Compare commits
4 Commits
5a27c678b1
...
7960b378ed
| Author | SHA1 | Date | |
|---|---|---|---|
| 7960b378ed | |||
| 1fa58e4508 | |||
| f4cd8e9cde | |||
| 38f8584ecf |
@@ -688,7 +688,7 @@ class API
|
|||||||
|
|
||||||
protected function buildDynamicQuery(string $tableName): array
|
protected function buildDynamicQuery(string $tableName): array
|
||||||
{
|
{
|
||||||
unset($this->baseQuery);
|
$this->baseQuery = '';
|
||||||
if (!$this->baseQuery) {
|
if (!$this->baseQuery) {
|
||||||
$this->baseQuery = "SELECT * FROM " . $tableName;
|
$this->baseQuery = "SELECT * FROM " . $tableName;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -14,7 +14,6 @@ if ($API_permissions->request_method === 'GET') {
|
|||||||
# to be made, get all the access-rights and implement the builder
|
# to be made, get all the access-rights and implement the builder
|
||||||
|
|
||||||
} elseif ($API_permissions->request_method === 'PUT') {
|
} elseif ($API_permissions->request_method === 'PUT') {
|
||||||
|
|
||||||
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
|
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
|
||||||
$API_permissions->return_url = false;
|
$API_permissions->return_url = false;
|
||||||
|
|
||||||
@@ -34,7 +33,13 @@ if ($API_permissions->request_method === 'GET') {
|
|||||||
|
|
||||||
# check if the user_group_uuid exists
|
# check if the user_group_uuid exists
|
||||||
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $API_permissions->data['user_group_uuid']]]];
|
$_GET['builder'] = [1 => ['where' => [0 => 'user_group_uuid', 1 => $API_permissions->data['user_group_uuid']]]];
|
||||||
$API_usergroups->getUsergroup();
|
$user_group = $API_usergroups->getUsergroup();
|
||||||
|
|
||||||
|
# if the user updating the permissions is in a lower group (higher group weight number) prevent them for doing so to prevent
|
||||||
|
# Privilege escalation.
|
||||||
|
if ($user_group[0]['user_group_weight'] < $_SESSION['user']['user_group_weight']) {
|
||||||
|
$API_permissions->apiOutput(405, ['error' => 'You are not allowed to update this user since you are in a lower group']);
|
||||||
|
}
|
||||||
|
|
||||||
# Update the permission
|
# Update the permission
|
||||||
$API_permissions->updateAccessRights();
|
$API_permissions->updateAccessRights();
|
||||||
|
|||||||
@@ -20,7 +20,7 @@ if ($API_mailsettings->request_method === 'PUT') {
|
|||||||
'mail_smtp_secure' => ['type' => 'enum', 'values' => ['tls', 'ssl', 'no']],
|
'mail_smtp_secure' => ['type' => 'enum', 'values' => ['tls', 'ssl', 'no']],
|
||||||
'mail_smtp_port' => ['type' => 'int', 'min' => 4, 'max' => 65535],
|
'mail_smtp_port' => ['type' => 'int', 'min' => 4, 'max' => 65535],
|
||||||
'mail_smtp_auth' => ['type' => 'boolean'],
|
'mail_smtp_auth' => ['type' => 'boolean'],
|
||||||
'mail_smtp_user' => ['type' => 'email'],
|
'mail_smtp_user' => ['type' => 'string'],
|
||||||
'mail_smtp_pass' => ['type' => 'string']
|
'mail_smtp_pass' => ['type' => 'string']
|
||||||
];
|
];
|
||||||
# check if the password is changed
|
# check if the password is changed
|
||||||
|
|||||||
@@ -47,8 +47,10 @@ if ($API_permissions->request_method === 'GET') {
|
|||||||
|
|
||||||
} elseif ($API_permissions->request_method === 'PUT') {
|
} elseif ($API_permissions->request_method === 'PUT') {
|
||||||
|
|
||||||
# Update the permission name and description
|
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
|
||||||
$API_permissions->checkPermissions('admin-access-control-permissions', 'RW');
|
if (!$API_permissions->isSuperuser()) {
|
||||||
|
$API_permissions->apiOutput(401, ['error' => 'You are not authorized to access this resource.']);
|
||||||
|
}
|
||||||
|
|
||||||
$requiredFields = [
|
$requiredFields = [
|
||||||
'permission_uuid' => ['type' => 'uuid'],
|
'permission_uuid' => ['type' => 'uuid'],
|
||||||
|
|||||||
@@ -301,4 +301,5 @@ return [
|
|||||||
'source_inserve_sync_licenses_desc' => 'This API call first executes the <b>Sync cloud distributor companies</b> action and then synchronizes all servers in an active, deleted, or trial state with Inserve licenses. It creates or updates server licenses in Inserve if they do not exist or if the license quantities differ from those in Sentri.',
|
'source_inserve_sync_licenses_desc' => 'This API call first executes the <b>Sync cloud distributor companies</b> action and then synchronizes all servers in an active, deleted, or trial state with Inserve licenses. It creates or updates server licenses in Inserve if they do not exist or if the license quantities differ from those in Sentri.',
|
||||||
