Apply group weight system to API token modifications
This commit is contained in:
@@ -3,6 +3,7 @@
|
|||||||
namespace api\classes;
|
namespace api\classes;
|
||||||
|
|
||||||
use api\classes\API;
|
use api\classes\API;
|
||||||
|
use api\classes\API_users;
|
||||||
|
|
||||||
require_once 'API.php';
|
require_once 'API.php';
|
||||||
|
|
||||||
@@ -25,6 +26,46 @@ class API_apitoken extends API
|
|||||||
return $tokens;
|
return $tokens;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function getUserTokens($returnBoolean = false)
|
||||||
|
{
|
||||||
|
list($query, $types, $params) = $this->buildDynamicQuery('system_api_tokens');
|
||||||
|
|
||||||
|
$items = $this->generalGetFunction($query, $types, $params, $returnBoolean, 'User');
|
||||||
|
|
||||||
|
return $items;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function checkTokenPermissions()
|
||||||
|
{
|
||||||
|
# First we need to find to what user the api_token belongs to if its not given.
|
||||||
|
# If the user_uuid is unknown, get the user_uuid based on the api_token_being.
|
||||||
|
if (!$this->data['user_uuid']) {
|
||||||
|
$_GET['builder'] = [1 => ['where' => [0 => 'api_token_uuid', 1 => $this->data['api_token_uuid']]]];
|
||||||
|
$this->data['user_uuid'] = $this->getUserTokens()[0]['user_uuid'];
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($this->getUserUuid() === $this->data['user_uuid']) {
|
||||||
|
# The user is modifying its own api_token
|
||||||
|
$this->checkPermissions('user-apitoken-self', 'RW');
|
||||||
|
|
||||||
|
} else {
|
||||||
|
# An API token is being modified owned by another user. We need to make sure the current user is allowed to
|
||||||
|
# modify tokens of others.
|
||||||
|
$this->checkPermissions('user-apitoken-others', 'RW');
|
||||||
|
|
||||||
|
# Now get the user_group_uuid and then retrieve the group_weight
|
||||||
|
require_once 'API_users.php';
|
||||||
|
$API_users = new API_users();
|
||||||
|
$_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $this->data['user_uuid']]]];
|
||||||
|
$user_group_uuid = $API_users->getUser()[0]['user_group_uuid'];
|
||||||
|
$user_group_weight = $API_users->getUserGroupWeight($user_group_uuid);
|
||||||
|
|
||||||
|
if ($user_group_weight < $_SESSION['user']['user_group_weight']) {
|
||||||
|
$this->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public function createNewToken()
|
public function createNewToken()
|
||||||
{
|
{
|
||||||
|
|
||||||
|
|||||||
@@ -90,12 +90,14 @@ The Sentri gnomes';
|
|||||||
$this->apiOutput(200, ['success' => 'User created successfully. mail has been sent']);
|
$this->apiOutput(200, ['success' => 'User created successfully. mail has been sent']);
|
||||||
}
|
}
|
||||||
|
|
||||||
private function getUserGroupWeight()
|
public function getUserGroupWeight($user_group_uuid = false)
|
||||||
{
|
{
|
||||||
require_once 'API_usergroups.php';
|
require_once 'API_usergroups.php';
|
||||||
|
|
||||||
$API_usergroups = new API_usergroups();
|
$API_usergroups = new API_usergroups();
|
||||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $this->data['user_group_uuid']]]];
|
|
||||||
|
$uuid = $user_group_uuid ?: $this->data['user_group_uuid'];
|
||||||
|
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $uuid]]];
|
||||||
|
|
||||||
return $API_usergroups->getUserGroup()[0]['user_group_weight'];
|
