Compare commits
5 Commits
3b200d30cb
...
a7e3c54a89
| Author | SHA1 | Date | |
|---|---|---|---|
| a7e3c54a89 | |||
| 98d5d1cb18 | |||
| c408e43283 | |||
| 9de2fc0ad1 | |||
| ec82b2add0 |
@@ -4,6 +4,7 @@ namespace api\classes;
|
|||||||
class API
|
class API
|
||||||
{
|
{
|
||||||
public $conn;
|
public $conn;
|
||||||
|
public $pdo;
|
||||||
|
|
||||||
# The user uuid that requested the API
|
# The user uuid that requested the API
|
||||||
protected $user_uuid;
|
protected $user_uuid;
|
||||||
@@ -42,14 +43,21 @@ class API
|
|||||||
# Used for the query builder base
|
# Used for the query builder base
|
||||||
public $baseQuery = false;
|
public $baseQuery = false;
|
||||||
|
|
||||||
|
# Used for the general get function, this prevents SQL injecting by only allowing these columns instead of
|
||||||
|
# Whatever the user inputs straigt into the query.
|
||||||
|
public $allowedGetColumns = false;
|
||||||
|
|
||||||
|
# Cache the columns of the tables for some small performance improvements.
|
||||||
|
private static array $columnCache = [];
|
||||||
|
|
||||||
public function __construct()
|
public function __construct()
|
||||||
{
|
{
|
||||||
|
|
||||||
require_once $_SERVER['DOCUMENT_ROOT'] . '/bin/php/db_connect.php';
|
require_once $_SERVER['DOCUMENT_ROOT'] . '/bin/php/db_connect.php';
|
||||||
include_once $_SERVER['DOCUMENT_ROOT'] . '/bin/php/Functions/globalFunctions.php';
|
include_once $_SERVER['DOCUMENT_ROOT'] . '/bin/php/Functions/globalFunctions.php';
|
||||||
|
|
||||||
# Setup Database connection
|
# Setup Database connection
|
||||||
$this->conn = $GLOBALS['conn'];
|
$this->conn = $GLOBALS['conn'];
|
||||||
|
$this->pdo = $GLOBALS['pdo'];
|
||||||
|
|
||||||
if (!empty($_SESSION['user']['user_uuid'])) {
|
if (!empty($_SESSION['user']['user_uuid'])) {
|
||||||
$this->InitUserTypeFrontend();
|
$this->InitUserTypeFrontend();
|
||||||
@@ -474,16 +482,22 @@ class API
|
|||||||
$allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'];
|
$allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'];
|
||||||
$method = $_SERVER['REQUEST_METHOD'] ?? '';
|
$method = $_SERVER['REQUEST_METHOD'] ?? '';
|
||||||
|
|
||||||
# The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
|
# The X-HTTP-Method-Override header is allowed for API requests because
|
||||||
# some web servers do not support PUT or DELETE methods by default.
|
# some web servers do not support PUT or DELETE methods by default.
|
||||||
# This override is only applied when the request method is POST and the header is present.
|
# This override is only applied when the request method is POST and the header is present.
|
||||||
if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) {
|
if ($method === 'POST') {
|
||||||
$override = strtoupper($_POST['X-HTTP-Method-Override']);