'source_inserve_sync_subscriptions' => 'Sync server subscriptions',
|
'source_inserve_sync_subscriptions' => 'Sync server subscriptions',
|
||||||
'source_inserve_sync_subscriptions_desc' => 'This API call first executes the <b>Sync cloud distributor</b> companies action and then creates a subscription if it does not exist, or updates the subscription description if it does. It also creates subscription lines with the correct product_code entered in the <b>custom source data</b> JSON field.',
|
'source_inserve_sync_subscriptions_desc' => 'This API call first executes the <b>Sync cloud distributor</b> companies action and then creates a subscription if it does not exist, or updates the subscription description if it does. It also creates subscription lines with the correct product_code entered in the <b>custom source data</b> JSON field.',
|
||||||
|
'not_allowed_to_change_due_to_group_weight' => 'You are not permitted to modify these settings because has a lower group weight, which is used to enforce hierarchy and prevent privilege escalation.',
|
||||||
];
|
];
|
||||||
@@ -301,4 +301,5 @@ return [
|
|||||||
'source_inserve_sync_licenses_desc' => 'Deze API-call voert eerst de <b>Synchroniseer cloud-distributeurbedrijven</b> actie uit en synchroniseert daarna alle servers in een actieve, verwijderde of trial status met Inserve-licenties. Het maakt serverlicenties in Inserve aan of werkt ze bij als ze niet bestaan of als de licentieaantallen afwijken van die in Sentri.',
|
'source_inserve_sync_licenses_desc' => 'Deze API-call voert eerst de <b>Synchroniseer cloud-distributeurbedrijven</b> actie uit en synchroniseert daarna alle servers in een actieve, verwijderde of trial status met Inserve-licenties. Het maakt serverlicenties in Inserve aan of werkt ze bij als ze niet bestaan of als de licentieaantallen afwijken van die in Sentri.',
|
||||||
'source_inserve_sync_subscriptions' => 'Synchroniseer serverabonnementen',
|
'source_inserve_sync_subscriptions' => 'Synchroniseer serverabonnementen',
|
||||||
'source_inserve_sync_subscriptions_desc' => 'Deze API-call voert eerst de actie <b>Sync cloud distributor companies</b> uit en maakt vervolgens een abonnement aan als dit nog niet bestaat, of werkt de beschrijving van het abonnement bij als het wel bestaat. Daarnaast worden abonnementsregels aangemaakt met de juiste product_code die is ingevuld in het <b>custom source data</b> JSON-veld.',
|
'source_inserve_sync_subscriptions_desc' => 'Deze API-call voert eerst de actie <b>Sync cloud distributor companies</b> uit en maakt vervolgens een abonnement aan als dit nog niet bestaat, of werkt de beschrijving van het abonnement bij als het wel bestaat. Daarnaast worden abonnementsregels aangemaakt met de juiste product_code die is ingevuld in het <b>custom source data</b> JSON-veld.',
|
||||||
|
'not_allowed_to_change_due_to_group_weight' => 'U mag deze instellingen niet wijzigen omdat deze een lagere groepsgewichtwaarde hebben, wat wordt gebruikt om de hiërarchie af te dwingen en privilege-escalatie te voorkomen.'
|
||||||
];
|
];
|
||||||
@@ -85,7 +85,7 @@ if ($user_data) { ?>
|
|||||||
</div>
|
</div>
|
||||||
<div class="form-group form-show-validation row justify-content-center">
|
<div class="form-group form-show-validation row justify-content-center">
|
||||||
<div class="d-flex flex-column align-items-center">
|
<div class="d-flex flex-column align-items-center">
|
||||||
<label for="user_profile_picture" class="label-input-file btn btn-black btn-round mb-4">
|
<label for="user_profile_picture" class="label-input-file btn btn-primary btn-round mb-4 text-light">
|
||||||
<span class="btn-label"><i class="fa fa-file-image"></i></span>
|
<span class="btn-label"><i class="fa fa-file-image"></i></span>
|
||||||
<?php echo __('upload_image') ?>
|
<?php echo __('upload_image') ?>
|
||||||
</label>
|
</label>
|
||||||
|
|||||||
@@ -18,7 +18,8 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php';
|
|||||||
|
|
||||||
# Check permissions
|
# Check permissions
|
||||||
$API = new API();
|
$API = new API();
|
||||||
if (!$API->checkPermissions('admin-access-control-permissions', 'RW', true)) {
|
# Only superuser can delete permission due to fact that the backend needs programming when setting a permission
|
||||||
|
if (!$API->isSuperuser()) {
|
||||||
echo 'error 401 unauthorized';
|
echo 'error 401 unauthorized';
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -46,6 +46,15 @@ $stmt = $GLOBALS['pdo']->prepare($query);
|
|||||||
$stmt->execute([$user_group_uuid]);
|
$stmt->execute([$user_group_uuid]);
|
||||||
