moved different api calls

This commit is contained in:
2026-05-17 17:20:06 +02:00
parent 776342d595
commit 369657a622
34 changed files with 39 additions and 40 deletions

View File

@@ -0,0 +1,28 @@
<?php
use api\classes\API_portalsettings;
session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_portalsettings.php';
$API_portalsettings = new API_portalsettings();
if ($API_portalsettings->request_method === 'PUT') {
# Edit the portal settings of the platform
$API_portalsettings->checkPermissions('admin-portalsettings', 'RW');
$requiredFields = [
'portal_uuid' => ['type' => 'uuid'],
'portal_name' => ['type' => 'string'],
'portal_provider_name' => ['type' => 'string'],
'admin_auth_methods' => ['type' => 'string']
];
$API_portalsettings->validateData($requiredFields);
# Update the permission
$API_portalsettings->updatePortalSettings();
}

View File

@@ -0,0 +1,46 @@
<?php
use api\classes\API_permissions;
use api\classes\API_usergroups;
session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php';
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_usergroups.php';
$API_permissions = new API_permissions();
$API_usergroups = new API_usergroups();
if ($API_permissions->request_method === 'GET') {
# to be made, get all the access-rights and implement the builder
} elseif ($API_permissions->request_method === 'PUT') {
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
$API_permissions->return_url = false;
$API_permissions->checkPermissions('admin-access-control-permissions', 'RW');
$requiredFields = [
'permission_uuid' => ['type' => 'uuid'],
'user_group_uuid' => ['type' => 'uuid'],
'permission_value' => ['type' => 'enum', 'values' => ['NA', 'RO', 'RW']],
];
$API_permissions->validateData($requiredFields);
# check if the permission exists
$_GET['builder'] = [1 => ['where' => [0 => 'permission_uuid', 1 => $API_permissions->data['permission_uuid']]]];
$API_permissions->getPermission();
# check if the user_group_uuid exists
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $API_permissions->data['user_group_uuid']]]];
$user_group = $API_usergroups->getUsergroup();
# if the user updating the permissions is in a lower group (higher group weight number) prevent them for doing so to prevent
# Privilege escalation.
if ($user_group[0]['user_group_weight'] < $_SESSION['user']['user_group_weight']) {
$API_permissions->apiOutput(405, ['error' => 'You are not allowed to update this user since you are in a lower group']);
}
# Update the permission
$API_permissions->updateAccessRights();
}

View File

@@ -0,0 +1,43 @@
<?php
use api\classes\API_mailsettings;
session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_mailsettings.php';
$API_mailsettings = new API_mailsettings();
if ($API_mailsettings->request_method === 'PUT') {
# Edit the mailsettings of the platform
$API_mailsettings->checkPermissions('admin-mailsettings', 'RW');
$requiredFields = [
'portal_uuid' => ['type' => 'uuid'],
'mail_from_name' => ['type' => 'string'],
'mail_from_address' => ['type' => 'email'],
'mail_smtp_host' => ['type' => 'string'],
'mail_smtp_secure' => ['type' => 'enum', 'values' => ['tls', 'ssl', 'no']],
'mail_smtp_port' => ['type' => 'int', 'min' => 4, 'max' => 65535],
'mail_smtp_auth' => ['type' => 'boolean'],
'mail_smtp_user' => ['type' => 'string'],
'mail_smtp_pass' => ['type' => 'string']
];
# check if the password is changed
$updatePassword = str_contains($API_mailsettings->postedData['mail_smtp_pass'], '******') ? false : true;
if ($updatePassword) {
if (strlen($API_mailsettings->postedData['mail_smtp_pass']) < 12) {
$API_mailsettings->apiOutput(400, ['error' => 'Password too short']);
}
if (preg_match('/^(.)\1{5,}$/', $API_mailsettings->postedData['mail_smtp_pass'])) {
$API_mailsettings->apiOutput(400, ['error' => 'Password insecure']);
}
}
$API_mailsettings->validateData($requiredFields);
# Update the permission
$API_mailsettings->updateMailSettings($updatePassword);
}