|
# $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] is from API calls
|
||||||
|
# $_POST['X-HTTP-Method-Override'] if from API calls from the frontend.
|
||||||
|
$override = $_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $_POST['X-HTTP-Method-Override'] ?? null;
|
||||||
|
|
||||||
|
if (is_string($override)) {
|
||||||
|
$override = strtoupper($override);
|
||||||
|
|
||||||
if (in_array($override, $allowedMethods, true)) {
|
if (in_array($override, $allowedMethods, true)) {
|
||||||
$method = $override;
|
$method = $override;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!in_array($method, $allowedMethods, true)) {
|
if (!in_array($method, $allowedMethods, true)) {
|
||||||
return false;
|
return false;
|
||||||
@@ -688,6 +702,8 @@ class API
|
|||||||
|
|
||||||
protected function buildDynamicQuery(string $tableName): array
|
protected function buildDynamicQuery(string $tableName): array
|
||||||
{
|
{
|
||||||
|
$this->allowedGetColumns = $this->loadTableColumns($tableName);
|
||||||
|
|
||||||
if (!$this->baseQuery) {
|
if (!$this->baseQuery) {
|
||||||
$this->baseQuery = "SELECT * FROM " . $tableName;
|
$this->baseQuery = "SELECT * FROM " . $tableName;
|
||||||
}
|
}
|
||||||
@@ -708,6 +724,10 @@ class API
|
|||||||
$column = $builder['where'][0];
|
$column = $builder['where'][0];
|
||||||
$value = $builder['where'][1];
|
$value = $builder['where'][1];
|
||||||
|
|
||||||
|
if (!in_array($column, $this->allowedGetColumns, true)) {
|
||||||
|
$this->apiOutput(400, ['error' => 'The column ' . $column . ' is not allowed.']);
|
||||||
|
}
|
||||||
|
|
||||||
$whereClauses[] = "$column = ?";
|
$whereClauses[] = "$column = ?";
|
||||||
$types .= 's';
|
$types .= 's';
|
||||||
$values[] = $value;
|
$values[] = $value;
|
||||||
@@ -720,6 +740,20 @@ class API
|
|||||||
return [$this->baseQuery, $types, $values];
|
return [$this->baseQuery, $types, $values];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function loadTableColumns(string $tableName): array
|
||||||
|
{
|
||||||
|
if (isset(self::$columnCache[$tableName])) {
|
||||||
|
return self::$columnCache[$tableName];
|
||||||
|
}
|
||||||
|
|
||||||
|
$sql = "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ?";
|
||||||
|
|
||||||
|
$stmt = $this->pdo->prepare($sql);
|
||||||
|
$stmt->execute([$tableName]);
|
||||||
|
|
||||||
|
return self::$columnCache[$tableName] = $stmt->fetchAll(\PDO::FETCH_COLUMN);
|
||||||
|
}
|
||||||
|
|
||||||
protected function generalGetFunction($query, $types, $params, $returnBoolean, $itemName)
|
protected function generalGetFunction($query, $types, $params, $returnBoolean, $itemName)
|
||||||
{
|
{
|
||||||
$stmt = $this->prepareStatement($query);
|
$stmt = $this->prepareStatement($query);
|
||||||
|
|||||||
@@ -29,4 +29,13 @@ class API_office_stompjes extends API
|
|||||||
|
|
||||||
$this->apiOutput(200, ['success' => 'Stomp removed.']);
|
$this->apiOutput(200, ['success' => 'Stomp removed.']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function getStomp()
|
||||||
|
{
|
||||||
|
list($query, $types, $params) = $this->buildDynamicQuery('office_stompjes');
|
||||||
|
|
||||||
|
$items = $this->generalGetFunction($query, $types, $params, false, 'Stompjes');
|
||||||
|
|
||||||
|
return ($items);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
@@ -108,15 +108,27 @@ The Sentri gnomes';
|
|||||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $this->data['user_uuid']]]];
|
$_GET['builder'] = [1 => ['where' => [0 => 'user_uuid', 1 => $this->data['user_uuid']]]];
|
||||||
$this->getUser();
|
$this->getUser();
|
||||||
|
|
||||||
if ($this->getUserGroupWeight() < $_SESSION['user']['user_group_weight']) {
|
if (!isset($this->postedData['user_profile_change']) && $this->getUserGroupWeight() < $_SESSION['user']['user_group_weight']) {
|
||||||
$this->apiOutput(400, ['error' => 'You cannot edit a user with an lower weight then yourself!']);
|
$this->apiOutput(400, ['error' => 'You cannot edit a user with a lower weight than yourself!']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$query = "UPDATE system_users SET user_group_uuid = ?, user_email = ?, user_first_name = ?, user_last_name = ?, user_full_name = ?, user_phone_number = ?, user_status = ?, user_pref_language = ?, user_modified_timestamp = ?, user_stompable = ? WHERE user_uuid = ?";
