Compare commits

...

6 Commits

19 changed files with 72 additions and 75 deletions

View File

@@ -474,21 +474,21 @@ class API
$allowedMethods = ['GET', 'POST', 'PUT', 'DELETE'];
$method = $_SERVER['REQUEST_METHOD'] ?? '';
if (!in_array($method, $allowedMethods)) {
# The HTTP_X_HTTP_METHOD_OVERRIDE header is allowed for API requests because
# some web servers do not support PUT or DELETE methods by default.
# This override is only applied when the request method is POST and the header is present.
if ($method === 'POST' && isset($_POST['X-HTTP-Method-Override'])) {
$override = strtoupper($_POST['X-HTTP-Method-Override']);
if (in_array($override, $allowedMethods, true)) {
$method = $override;
}
}
if (!in_array($method, $allowedMethods, true)) {
return false;
}
# Since browser doesnt allow DELETE or PUTs from the frontend forms (apart from some javascript/ajax fuckery)
# we need to check the _method POST value.
if ($this->user_type === 'frontend' && $method === 'POST' && isset($_POST['_method'])) {
$overrideMethod = strtoupper($_POST['_method']);
if (in_array($overrideMethod, ['PUT', 'DELETE'])) {
$this->request_method = $overrideMethod;
return true;
}
}
$this->request_method = $method;
return true;
}

View File

@@ -20,7 +20,7 @@ class API_system_modules extends API
public function enableModule()
{
$module_uuid_enabled = ($this->data['module_enabled']) ? 0 : 1;
$module_uuid_enabled = ($this->data['module_enabled']) ? 1 : 0;
# Module 'system cannot be disabled'
$query = "UPDATE system_modules SET module_enabled = ? WHERE module_uuid = ? AND module_slugify != 'system'";

View File

@@ -20,14 +20,15 @@ class API_system_sources extends API
source_custom_data,
source_create_timestamp,
source_modified_timestamp)
VALUES (UUID(), ?, ?, '', '', ?, ?, ?, NULL)
VALUES (UUID(), 'inserve', ?, '', '', ?, ?, ?, NULL)
ON DUPLICATE KEY UPDATE
source_url = VALUES(source_url),
source_auth_token = VALUES(source_auth_token),
source_custom_data = VALUES(source_custom_data),
source_modified_timestamp = VALUES(source_create_timestamp)";
$stmt = $this->prepareStatement($query);
$stmt->bind_param('ssssi', $this->data['source_name'], $this->data['source_url'], $this->data['source_auth_token'], $this->data['source_custom_data'], time());
$source_modified_timestamp = time();
$stmt->bind_param('sssi', $this->data['source_url'], $this->data['source_auth_token'], $this->data['source_custom_data'], $source_modified_timestamp);
$this->executeStatement($stmt);
$stmt->close();

View File

@@ -25,7 +25,7 @@ if ($API_permissions->request_method === 'GET') {
$API_permissions->validateData($requiredFields, $optionalFields);
$permissions = $API_permissions->getPermission();
$API_permissions->apiOutput($code = 200, ['success' => $permissions], 'permission_retrieved');
$API_permissions->apiOutput($code = 200, $permissions, 'permission_retrieved');
} elseif ($API_permissions->request_method === 'POST') {

View File

@@ -11,21 +11,14 @@ if ($API_system_sources->request_method === 'POST') {
# Enable or disable a module
$API_system_sources->checkPermissions('admin-sources', 'RW');
if ($_POST['source_name'] == 'inserve') {
$requiredFields = [
'source_name' => ['type' => 'string'],
'source_url' => ['type' => 'string'],
'source_auth_token' => ['type' => 'string'],
'source_custom_data' => ['type' => 'json'],
];
} else {
$API_system_sources->apiOutput(400, ['error' => 'Error: no valid source_name posted']);
}
$API_system_sources->validateData($requiredFields);
if ($_POST['source_name'] == 'inserve') {
$API_system_sources->inserveUpdate();
}
}

View File

@@ -55,7 +55,7 @@ if ($API_usergroups->request_method === 'GET') {
$API_usergroups->checkPermissions('admin-access-control-user-groups', 'RW');
# when called from the frontend will not be forwarding to a url since when its called from the frontend it doesnt need a redirection
# when called from the frontend will not be forwarding to a url since when it's called from the frontend it doesn't need a redirection
$API_usergroups->return_url = false;
$requiredFields = ['user_group_uuid' => ['type' => 'uuid']];