return $API_usergroups->getUserGroup()[0]['user_group_weight'];
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -19,14 +19,7 @@ if ($API_apitoken->request_method === 'GET') {
|
|||||||
|
|
||||||
$API_apitoken->validateData($requiredFields);
|
$API_apitoken->validateData($requiredFields);
|
||||||
|
|
||||||
if ($API_apitoken->getUserUuid() === $API_apitoken->data['user_uuid']) {
|
$API_apitoken->checkTokenPermissions($API_apitoken->data['user_uuid']);
|
||||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
|
||||||
|
|
||||||
} else {
|
|
||||||
|
|
||||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RO');
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
$apitokens = $API_apitoken->getTokens();
|
$apitokens = $API_apitoken->getTokens();
|
||||||
|
|
||||||
@@ -46,23 +39,7 @@ if ($API_apitoken->request_method === 'GET') {
|
|||||||
|
|
||||||
$API_apitoken->validateData($requiredFields, $optionalFields);
|
$API_apitoken->validateData($requiredFields, $optionalFields);
|
||||||
|
|
||||||
# First retrieve the user_uuid from the post and lookup the user
|
$API_apitoken->checkTokenPermissions();
|
||||||
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_users.php';
|
|
||||||
|
|
||||||
$API_users = new API_users();
|
|
||||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $API_apitoken->data['user_uuid']]]];
|
|
||||||
$user_data = $API_users->getUser()[0];
|
|
||||||
|
|
||||||
if ($API_apitoken->getUserUuid() === $API_apitoken->data['user_uuid']) {
|
|
||||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
|
||||||
|
|
||||||
} else {
|
|
||||||
if ($user_data['user_email'] === 'superuser') {
|
|
||||||
$API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
|
||||||
}
|
|
||||||
|
|
||||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RW');
|
|
||||||
}
|
|
||||||
|
|
||||||
$API_apitoken->createNewToken();
|
$API_apitoken->createNewToken();
|
||||||
|
|
||||||
@@ -77,18 +54,12 @@ if ($API_apitoken->request_method === 'GET') {
|
|||||||
'api_token_uuid' => ['type' => 'uuid'],
|
'api_token_uuid' => ['type' => 'uuid'],
|
||||||
'api_token_revoked' => ['type' => 'boolean'],
|
'api_token_revoked' => ['type' => 'boolean'],
|
||||||
];
|
];
|
||||||
|
|
||||||
$API_apitoken->validateData($requiredFields);
|
$API_apitoken->validateData($requiredFields);
|
||||||
|
|
||||||
$api_token_data = $API_apitoken->getToken();
|
$api_token_data = $API_apitoken->getToken();
|
||||||
|
|
||||||
if ($API_apitoken->getUserUuid() === $api_token_data['user_uuid']) {
|
$API_apitoken->checkTokenPermissions();
|
||||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
|
||||||
} else {
|
|
||||||
if ($api_token_data['user_email'] === 'superuser') {
|
|
||||||
$API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
|
||||||
}
|
|
||||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RW');
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
$API_apitoken->revokeToken();
|
$API_apitoken->revokeToken();
|
||||||
|
|
||||||
@@ -103,17 +74,11 @@ if ($API_apitoken->request_method === 'GET') {
|
|||||||
$requiredFields = [
|
$requiredFields = [
|
||||||
'api_token_uuid' => ['type' => 'uuid'],
|
'api_token_uuid' => ['type' => 'uuid'],
|
||||||
];
|
];
|
||||||
|
|
||||||
$API_apitoken->validateData($requiredFields);
|
$API_apitoken->validateData($requiredFields);
|
||||||
$api_token_data = $API_apitoken->getToken();