|
$data = $this->data;
|
||||||
$stmt = $this->prepareStatement($query);
|
|
||||||
$stmt->bind_param('ssssssssiis', $this->data['user_group_uuid'], $this->data['user_email'], $this->data['user_first_name'], $this->data['user_last_name'], $this->data['user_full_name'], $this->data['user_phone_number'], $this->data['user_status'], $this->data['user_pref_language'], time(), $this->data['user_stompable'], $this->data['user_uuid']);
|
|
||||||
|
|
||||||
$this->executeStatement($stmt);
|
$userUuid = $data['user_uuid'];
|
||||||
|
unset($data['user_uuid']);
|
||||||
|
|
||||||
|
# always set timestamp
|
||||||
|
$data['user_modified_timestamp'] = time();
|
||||||
|
|
||||||
|
$set = [];
|
||||||
|
foreach ($data as $key => $value) {
|
||||||
|
$set[] = "$key = :$key";
|
||||||
|
}
|
||||||
|
|
||||||
|
$sql = sprintf("UPDATE system_users SET %s WHERE user_uuid = :user_uuid", implode(', ', $set));
|
||||||
|
$stmt = $GLOBALS['pdo']->prepare($sql);
|
||||||
|
$data['user_uuid'] = $userUuid;
|
||||||
|
$stmt->execute($data);
|
||||||
|
|
||||||
$this->apiOutput(200, ['success' => 'User successfully updated.']);
|
$this->apiOutput(200, ['success' => 'User successfully updated.']);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -12,9 +12,15 @@ if (!$GLOBALS['modules_enabled']['office']) {
|
|||||||
echo '405 Not Allowed';
|
echo '405 Not Allowed';
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
if ($API_office_stompjes->request_method === 'GET') {
|
||||||
|
$API_office_stompjes->checkPermissions('office-stompjes', 'RO');
|
||||||
|
|
||||||
if ($API_office_stompjes->request_method === 'POST') {
|
$stompjes = $API_office_stompjes->getStomp();
|
||||||
$API_office_stompjes->checkPermissions('ofice-stompjes-canstomp', 'RW');
|
|
||||||
|
$API_office_stompjes->apiOutput($code = 200, ['success' => $stompjes]);
|
||||||
|
|
||||||
|
} elseif ($API_office_stompjes->request_method === 'POST') {
|
||||||
|
$API_office_stompjes->checkPermissions('office-stompjes-canstomp', 'RW');
|
||||||
|
|
||||||
$API_office_stompjes->return_url = false;
|
$API_office_stompjes->return_url = false;
|
||||||
|
|
||||||
@@ -30,7 +36,7 @@ if ($API_office_stompjes->request_method === 'POST') {
|
|||||||
} elseif ($API_office_stompjes->request_method === 'DELETE') {
|
} elseif ($API_office_stompjes->request_method === 'DELETE') {
|
||||||
|
|
||||||
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
|
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
|
||||||
$API_office_stompjes->checkPermissions('ofice-stompjes', 'RW');
|
$API_office_stompjes->checkPermissions('office-stompjes', 'RW');
|
||||||
|
|
||||||
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
|
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
|
||||||
$API_office_stompjes->return_url = false;
|
$API_office_stompjes->return_url = false;
|
||||||
|
|||||||
@@ -48,8 +48,24 @@ if ($API_users->request_method === 'GET') {
|
|||||||
$API_users->createUser();
|
$API_users->createUser();
|
||||||
|
|
||||||
} elseif ($API_users->request_method === 'PUT') {
|
} elseif ($API_users->request_method === 'PUT') {
|
||||||
|
|
||||||
# Edit a user
|
# Edit a user
|
||||||
|
if (isset($API_users->postedData['user_profile_change'])) { # If the user is changing their own profile
|
||||||
|
$API_users->postedData['user_uuid'] = $_SESSION['user']['user_uuid']; # Make sure the user being changed is always its own user_uuid
|
||||||
|
|
||||||
|
$requiredFields = [
|
||||||
|
'user_uuid' => ['type' => 'uuid'],
|
||||||
|
'user_email' => ['type' => 'email'],
|
||||||
|
'user_first_name' => ['type' => 'string'],
|
||||||
|
'user_last_name' => ['type' => 'string'],
|
||||||
|
'user_full_name' => ['type' => 'string'],
|
||||||
|
'user_pref_language' => ['type' => 'enum', 'values' => ['en', 'nl']],
|
||||||
|
];
|
||||||
|
|
||||||
|
$optionalFields = [
|
||||||
|
'user_phone_number' => ['type' => 'string']
|
||||||
|
];
|
||||||
|
|
||||||
|
} else {
|
||||||
$API_users->checkPermissions('admin-access-admins', 'RW');
|
$API_users->checkPermissions('admin-access-admins', 'RW');