View File

@@ -0,0 +1,89 @@
<?php
use api\classes\API_permissions;
session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php';
$API_permissions = new API_permissions();
if ($API_permissions->request_method === 'GET') {
# Retrieve all the permissions a user and return them.
$API_permissions->checkPermissions('admin-access-control-permissions', 'RO');
$requiredFields = [];
$optionalFields = [
'permission_uuid' => ['type' => 'uuid'],
'permission_name' => ['type' => 'string'],
'permission_slugify' => ['type' => 'slugify'],
'permission_description' => ['type' => 'string'],
'permission_create_timestamp' => ['type' => 'timestamp'],
'permission_modified_timestamp' => ['type' => 'timestamp']
];
$API_permissions->validateData($requiredFields, $optionalFields);
$permissions = $API_permissions->getPermission();
$API_permissions->apiOutput($code = 200, ['success' => $permissions], 'permission_retrieved');
} elseif ($API_permissions->request_method === 'POST') {
# Only superuser can create permission due to fact that the backend needs programming when setting a permission
if (!$API_permissions->isSuperuser()) {
$API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
}
$requiredFields = [
'permission_name' => ['type' => 'string', 'min' => 6, 'max' => 255],
'permission_slugify' => ['type' => 'slugify', 'min' => 6, 'max' => 255],
'permission_description' => ['type' => 'string', 'min' => 1, 'max' => 512],
'module_uuid' => ['type' => 'uuid'],
];
$API_permissions->validateData($requiredFields);
$API_permissions->createPermission();
} elseif ($API_permissions->request_method === 'PUT') {
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
if (!$API_permissions->isSuperuser()) {
$API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
}
$requiredFields = [
'permission_uuid' => ['type' => 'uuid'],
'permission_name' => ['type' => 'string', 'min' => 6, 'max' => 255],
'permission_description' => ['type' => 'string', 'min' => 1, 'max' => 512],
'module_uuid' => ['type' => 'uuid'],
];
$API_permissions->validateData($requiredFields);
# check if the permission exists
$_GET['builder'] = [1 => ['where' => [0 => 'permission_uuid', 1 => $API_permissions->data['permission_uuid']]]];
$API_permissions->getPermission();
# Update the permission
$API_permissions->updatePermission();
} elseif ($API_permissions->request_method === 'DELETE') {
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
if (!$API_permissions->isSuperuser()) {
$API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
}
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
$API_permissions->return_url = false;
$requiredFields = ['permission_uuid' => ['type' => 'uuid']];
$API_permissions->validateData($requiredFields);
# check if the permission exists
$_GET['builder'] = [1 => ['where' => [0 => 'permission_uuid', 1 => $API_permissions->data['permission_uuid']]]];
$API_permissions->getPermission();
# delete permission
$API_permissions->deletePermission();
}

View File

@@ -0,0 +1,67 @@
<?php
use api\classes\API_usergroups;
session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_usergroups.php';
$API_usergroups = new API_usergroups();
if ($API_usergroups->request_method === 'GET') {
# GET a user group(s)
} elseif ($API_usergroups->request_method === 'POST') {
# Create a new user group
$API_usergroups->checkPermissions('admin-access-control-user-groups', 'RW');
$requiredFields = [
'user_group_name' => ['type' => 'string'],
'user_group_slugify' => ['type' => 'slugify'],
'user_group_weight' => ['type' => 'int'],
'user_group_type' => ['type' => 'enum', 'values' => ['admin', 'user']],
];
$API_usergroups->validateData($requiredFields);
# superuser group is a fixed group name for the superuser
if ($API_usergroups->data['user_group_name'] === 'superuser' || $API_usergroups->data['user_group_slugify'] === 'superuser') {
$API_usergroups->apiOutput(400, ['error' => 'superuser group cannot be created'], 'cannot_add_superuser_group');
}
$API_usergroups->createUsergroups();
} elseif ($API_usergroups->request_method === 'PUT') {
# Update a user group
$requiredFields = [
'user_group_uuid' => ['type' => 'uuid'],
'user_group_name' => ['type' => 'string'],
'user_group_weight' => ['type' => 'int'],
];
$API_usergroups->validateData($requiredFields);
$API_usergroups->updateUserGroup();
} elseif ($API_usergroups->request_method === 'DELETE') {
# Delete a user group
$API_usergroups->checkPermissions('admin-access-control-user-groups', 'RW');
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
$API_usergroups->return_url = false;
$requiredFields = ['user_group_uuid' => ['type' => 'uuid']];
$API_usergroups->validateData($requiredFields);
# Delete the device from the database.
$API_usergroups->deleteUsergroup();
}

