Apply group weight system to API token modifications
This commit is contained in:
@@ -3,6 +3,7 @@
|
||||
namespace api\classes;
|
||||
|
||||
use api\classes\API;
|
||||
use api\classes\API_users;
|
||||
|
||||
require_once 'API.php';
|
||||
|
||||
@@ -25,6 +26,46 @@ class API_apitoken extends API
|
||||
return $tokens;
|
||||
}
|
||||
|
||||
public function getUserTokens($returnBoolean = false)
|
||||
{
|
||||
list($query, $types, $params) = $this->buildDynamicQuery('system_api_tokens');
|
||||
|
||||
$items = $this->generalGetFunction($query, $types, $params, $returnBoolean, 'User');
|
||||
|
||||
return $items;
|
||||
}
|
||||
|
||||
public function checkTokenPermissions()
|
||||
{
|
||||
# First we need to find to what user the api_token belongs to if its not given.
|
||||
# If the user_uuid is unknown, get the user_uuid based on the api_token_being.
|
||||
if (!$this->data['user_uuid']) {
|
||||
$_GET['builder'] = [1 => ['where' => [0 => 'api_token_uuid', 1 => $this->data['api_token_uuid']]]];
|
||||
$this->data['user_uuid'] = $this->getUserTokens()[0]['user_uuid'];
|
||||
}
|
||||
|
||||
if ($this->getUserUuid() === $this->data['user_uuid']) {
|
||||
# The user is modifying its own api_token
|
||||
$this->checkPermissions('user-apitoken-self', 'RW');
|
||||
|
||||
} else {
|
||||
# An API token is being modified owned by another user. We need to make sure the current user is allowed to
|
||||
# modify tokens of others.
|
||||
$this->checkPermissions('user-apitoken-others', 'RW');
|
||||
|
||||
# Now get the user_group_uuid and then retrieve the group_weight
|
||||
require_once 'API_users.php';
|
||||
$API_users = new API_users();
|
||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $this->data['user_uuid']]]];
|
||||
$user_group_uuid = $API_users->getUser()[0]['user_group_uuid'];
|
||||
$user_group_weight = $API_users->getUserGroupWeight($user_group_uuid);
|
||||
|
||||
if ($user_group_weight < $_SESSION['user']['user_group_weight']) {
|
||||
$this->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function createNewToken()
|
||||
{
|
||||
|
||||
|
||||
@@ -90,12 +90,14 @@ The Sentri gnomes';
|
||||
$this->apiOutput(200, ['success' => 'User created successfully. mail has been sent']);
|
||||
}
|
||||
|
||||
private function getUserGroupWeight()
|
||||
public function getUserGroupWeight($user_group_uuid = false)
|
||||
{
|
||||
require_once 'API_usergroups.php';
|
||||
|
||||
$API_usergroups = new API_usergroups();
|
||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $this->data['user_group_uuid']]]];
|
||||
|
||||
$uuid = $user_group_uuid ?: $this->data['user_group_uuid'];
|
||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $uuid]]];
|
||||
|
||||
return $API_usergroups->getUserGroup()[0]['user_group_weight'];
|
||||
}
|
||||
|
||||
@@ -19,14 +19,7 @@ if ($API_apitoken->request_method === 'GET') {
|
||||
|
||||
$API_apitoken->validateData($requiredFields);
|
||||
|
||||
if ($API_apitoken->getUserUuid() === $API_apitoken->data['user_uuid']) {
|
||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
||||
|
||||
} else {
|
||||
|
||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RO');
|
||||
|
||||
}
|
||||
$API_apitoken->checkTokenPermissions($API_apitoken->data['user_uuid']);
|
||||
|
||||
$apitokens = $API_apitoken->getTokens();
|
||||
|
||||
@@ -46,23 +39,7 @@ if ($API_apitoken->request_method === 'GET') {
|
||||
|
||||
$API_apitoken->validateData($requiredFields, $optionalFields);
|
||||
|
||||
# First retrieve the user_uuid from the post and lookup the user
|
||||
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_users.php';
|
||||
|
||||
$API_users = new API_users();
|
||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $API_apitoken->data['user_uuid']]]];
|
||||
$user_data = $API_users->getUser()[0];
|
||||
|
||||
if ($API_apitoken->getUserUuid() === $API_apitoken->data['user_uuid']) {
|
||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
||||
|
||||
} else {
|
||||
if ($user_data['user_email'] === 'superuser') {
|
||||
$API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||
}
|
||||
|
||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RW');
|
||||
}
|
||||
$API_apitoken->checkTokenPermissions();
|
||||
|
||||
$API_apitoken->createNewToken();
|
||||
|
||||
@@ -77,18 +54,12 @@ if ($API_apitoken->request_method === 'GET') {
|
||||
'api_token_uuid' => ['type' => 'uuid'],
|
||||
'api_token_revoked' => ['type' => 'boolean'],
|
||||
];
|
||||
|
||||
$API_apitoken->validateData($requiredFields);
|
||||
|
||||
$api_token_data = $API_apitoken->getToken();
|
||||
|
||||
if ($API_apitoken->getUserUuid() === $api_token_data['user_uuid']) {
|
||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
||||
} else {
|
||||
if ($api_token_data['user_email'] === 'superuser') {
|
||||
$API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||
}
|
||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RW');
|
||||
}
|
||||
|
||||
$API_apitoken->checkTokenPermissions();
|
||||
|
||||
$API_apitoken->revokeToken();
|
||||
|
||||
@@ -103,17 +74,11 @@ if ($API_apitoken->request_method === 'GET') {
|
||||
$requiredFields = [
|
||||
'api_token_uuid' => ['type' => 'uuid'],
|
||||
];
|
||||
|
||||
$API_apitoken->validateData($requiredFields);
|
||||
$api_token_data = $API_apitoken->getToken();
|
||||
|
||||
if ($API_apitoken->getUserUuid() === $api_token_data['user_uuid']) {
|
||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
||||
} else {
|
||||
if ($api_token_data['user_email'] === 'superuser') {
|
||||
$API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||
}
|
||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RW');
|
||||
}
|
||||
$API_apitoken->checkTokenPermissions();
|
||||
|
||||
$API_apitoken->deleteToken();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user