|
||||||
|
|
||||||
$requiredFields = [
|
$requiredFields = [
|
||||||
@@ -68,9 +84,11 @@ if ($API_users->request_method === 'GET') {
|
|||||||
'user_stompable' => ['type' => 'boolean']
|
'user_stompable' => ['type' => 'boolean']
|
||||||
];
|
];
|
||||||
|
|
||||||
|
$API_users->postedData['user_stompable'] = (bool)$API_users->postedData['user_stompable'];
|
||||||
|
}
|
||||||
|
|
||||||
$API_users->postedData['user_full_name'] = trim($API_users->postedData['user_first_name'] . ' ' . $API_users->postedData['user_last_name']);
|
$API_users->postedData['user_full_name'] = trim($API_users->postedData['user_first_name'] . ' ' . $API_users->postedData['user_last_name']);
|
||||||
$API_users->postedData['user_pref_language'] = $API_users->postedData['user_pref_language'] ?? 'en';
|
$API_users->postedData['user_pref_language'] = $API_users->postedData['user_pref_language'] ?? 'en';
|
||||||
$API_users->postedData['user_stompable'] = (bool)$API_users->postedData['user_stompable'];
|
|
||||||
|
|
||||||
$API_users->validateData($requiredFields, $optionalFields);
|
$API_users->validateData($requiredFields, $optionalFields);
|
||||||
|
|
||||||
@@ -78,7 +96,6 @@ if ($API_users->request_method === 'GET') {
|
|||||||
|
|
||||||
} elseif ($API_users->request_method === 'DELETE') {
|
} elseif ($API_users->request_method === 'DELETE') {
|
||||||
|
|
||||||
|
|
||||||
$API_users->return_url = false;
|
$API_users->return_url = false;
|
||||||
|
|
||||||
$API_users->checkPermissions('admin-access-admins', 'RW');
|
$API_users->checkPermissions('admin-access-admins', 'RW');
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API.php';
|
|||||||
|
|
||||||
# Check permissions
|
# Check permissions
|
||||||
$API = new API();
|
$API = new API();
|
||||||
if (!$API->checkPermissions('ofice-stompjes', 'RO', true)) {
|
if (!$API->checkPermissions('office-stompjes', 'RO', true)) {
|
||||||
echo 'error 401 unauthorized';
|
echo 'error 401 unauthorized';
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
@@ -135,7 +135,7 @@ while ($row = $stmt->fetch_assoc()) {
|
|||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="col col-stats ms-3 ms-sm-0">
|
<div class="col col-stats ms-3 ms-sm-0">
|
||||||
<a href="#" class="btn btn-warning btn-lg btn-rounded stomp-btn w-100 <?php echo (!$API->checkPermissions('ofice-stompjes-canstomp', 'RW', true)) ? 'disabled' : '' ?>" data-item-uuid="<?php echo $administrator['user_uuid'] ?>" data-item-name="user_uuid" data-api-url="/api/v1/office/stompjes/"><i class="fa-solid fa-hand-fist"></i></a>
|
<a href="#" class="btn btn-warning btn-lg btn-rounded stomp-btn w-100 <?php echo (!$API->checkPermissions('office-stompjes-canstomp', 'RW', true)) ? 'disabled' : '' ?>" data-item-uuid="<?php echo $administrator['user_uuid'] ?>" data-item-name="user_uuid" data-api-url="/api/v1/office/stompjes/"><i class="fa-solid fa-hand-fist"></i></a>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
@@ -154,7 +154,7 @@ while ($row = $stmt->fetch_assoc()) {
|
|||||||
<th></th>
|
<th></th>
|
||||||
<th><?php echo __('first_name') ?></th>
|
<th><?php echo __('first_name') ?></th>
|
||||||
<th><?php echo __('time') ?></th>
|
<th><?php echo __('time') ?></th>
|
||||||
<?php if ($API->checkPermissions('ofice-stompjes', 'RW', true)) { ?>
|
<?php if ($API->checkPermissions('office-stompjes', 'RW', true)) { ?>
|
||||||
<th><?php echo __('actions') ?></th>
|
<th><?php echo __('actions') ?></th>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
</tr>
|
</tr>
|
||||||
@@ -164,7 +164,7 @@ while ($row = $stmt->fetch_assoc()) {
|
|||||||
<th></th>
|
<th></th>
|
||||||
<th><?php echo __('first_name') ?></th>
|
<th><?php echo __('first_name') ?></th>
|
||||||
<th><?php echo __('time') ?></th>
|
<th><?php echo __('time') ?></th>
|
||||||
<?php if ($API->checkPermissions('ofice-stompjes', 'RW', true)) { ?>
|
<?php if ($API->checkPermissions('office-stompjes', 'RW', true)) { ?>
|
||||||
<th><?php echo __('actions') ?></th>
|
<th><?php echo __('actions') ?></th>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
</tr>
|
</tr>
|
||||||
@@ -180,7 +180,7 @@ while ($row = $stmt->fetch_assoc()) {
|
|||||||
</td>
|
</td>
|
||||||