View File

@@ -0,0 +1,89 @@
<?php
use api\classes\API_users;
session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_users.php';
$API_users = new API_users();
if ($API_users->request_method === 'GET') {
#echo json_encode($api->getAllUsers());
} elseif ($API_users->request_method === 'POST') {
# create a new user
$API_users->checkPermissions('admin-access-admins', 'RW');
$requiredFields = [
'user_group_uuid' => ['type' => 'uuid'],
'user_email' => ['type' => 'email'],
'user_first_name' => ['type' => 'string'],
'user_last_name' => ['type' => 'string'],
'user_full_name' => ['type' => 'string'],
'user_phone_number' => ['type' => 'string'],
'user_status' => ['type' => 'enum', 'values' => ['active', 'inactive', 'banned', 'pending']],
'user_password' => ['type' => 'string'],
'user_pref_language' => ['type' => 'string'],
'user_password_reset_token' => ['type' => 'string'],
'user_password_reset_expires' => ['type' => 'int'],
];
# The user will need to verify their email, the password field cannot be NULL so set an random password for now till the user resets it on when verifing there email
$random_string = substr(str_shuffle(str_repeat('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01', 64)), 0, rand(50, 64));
$user_password = password_hash($random_string, PASSWORD_BCRYPT, ["cost" => 12]);
$API_users->postedData['user_password'] = $user_password;
$API_users->postedData['user_full_name'] = trim($_POST['user_first_name'] . ' ' . $_POST['user_last_name']);
$API_users->postedData['user_pref_language'] = $_POST['user_pref_language'] ?? 'en';
# Password reset token that will be send to the newly created user
$API_users->postedData['user_password_reset_token'] = bin2hex(random_bytes(32));
$API_users->postedData['user_password_reset_expires'] = time() + 86400;
$API_users->validateData($requiredFields);
$API_users->createUser();
} elseif ($API_users->request_method === 'PUT') {
# Edit a user
$API_users->checkPermissions('admin-access-admins', 'RW');
$requiredFields = [
'user_uuid' => ['type' => 'uuid'],
'user_group_uuid' => ['type' => 'uuid'],
'user_email' => ['type' => 'email'],
'user_first_name' => ['type' => 'string'],
'user_last_name' => ['type' => 'string'],
'user_full_name' => ['type' => 'string'],
'user_phone_number' => ['type' => 'string'],
'user_status' => ['type' => 'enum', 'values' => ['active', 'inactive', 'banned', 'pending']],
'user_pref_language' => ['type' => 'string'],
'user_stompable' => ['type' => 'boolean']
];
$API_users->postedData['user_full_name'] = trim($_POST['user_first_name'] . ' ' . $_POST['user_last_name']);
$API_users->postedData['user_pref_language'] = $_POST['user_pref_language'] ?? 'en';
$API_users->postedData['user_stompable'] = (bool)$_POST['user_stompable'];
$API_users->validateData($requiredFields);
$API_users->updateUser();
} elseif ($API_users->request_method === 'DELETE') {
$API_users->return_url = false;
$API_users->checkPermissions('admin-access-admins', 'RW');
$requiredFields = [
'user_uuid' => ['type' => 'uuid'],
];
$API_users->validateData($requiredFields);
$API_users->deleteUser();
}