$group_permissions = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
$group_permissions = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||||
|
|
||||||
|
$toggleDisabled = false;
|
||||||
|
if ($user_group['user_group_weight'] < $_SESSION['user']['user_group_weight']) {
|
||||||
|
$toggleDisabled = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$API->checkPermissions('admin-access-control-permissions', 'RW', true)) {
|
||||||
|
$toggleDisabled = true;
|
||||||
|
}
|
||||||
|
|
||||||
# Set breadcrumb data
|
# Set breadcrumb data
|
||||||
array_push($GLOBALS['breadCrumbArray'], array('display' => __('user_groups'), 'href' => '/accesscontrol/#user-groups'));
|
array_push($GLOBALS['breadCrumbArray'], array('display' => __('user_groups'), 'href' => '/accesscontrol/#user-groups'));
|
||||||
array_push($GLOBALS['breadCrumbArray'], array('display' => $user_group['user_group_name'], 'href' => ''));
|
array_push($GLOBALS['breadCrumbArray'], array('display' => $user_group['user_group_name'], 'href' => ''));
|
||||||
@@ -121,28 +130,35 @@ $pageNavbar->outPutNavbar();
|
|||||||
</tr>
|
</tr>
|
||||||
</tfoot>
|
</tfoot>
|
||||||
<tbody>
|
<tbody>
|
||||||
<?php
|
|
||||||
|
|
||||||
|
<?php if ($toggleDisabled) { ?>
|
||||||
|
<div class="alert alert-warning" role="alert">
|
||||||
|
<?php echo __('not_allowed_to_change_due_to_group_weight') ?>
|
||||||
|
</div>
|
||||||
|
<?php }
|
||||||
|
|
||||||
foreach ($group_permissions as $group_permissions_data) { ?>
|
foreach ($group_permissions as $group_permissions_data) { ?>
|
||||||
<tr>
|
<tr>
|
||||||
<td><?php echo $group_permissions_data['permission_name'] ?> </td>
|
<td><?php echo $group_permissions_data['permission_name'] ?> </td>
|
||||||
<td>
|
<td>
|
||||||
<label class="switch">
|
<label class="switch">
|
||||||
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="NA" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'NA') ? 'checked' : '') ?>
|
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="NA" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'NA') ? 'checked' : '') ?>
|
||||||
<?php echo ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) ? '' : 'disabled' ?>>
|
<?php echo ($toggleDisabled) ? 'disabled' : '' ?>>
|
||||||
<div class="slider"></div>
|
<div class="slider"></div>
|
||||||
</label>
|
</label>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<label class="switch">
|
<label class="switch">
|
||||||
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="RO" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'RO') ? 'checked' : '') ?>
|
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="RO" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'RO') ? 'checked' : '') ?>
|
||||||
<?php echo ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) ? '' : 'disabled' ?>>
|
<?php echo ($toggleDisabled) ? 'disabled' : '' ?>>
|
||||||
<div class="slider"></div>
|
<div class="slider"></div>
|
||||||
</label>
|
</label>
|
||||||
</td>
|
</td>
|
||||||
<td>
|
<td>
|
||||||
<label class="switch">
|
<label class="switch">
|
||||||
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="RW" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'RW') ? 'checked' : '') ?>
|
<input type="checkbox" class="checkbox" data-permission-uuid="<?= $group_permissions_data['permission_uuid'] ?>" data-user-group-uuid="<?= $group_permissions_data['user_group_uuid'] ?>" data-value="RW" data-api-url="/api/v1/access-rights/" <?php echo(($group_permissions_data['permission_value'] == 'RW') ? 'checked' : '') ?>
|
||||||
<?php echo ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) ? '' : 'disabled' ?>>
|
<?php echo ($toggleDisabled) ? 'disabled' : '' ?>>
|
||||||
<div class="slider"></div>
|
<div class="slider"></div>
|
||||||
</label>
|
</label>
|
||||||
</td>
|
</td>
|
||||||
|
|||||||
@@ -201,7 +201,7 @@ while ($row = $stmt->fetch_assoc()) {
|
|||||||
<td class=""><?php echo $permission['permission_description'] ?></td>
|
<td class=""><?php echo $permission['permission_description'] ?></td>
|
||||||
<td class="text-nowrap">
|
<td class="text-nowrap">
|
||||||
|
|
||||||
<?php if ($API->checkPermissions('admin-access-control-permissions', 'RW', true)) { ?>
|
<?php if ($API->isSuperuser()) { ?>
|
||||||
<a href="?permission_edit=<?php echo $permission['permission_uuid'] ?>" class="btn btn-primary btn-sm btn-rounded"><i class="fas fa-edit"></i></a>
|
<a href="?permission_edit=<?php echo $permission['permission_uuid'] ?>" class="btn btn-primary btn-sm btn-rounded"><i class="fas fa-edit"></i></a>
|
||||||
<?php } ?>
|
<?php } ?>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user