARS['password'])) {
-                    if (is_null($access_permission) || $user->hasPermission($access_permission)) {
-                        Session::start($user);
-                        $_SESSION['mobile'] = true;
-                        exit(json_encode(["status" => "OK"]));
-                    } else {
-                        exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no admin permission", false)]));
+                    foreach ($SETTINGS['permissions'] as $perm) {
+                        if (!$user->hasPermission($perm)) {
+                            exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)]));
+                        }
                     }
+                    Session::start($user);
+                    $_SESSION['mobile'] = true;
+                    exit(json_encode(["status" => "OK"]));
                 }
             }
         }
diff --git a/required.php b/required.php
index 56e7c10..1abb05b 100644
--- a/required.php
+++ b/required.php
@@ -145,11 +145,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     define("GET", true);
 }
-
 function dieifnotloggedin() {
     if ($_SESSION['loggedin'] != true) {
         die("You don't have permission to be here.");
     }
+    $user = new User($_SESSION['uid']);
+    foreach ($SETTINGS['permissions'] as $perm) {
+        if (!$user->hasPermission($perm)) {
+            session_destroy();
+            die("You don't have permission to be here.");
+        }
+    }
 }
 /**
@@ -174,4 +180,12 @@ function redirectIfNotLoggedIn() {
         header('Location: ' . $SETTINGS['url'] . '/index.php');
         die();
     }
+    $user = new User($_SESSION['uid']);
+    foreach ($SETTINGS['permissions'] as $perm) {
+        if (!$user->hasPermission($perm)) {
+            session_destroy();
+            header('Location: ./index.php');
+            die("You don't have permission to be here.");
+        }
+    }
 }
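Review bot: The new loop in the mobile login hunk fails open when `$SETTINGS['permissions']` is missing or not an array: `foreach` over a non-array only emits a warning and runs zero iterations, so `Session::start($user)` on the line after the loop is reached with nothing checked, whereas the removed `is_null($access_permission)` branch made "no requirement" an explicit, deliberate choice. Deny by default before the loop, e.g. `if (!is_array($SETTINGS['permissions'] ?? null)) { exit(json_encode(["status" => "ERROR", "msg" => $Strings->get("no permission", false)])); }`, and give the same treatment to the two copies of this loop in `required.php` (`dieifnotloggedin` and `redirectIfNotLoggedIn`); a single shared helper in `required.php` such as `userHasRequiredPermissions(User $user): bool` would keep the three sites from drifting. The new `"no permission"` string key is assumed to exist in the language catalog, since this diff does not add it. The enclosing `switch` case starts outside the hunk.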
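Review bot: In `dieifnotloggedin()` the added `foreach ($SETTINGS['permissions'] as $perm)` reads a function-local `$SETTINGS` that is never declared: PHP functions do not see file-level variables, and the whole function body is visible in this hunk with no `global $SETTINGS;`, so `$SETTINGS` is `null`, the loop emits a warning and runs zero times, and every logged-in user passes the new permission gate. Add `global $SETTINGS;` as the first statement of the function (or have the settings passed in), and treat a missing or non-array `$SETTINGS['permissions']` as a denial rather than as "no requirement". `new User($_SESSION['uid'])` now also runs on every call of this guard; if that constructor queries the database, a short comment saying the per-request cost is intended would help the next maintainer.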
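Review bot: The new denial path in `redirectIfNotLoggedIn()` redirects to the relative `./index.php` while the existing not-logged-in branch two lines above uses the absolute `$SETTINGS['url'] . '/index.php'`; a relative `Location` resolves against whichever page included `required.php`, so a caller outside the web root is sent somewhere else. Use `header('Location: ' . $SETTINGS['url'] . '/index.php');` here as well. The function's opening is outside the hunk, so whether it declares `global $SETTINGS;` cannot be seen here; the existing use of `$SETTINGS['url']` suggests it does, but confirm, because without it the loop silently runs zero times and the check passes everyone. As in the mobile login hunk, a missing or non-array `$SETTINGS['permissions']` should deny rather than skip.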