diff --git a/pub/api/classes/API_apitoken.php b/pub/api/classes/API_apitoken.php index 4e19144..4123c0e 100644 --- a/pub/api/classes/API_apitoken.php +++ b/pub/api/classes/API_apitoken.php @@ -3,6 +3,7 @@ namespace api\classes; use api\classes\API; +use api\classes\API_users; require_once 'API.php'; @@ -25,6 +26,46 @@ class API_apitoken extends API return $tokens; } + public function getUserTokens($returnBoolean = false) + { + list($query, $types, $params) = $this->buildDynamicQuery('system_api_tokens'); + + $items = $this->generalGetFunction($query, $types, $params, $returnBoolean, 'User'); + + return $items; + } + + public function checkTokenPermissions() + { + # First we need to find to what user the api_token belongs to if its not given. + # If the user_uuid is unknown, get the user_uuid based on the api_token_being. + if (!$this->data['user_uuid']) { + $_GET['builder'] = [1 => ['where' => [0 => 'api_token_uuid', 1 => $this->data['api_token_uuid']]]]; + $this->data['user_uuid'] = $this->getUserTokens()[0]['user_uuid']; + } + + if ($this->getUserUuid() === $this->data['user_uuid']) { + # The user is modifying its own api_token + $this->checkPermissions('user-apitoken-self', 'RW'); + + } else { + # An API token is being modified owned by another user. We need to make sure the current user is allowed to + # modify tokens of others. + $this->checkPermissions('user-apitoken-others', 'RW'); + + # Now get the user_group_uuid and then retrieve the group_weight + require_once 'API_users.php'; + $API_users = new API_users(); + $_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $this->data['user_uuid']]]]; + $user_group_uuid = $API_users->getUser()[0]['user_group_uuid']; + $user_group_weight = $API_users->getUserGroupWeight($user_group_uuid); + + if ($user_group_weight < $_SESSION['user']['user_group_weight']) { + $this->apiOutput(401, ['error' => 'You are not authorized to access this resource.']); + } + } + } + public function createNewToken() { diff --git a/pub/api/classes/API_users.php b/pub/api/classes/API_users.php index b07551a..52eafce 100644 --- a/pub/api/classes/API_users.php +++ b/pub/api/classes/API_users.php @@ -90,12 +90,14 @@ The Sentri gnomes'; $this->apiOutput(200, ['success' => 'User created successfully. mail has been sent']); } - private function getUserGroupWeight() + public function getUserGroupWeight($user_group_uuid = false) { require_once 'API_usergroups.php'; $API_usergroups = new API_usergroups(); - $_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $this->data['user_group_uuid']]]]; + + $uuid = $user_group_uuid ?: $this->data['user_group_uuid']; + $_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $uuid]]]; return $API_usergroups->getUserGroup()[0]['user_group_weight']; } diff --git a/pub/api/v1/user/apitoken/index.php b/pub/api/v1/user/apitoken/index.php index 280b43f..a333814 100644 --- a/pub/api/v1/user/apitoken/index.php +++ b/pub/api/v1/user/apitoken/index.php @@ -19,14 +19,7 @@ if ($API_apitoken->request_method === 'GET') { $API_apitoken->validateData($requiredFields); - if ($API_apitoken->getUserUuid() === $API_apitoken->data['user_uuid']) { - $API_apitoken->checkPermissions('user-apitoken-self', 'RW'); - - } else { - - $API_apitoken->checkPermissions('user-apitoken-others', 'RO'); - - } + $API_apitoken->checkTokenPermissions($API_apitoken->data['user_uuid']); $apitokens = $API_apitoken->getTokens(); @@ -46,23 +39,7 @@ if ($API_apitoken->request_method === 'GET') { $API_apitoken->validateData($requiredFields, $optionalFields); - # First retrieve the user_uuid from the post and lookup the user - require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_users.php'; - - $API_users = new API_users(); - $_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $API_apitoken->data['user_uuid']]]]; - $user_data = $API_users->getUser()[0]; - - if ($API_apitoken->getUserUuid() === $API_apitoken->data['user_uuid']) { - $API_apitoken->checkPermissions('user-apitoken-self', 'RW'); - - } else { - if ($user_data['user_email'] === 'superuser') { - $API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']); - } - - $API_apitoken->checkPermissions('user-apitoken-others', 'RW'); - } + $API_apitoken->checkTokenPermissions(); $API_apitoken->createNewToken(); @@ -77,18 +54,12 @@ if ($API_apitoken->request_method === 'GET') { 'api_token_uuid' => ['type' => 'uuid'], 'api_token_revoked' => ['type' => 'boolean'], ]; + $API_apitoken->validateData($requiredFields); + $api_token_data = $API_apitoken->getToken(); - if ($API_apitoken->getUserUuid() === $api_token_data['user_uuid']) { - $API_apitoken->checkPermissions('user-apitoken-self', 'RW'); - } else { - if ($api_token_data['user_email'] === 'superuser') { - $API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']); - } - $API_apitoken->checkPermissions('user-apitoken-others', 'RW'); - } - + $API_apitoken->checkTokenPermissions(); $API_apitoken->revokeToken(); @@ -103,17 +74,11 @@ if ($API_apitoken->request_method === 'GET') { $requiredFields = [ 'api_token_uuid' => ['type' => 'uuid'], ]; + $API_apitoken->validateData($requiredFields); $api_token_data = $API_apitoken->getToken(); - if ($API_apitoken->getUserUuid() === $api_token_data['user_uuid']) { - $API_apitoken->checkPermissions('user-apitoken-self', 'RW'); - } else { - if ($api_token_data['user_email'] === 'superuser') { - $API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']); - } - $API_apitoken->checkPermissions('user-apitoken-others', 'RW'); - } + $API_apitoken->checkTokenPermissions(); $API_apitoken->deleteToken(); diff --git a/pub/bin/pages/portal-management/pageAccessControl_admin_view.php b/pub/bin/pages/portal-management/pageAccessControl_admin_view.php index 3e7d612..b528bd4 100644 --- a/pub/bin/pages/portal-management/pageAccessControl_admin_view.php +++ b/pub/bin/pages/portal-management/pageAccessControl_admin_view.php @@ -60,6 +60,11 @@ if ($result->num_rows == 1) { $_GET['user_uuid'] = $user_uuid; +$userHashigherGroupWeight = false; +if ($admin_data['user_group_weight'] > $_SESSION['user']['user_group_weight']) { + $userHashigherGroupWeight = true; +}; + $API_token = new API_apitoken(); $requiredFields = ['user_uuid' => ['type' => 'uuid']]; $API_token->validateData($requiredFields); @@ -258,10 +263,13 @@ if ($admin_data) { ?> checkPermissions('user-apitoken-others', 'RW', true)) { ?>
- - + +
+ > + +
@@ -269,7 +277,8 @@ if ($admin_data) { ?> - + + @@ -281,23 +290,27 @@ if ($admin_data) { ?> + checkPermissions('user-apitoken-others', 'RW', true)) { ?> diff --git a/sql-update-1.2.2.sql b/sql-update-1.2.2.sql index 9fa7736..b08b923 100644 --- a/sql-update-1.2.2.sql +++ b/sql-update-1.2.2.sql @@ -1 +1 @@ -ALTER TABLE `system_api_tokens` ADD COLUMN `api_token_name` CHAR(64) NOT NULL AFTER `api_token`; \ No newline at end of file +ALTER TABLE `system_api_tokens` ADD COLUMN `api_token_name` CHAR(64) AFTER `api_token`; \ No newline at end of file
tokenToken idToken Name Expiration Created Last used
-
- +
+
+
- +