<td class="text-nowrap"><?php echo $administrators[$stompje['user_uuid']]['user_first_name'] ?></td>
|
<td class="text-nowrap"><?php echo $administrators[$stompje['user_uuid']]['user_first_name'] ?></td>
|
||||||
<td class="text-nowrap"><?php echo date('d-m-y H:i:s', $stompje['stomp_timestamp']) ?></td>
|
<td class="text-nowrap"><?php echo date('d-m-y H:i:s', $stompje['stomp_timestamp']) ?></td>
|
||||||
<?php if ($API->checkPermissions('ofice-stompjes', 'RW', true)) { ?>
|
<?php if ($API->checkPermissions('office-stompjes', 'RW', true)) { ?>
|
||||||
<td>
|
<td>
|
||||||
<a href="#" class="btn btn-danger btn-sm btn-rounded stomp-delete-btn" data-item-uuid="<?php echo $stompje['stomp_uuid'] ?>" data-api-url="/api/v1/office/stompjes/" data-item-name="stomp_uuid"><i class="fas fa-trash-alt"></i></a>
|
<a href="#" class="btn btn-danger btn-sm btn-rounded stomp-delete-btn" data-item-uuid="<?php echo $stompje['stomp_uuid'] ?>" data-api-url="/api/v1/office/stompjes/" data-item-name="stomp_uuid"><i class="fas fa-trash-alt"></i></a>
|
||||||
</td>
|
</td>
|
||||||
|
|||||||
@@ -47,7 +47,7 @@ function showCard($module_name, $page_name, $width = 3)
|
|||||||
showCard('servers', 'server_overview', '6');
|
showCard('servers', 'server_overview', '6');
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($GLOBALS['modules_enabled']['office'] && $API->checkPermissions('ofice-stompjes', 'RO', true)) {
|
if ($GLOBALS['modules_enabled']['office'] && $API->checkPermissions('office-stompjes', 'RO', true)) {
|
||||||
showCard('office', 'stompjeslist');
|
showCard('office', 'stompjeslist');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -51,8 +51,10 @@ $pageNavbar->outPutNavbar();
|
|||||||
|
|
||||||
if ($user_data) {
|
if ($user_data) {
|
||||||
$formBuilder->startForm(); ?>
|
$formBuilder->startForm(); ?>
|
||||||
<form id="FormValidation" enctype="multipart/form-data" method="POST" action="/api/v1/userprofile/configure/">
|
<form id="FormValidation" enctype="multipart/form-data" method="POST" action="/api/v1/portal-management/users/">
|
||||||
|
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
|
||||||
<input type="hidden" name="user_uuid" value="<?php echo $user_uuid; ?>"/>
|
<input type="hidden" name="user_uuid" value="<?php echo $user_uuid; ?>"/>
|
||||||
|
<input type="hidden" name="user_profile_change" value="true"/>
|
||||||
<div class="card-body">
|
<div class="card-body">
|
||||||
|
|
||||||
<div class="form-group form-show-validation row">
|
<div class="form-group form-show-validation row">
|
||||||
|
|||||||
@@ -237,7 +237,7 @@ class pageBuilder extends API
|
|||||||
<?php
|
<?php
|
||||||
showPage('portal-management', 'dashboard');
|
showPage('portal-management', 'dashboard');
|
||||||
|
|
||||||
if ($GLOBALS['modules_enabled']['office'] && $API->checkPermissions('ofice-stompjes', 'RO', true)) {
|
if ($GLOBALS['modules_enabled']['office'] && $API->checkPermissions('office-stompjes', 'RO', true)) {
|
||||||
showSpan('office');
|
showSpan('office');
|
||||||
showPage('office', 'stompjeslist');
|
showPage('office', 'stompjeslist');
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1 +1,5 @@
|
|||||||
ALTER TABLE `system_users` CHANGE COLUMN `user_pref_language` `user_pref_language` ENUM("en","nl") NOT NULL DEFAULT 'en' COLLATE 'utf8mb4_general_ci' AFTER `user_login_attempts`;
|
ALTER TABLE `system_users` CHANGE COLUMN `user_pref_language` `user_pref_language` ENUM("en","nl") NOT NULL DEFAULT 'en' COLLATE 'utf8mb4_general_ci' AFTER `user_login_attempts`;
|
||||||
|
UPDATE `sentri`.`system_permissions` SET `permission_name`='office-stompjes-canstomp' WHERE `permission_uuid`='5f284b11-de7c-11f0-9d57-00155d00153f';
|
||||||
|
UPDATE `sentri`.`system_permissions` SET `permission_name`='office-stompjes' WHERE `permission_uuid`='11abc93d-c265-11f0-95da-7e99ed98b725';
|
||||||
|
UPDATE `sentri`.`system_permissions` SET `permission_slugify`='office-stompjes' WHERE `permission_uuid`='11abc93d-c265-11f0-95da-7e99ed98b725';
|
||||||
|
UPDATE `sentri`.`system_permissions` SET `permission_slugify`='office-stompjes-canstomp' WHERE `permission_uuid`='5f284b11-de7c-11f0-9d57-00155d00153f';
|
||||||
Reference in New Issue
Block a user