|
$api_token_data = $API_apitoken->getToken();
|
||||||
|
|
||||||
if ($API_apitoken->getUserUuid() === $api_token_data['user_uuid']) {
|
$API_apitoken->checkTokenPermissions();
|
||||||
$API_apitoken->checkPermissions('user-apitoken-self', 'RW');
|
|
||||||
} else {
|
|
||||||
if ($api_token_data['user_email'] === 'superuser') {
|
|
||||||
$API_apitoken->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
|
||||||
}
|
|
||||||
$API_apitoken->checkPermissions('user-apitoken-others', 'RW');
|
|
||||||
}
|
|
||||||
|
|
||||||
$API_apitoken->deleteToken();
|
$API_apitoken->deleteToken();
|
||||||
|
|
||||||
|
|||||||
@@ -60,6 +60,11 @@ if ($result->num_rows == 1) {
|
|||||||
|
|
||||||
$_GET['user_uuid'] = $user_uuid;
|
$_GET['user_uuid'] = $user_uuid;
|
||||||
|
|
||||||
|
$userHashigherGroupWeight = false;
|
||||||
|
if ($admin_data['user_group_weight'] > $_SESSION['user']['user_group_weight']) {
|
||||||
|
$userHashigherGroupWeight = true;
|
||||||
|
};
|
||||||
|
|
||||||
$API_token = new API_apitoken();
|
$API_token = new API_apitoken();
|
||||||
$requiredFields = ['user_uuid' => ['type' => 'uuid']];
|
$requiredFields = ['user_uuid' => ['type' => 'uuid']];
|
||||||
$API_token->validateData($requiredFields);
|
$API_token->validateData($requiredFields);
|
||||||
@@ -258,10 +263,13 @@ if ($admin_data) { ?>
|
|||||||
<?php if ($API_token->checkPermissions('user-apitoken-others', 'RW', true)) { ?>
|
<?php if ($API_token->checkPermissions('user-apitoken-others', 'RW', true)) { ?>
|
||||||
<form method="POST" action="/api/v1/user/apitoken/">
|
<form method="POST" action="/api/v1/user/apitoken/">
|
||||||
<input type="hidden" name="user_uuid" value="<?php echo $user_uuid ?>">
|
<input type="hidden" name="user_uuid" value="<?php echo $user_uuid ?>">
|
||||||
<input type="hidden" name="_return" value="/accesscontrol/?admin_view=<?php echo $user_uuid ?>">
|
<input type="hidden" name="_return" value="/userprofile/">
|
||||||
<button type="submit" href="#" class="btn btn-primary">
|
<div class="input-group mb-3">
|
||||||
<i class="fa-solid fa-plus"></i> Generate new token
|
<input type="text" name="api_token_name" class="form-control" placeholder="API Token name..." aria-label="API Token name..." aria-describedby="button-addon2" <?php echo($userHashigherGroupWeight ? '' : 'disabled') ?>>
|
||||||
|
<button type="submit" href="#" class="btn btn-success" <?php echo($userHashigherGroupWeight ? '' : 'disabled') ?>>
|
||||||
|
<i class="fa-solid fa-plus"></i> <?php echo __('generate_new_api_token') ?>
|
||||||
</button>
|
</button>
|
||||||
|
</div>
|
||||||
</form>
|
</form>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
</div>
|
</div>
|
||||||
@@ -269,7 +277,8 @@ if ($admin_data) { ?>
|
|||||||
<table class="table table-hover table-striped">
|
<table class="table table-hover table-striped">
|
||||||
<thead>
|
<thead>
|
||||||
<tr>
|
<tr>
|
||||||
<th>token</th>
|
<th>Token id</th>
|
||||||
|
<th>Token Name</th>
|
||||||
<th>Expiration</th>
|
<th>Expiration</th>
|
||||||
<th>Created</th>
|
<th>Created</th>
|
||||||
<th>Last used</th>
|
<th>Last used</th>
|
||||||
@@ -281,23 +290,27 @@ if ($admin_data) { ?>
|
|||||||
<tr>
|
<tr>
|
||||||
<td class="text-nowrap" style="max-width: 100%;">
|
<td class="text-nowrap" style="max-width: 100%;">
|
||||||
<div class="d-flex align-items-center gap-2" style="max-width: 100%;">
