Compare commits

..

7 Commits

14 changed files with 74 additions and 28 deletions

View File

@@ -120,4 +120,13 @@ class API_permissions extends API
return $access_rights;
}
public function getUserGroupPermissions()
{
list($query, $types, $params) = $this->buildDynamicQuery('system_user_group_permissions');
$items = $this->generalGetFunction($query, $types, $params, false, 'userGroupPermissions');
return ($items);
}
}

View File

@@ -18,4 +18,14 @@ class API_portalsettings extends API
$this->apiOutput(200, ['success' => 'portal settings updated successfully.']);
}
}
public function getPortalSettings()
{
list($query, $types, $params) = $this->buildDynamicQuery('system_settings');
$items = $this->generalGetFunction($query, $types, $params, false, 'Settings');
return ($items);
}
}

View File

@@ -11,6 +11,7 @@ class API_servers extends API
{
public function getServers($returnBoolean = false)
{
list($query, $types, $params) = $this->buildDynamicQuery('servers');
$items = $this->generalGetFunction($query, $types, $params, $returnBoolean, 'Server');

View File

@@ -12,7 +12,7 @@ class API_system_modules extends API
{
list($query, $types, $params) = $this->buildDynamicQuery('system_modules');
$items = $this->generalGetFunction($query, $types, $params, $returnBoolean, 'Permission');
$items = $this->generalGetFunction($query, $types, $params, $returnBoolean, 'Modules');
return $items;
}

View File

@@ -6,7 +6,6 @@ session_start();
require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_companies.php';
# Check permissions
$API_companies = new API_companies();

View File

@@ -7,7 +7,16 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_portalsettings.php';
$API_portalsettings = new API_portalsettings();
if ($API_portalsettings->request_method === 'PUT') {
if ($API_portalsettings->request_method === 'GET') {
$API_portalsettings->checkPermissions('admin-portalsettings', 'RO');
$portalSettings = $API_portalsettings->getPortalSettings();
if ($portalSettings !== null) {
unset($portalSettings[0]["mail_smtp_pass"]);
}
$API_portalsettings->apiOutput($code = 200, ['success' => $portalSettings]);
} elseif ($API_portalsettings->request_method === 'PUT') {
# Edit the portal settings of the platform

View File

@@ -11,7 +11,11 @@ $API_permissions = new API_permissions();
$API_usergroups = new API_usergroups();
if ($API_permissions->request_method === 'GET') {
# to be made, get all the access-rights and implement the builder
$API_usergroups->checkPermissions('admin-access-control-permissions', 'RO');
$permissions = $API_permissions->getUserGroupPermissions();
$API_permissions->apiOutput($code = 200, ['success' => $permissions]);
} elseif ($API_permissions->request_method === 'PUT') {
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection

View File

@@ -8,16 +8,11 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_system_modules.php';
$API_system_modules = new API_system_modules();
if ($API_system_modules->request_method === 'GET') {
# this part here is not tested (the whole GET part)
$API_system_modules->checkPermissions('admin-modules', 'RO');
$requiredFields = [];
$API_system_modules->validateData($requiredFields);
$modules = $API_system_modules->getModules();
$API_system_modules->apiOutput($code = 200, ['success' => $modules], '');
} elseif ($API_system_modules->request_method === 'PUT') {
# Enable or disable a module
$API_system_modules->checkPermissions('admin-modules', 'RW');

View File

@@ -9,24 +9,11 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_permissions.php';
$API_permissions = new API_permissions();
if ($API_permissions->request_method === 'GET') {
# Retrieve all the permissions a user and return them.
$API_permissions->checkPermissions('admin-access-control-permissions', 'RO');
$requiredFields = [];
$optionalFields = [
'permission_uuid' => ['type' => 'uuid'],
'permission_name' => ['type' => 'string'],
'permission_slugify' => ['type' => 'slugify'],
'permission_description' => ['type' => 'string'],
'permission_create_timestamp' => ['type' => 'timestamp'],
'permission_modified_timestamp' => ['type' => 'timestamp']
];
$API_permissions->validateData($requiredFields, $optionalFields);
$permissions = $API_permissions->getPermission();
$API_permissions->apiOutput($code = 200, $permissions, 'permission_retrieved');
$API_permissions->apiOutput($code = 200, ['success' => $permissions], 'permission_retrieved');
} elseif ($API_permissions->request_method === 'POST') {
# Only superuser can create permission due to fact that the backend needs programming when setting a permission