|
<div class="d-flex align-items-center gap-2" style="max-width: 100%;">
|
||||||
<div class="text-truncate" style="max-width: 200px;">
|
<div class="text-truncate" style="max-width: 200px;" id="<?php echo $token_data['api_token_uuid'] ?>" data-copy-data="<?php echo $token_data['api_token_uuid']; ?>">
|
||||||
<?php echo substr($token_data['api_token'], 0, 15) . '...'; ?>
|
<?php echo $token_data['api_token_uuid']; ?>
|
||||||
</div>
|
</div>
|
||||||
|
<button type="button" class="btn btn-sm btn-outline-secondary" data-copy-target="<?php echo $token_data['api_token_uuid'] ?>" title="Copy ID">
|
||||||
|
<i class="fa-solid fa-copy"></i>
|
||||||
|
</button>
|
||||||
</div>
|
</div>
|
||||||
</td>
|
</td>
|
||||||
|
<td><?php echo $token_data['api_token_name'] ?></td>
|
||||||
<td><?php showTime($token_data['api_token_expiration_timestamp']) ?></td>
|
<td><?php showTime($token_data['api_token_expiration_timestamp']) ?></td>
|
||||||
<td><?php showTime($token_data['api_token_created_timestamp']) ?></td>
|
<td><?php showTime($token_data['api_token_created_timestamp']) ?></td>
|
||||||
<td><?php showTime($token_data['api_token_last_used_timestamp']) ?></td>
|
<td><?php showTime($token_data['api_token_last_used_timestamp']) ?></td>
|
||||||
<td>
|
<td>
|
||||||
<label class="switch">
|
<label class="switch">
|
||||||
<input type="checkbox" class="checkbox" data-api-data='<?php echo json_encode(['api_token_uuid' => $token_data['api_token_uuid'], 'api_token_revoked' => $token_data['api_token_revoked'] ? 1 : 0]) ?>' data-api-changevalue="api_token_revoked" data-api-url="/api/v1/user/apitoken/" <?php echo((($token_data['api_token_revoked'])) ? 'checked' : '') ?>>
|
<input type="checkbox" class="checkbox" data-api-data='<?php echo json_encode(['api_token_uuid' => $token_data['api_token_uuid'], 'api_token_revoked' => $token_data['api_token_revoked'] ? 1 : 0]) ?>' data-api-changevalue="api_token_revoked" data-api-url="/api/v1/user/apitoken/" <?php echo((($token_data['api_token_revoked'])) ? 'checked' : '') ?> <?php echo($userHashigherGroupWeight ? '' : 'disabled') ?>>
|
||||||
<div class="slider"></div>
|
<div class="slider"></div>
|
||||||
</label>
|
</label>
|
||||||
</td>
|
</td>
|
||||||
<?php if ($API_token->checkPermissions('user-apitoken-others', 'RW', true)) { ?>
|
<?php if ($API_token->checkPermissions('user-apitoken-others', 'RW', true)) { ?>
|
||||||
<td class="text-nowrap">
|
<td class="text-nowrap">
|
||||||
<a href="#" class="btn btn-danger btn-sm btn-rounded delete-btn" data-item-uuid="<?php echo $token_data['api_token_uuid'] ?>" data-item-name="api_token_uuid" data-api-url="/api/v1/user/apitoken/"><i class="fas fa-trash-alt"></i></a>
|
<a href="#" class="btn btn-danger btn-sm btn-rounded delete-btn <?php echo($userHashigherGroupWeight ? '' : 'disabled') ?>" data-item-uuid="<?php echo $token_data['api_token_uuid'] ?>" data-item-name="api_token_uuid" data-api-url="/api/v1/user/apitoken/"><i class="fas fa-trash-alt"></i></a>
|
||||||
</td>
|
</td>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
</tr>
|
</tr>
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
ALTER TABLE `system_api_tokens` ADD COLUMN `api_token_name` CHAR(64) NOT NULL AFTER `api_token`;
|
ALTER TABLE `system_api_tokens` ADD COLUMN `api_token_name` CHAR(64) AFTER `api_token`;
|
||||||
Reference in New Issue
Block a user