View File

@@ -9,9 +9,11 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_usergroups.php';
$API_usergroups = new API_usergroups();
if ($API_usergroups->request_method === 'GET') {
$API_usergroups->checkPermissions('admin-access-control-user-groups', 'RO');
# GET a user group(s)
$userGroups = $API_usergroups->getUserGroup();
$API_usergroups->apiOutput($code = 200, ['success' => $userGroups], '');
} elseif ($API_usergroups->request_method === 'POST') {
# Create a new user group

View File

@@ -8,8 +8,27 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/api/classes/API_users.php';
$API_users = new API_users();
if ($API_users->request_method === 'GET') {
#echo json_encode($api->getAllUsers());
$API_users->checkPermissions('admin-access-admins', 'RO');
$users = $API_users->getUser();
$removeFields = [
'user_profile_picture_thumbnail',
'user_password',
'user_password_reset_token',
'user_two_factor_secret',
'user_profile_picture',
'user_profile_picture_thumbnail'
];
foreach ($users as &$user) {
foreach ($removeFields as $field) {
unset($user[$field]);
}
}
unset($user);
$API_users->apiOutput($code = 200, ['success' => $users], '');
} elseif ($API_users->request_method === 'POST') {
# create a new user

View File

@@ -13,7 +13,13 @@ if (!$GLOBALS['modules_enabled']['servers']) {
exit;
}
if ($API_servers->request_method === 'POST') {
if ($API_servers->request_method === 'GET') {
$API_servers->checkPermissions('servers', 'RO');
$servers = $API_servers->getServers();
$API_servers->apiOutput($code = 200, ['success' => $servers], '');
} elseif ($API_servers->request_method === 'POST') {
$API_servers->checkPermissions('servers', 'RW');
$requiredFields = [

View File

@@ -19,7 +19,7 @@ if ($API_apitoken->request_method === 'GET') {
$API_apitoken->validateData($requiredFields);
$API_apitoken->checkTokenPermissions($API_apitoken->data['user_uuid']);
$API_apitoken->checkTokenPermissions();
$apitokens = $API_apitoken->getTokens();

View File

@@ -3,3 +3,8 @@ UPDATE `sentri`.`system_permissions` SET `permission_name`='office-stompjes-cans
UPDATE `sentri`.`system_permissions` SET `permission_name`='office-stompjes' WHERE `permission_uuid`='11abc93d-c265-11f0-95da-7e99ed98b725';
UPDATE `sentri`.`system_permissions` SET `permission_slugify`='office-stompjes' WHERE `permission_uuid`='11abc93d-c265-11f0-95da-7e99ed98b725';
UPDATE `sentri`.`system_permissions` SET `permission_slugify`='office-stompjes-canstomp' WHERE `permission_uuid`='5f284b11-de7c-11f0-9d57-00155d00153f';
UPDATE `sentri`.`system_permissions` SET `permission_description`='Users with read-write (RW) permissions can stomp other users content but cannot delete stomps. Read-only (RO) permissions have no effect.' WHERE `permission_uuid`='5f284b11-de7c-11f0-9d57-00155d00153f';
UPDATE `sentri`.`system_permissions` SET `permission_description`='Grants access to modify the mail settings. It is advisable to restrict this permission to only the highest-level administrators.' WHERE `permission_uuid`='7588d486-3100-11f0-9300-7e99ed98b725';
UPDATE `sentri`.`system_permissions` SET `permission_description`='Grants access to modify the global settings. It is advisable to restrict this permission to only the highest-level administrators.' WHERE `permission_uuid`='1d018159-3109-11f0-9300-7e99ed98b725';
UPDATE `sentri`.`system_permissions` SET `permission_description`='Grants access to manage groups. Read/Write (RW) access allows users to create, modify, and delete groups. Read-Only (RO) access permits viewing groups without making changes.' WHERE `permission_uuid`='32541357-3814-11f0-9300-7e99ed98b725';
UPDATE `sentri`.`system_permissions` SET `permission_description`='superuser can create or delete permissions, regardless of a group's Read-Write (RW) access. While RW access allows a group to modify all existing permissions, it does not permit the creation or deletion of them. Use caution when assigning RW access only the highest-level administrative group should be granted this permission, as it effectively provides control over the entire portal.' WHERE `permission_uuid`='32541357-3814-11f0-9300-7e99ed98b725';