View File

@@ -20,28 +20,31 @@ if ($API_users->request_method === 'GET') {
'user_email' => ['type' => 'email'],
'user_first_name' => ['type' => 'string'],
'user_last_name' => ['type' => 'string'],
'user_full_name' => ['type' => 'string'],
'user_phone_number' => ['type' => 'string'],
'user_status' => ['type' => 'enum', 'values' => ['active', 'inactive', 'banned', 'pending']],
'user_password' => ['type' => 'string'],
'user_pref_language' => ['type' => 'string'],
'user_password_reset_token' => ['type' => 'string'],
'user_password_reset_expires' => ['type' => 'int'],
'user_full_name' => ['type' => 'string'], # Does not need to be posted, set later
'user_status' => ['type' => 'enum', 'values' => ['inactive', 'banned', 'pending']],
'user_password' => ['type' => 'string'], # Does not need to be posted, set later
'user_pref_language' => ['type' => 'enum', 'values' => ['en', 'nl']],
'user_password_reset_token' => ['type' => 'string'], # Does not need to be posted, set later
'user_password_reset_expires' => ['type' => 'int'], # Does not need to be posted, set later
];
# The user will need to verify their email, the password field cannot be NULL so set an random password for now till the user resets it on when verifing there email
$optionalFields = [
'user_phone_number' => ['type' => 'string']
];
# The user will need to verify their email, the password field cannot be NULL so set a random password for now till the user resets it on when verifying there email
$random_string = substr(str_shuffle(str_repeat('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01', 64)), 0, rand(50, 64));
$user_password = password_hash($random_string, PASSWORD_BCRYPT, ["cost" => 12]);
$API_users->postedData['user_password'] = $user_password;
$API_users->postedData['user_full_name'] = trim($API_users->postedData['user_first_name'] . ' ' . $API_users->postedData['user_last_name']);
$API_users->postedData['user_pref_language'] = $API_users->postedData['user_pref_language'] ?? 'en';
$API_users->postedData['user_full_name'] = trim($_POST['user_first_name'] . ' ' . $_POST['user_last_name']);
$API_users->postedData['user_pref_language'] = $_POST['user_pref_language'] ?? 'en';
# Password reset token that will be send to the newly created user
# Password reset token that will be sent to the newly created user
$API_users->postedData['user_password_reset_token'] = bin2hex(random_bytes(32));
$API_users->postedData['user_password_reset_expires'] = time() + 86400;
$API_users->validateData($requiredFields);
$API_users->validateData($requiredFields, $optionalFields);
$API_users->createUser();
} elseif ($API_users->request_method === 'PUT') {
@@ -56,19 +59,20 @@ if ($API_users->request_method === 'GET') {
'user_first_name' => ['type' => 'string'],
'user_last_name' => ['type' => 'string'],
'user_full_name' => ['type' => 'string'],
'user_phone_number' => ['type' => 'string'],
'user_status' => ['type' => 'enum', 'values' => ['active', 'inactive', 'banned', 'pending']],
'user_pref_language' => ['type' => 'string'],
'user_pref_language' => ['type' => 'enum', 'values' => ['en', 'nl']],
];
$optionalFields = [
'user_phone_number' => ['type' => 'string'],
'user_stompable' => ['type' => 'boolean']
];
$API_users->postedData['user_full_name'] = trim($_POST['user_first_name'] . ' ' . $_POST['user_last_name']);
$API_users->postedData['user_pref_language'] = $_POST['user_pref_language'] ?? 'en';
$API_users->postedData['user_stompable'] = (bool)$_POST['user_stompable'];
$API_users->validateData($requiredFields);
$API_users->postedData['user_full_name'] = trim($API_users->postedData['user_first_name'] . ' ' . $API_users->postedData['user_last_name']);
$API_users->postedData['user_pref_language'] = $API_users->postedData['user_pref_language'] ?? 'en';
$API_users->postedData['user_stompable'] = (bool)$API_users->postedData['user_stompable'];
$API_users->validateData($requiredFields, $optionalFields);
$API_users->updateUser();
@@ -82,7 +86,6 @@ if ($API_users->request_method === 'GET') {
'user_uuid' => ['type' => 'uuid'],
];
$API_users->validateData($requiredFields);
$API_users->deleteUser();

View File

@@ -79,7 +79,7 @@ if ($device_found) {
$formBuilder->startForm();
?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/devices">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/devices/?edit=<?php echo $device_data['device_uuid']; ?>">
<input type="hidden" name="device_uuid" value="<?php echo $device_data['device_uuid'] ?>">
<div class="card-body">

View File

@@ -60,7 +60,7 @@ function makeFileTables($API, $dataFolder, $device_slugify)
<?php if ($API->checkPermissions('admin-devices-files', 'RW', true)) { ?>
<form action="/api/v1/autop/devices/files" method="post">
<input type="hidden" name="filePath" value="">
<input type="hidden" name="_method" value="DELETE">
<input type="hidden" name="X-HTTP-Method-Override" value="DELETE">
<a href="#" class="btn btn-danger btn-sm btn-rounded delete-btn" data-item-uuid="<?php echo $urlPath ?>" data-api-url="/api/v1/autop/devices/files/" data-item-name="file_name"><i class="fas fa-trash-alt"></i></a>
</form>
<?php } ?>

View File

@@ -58,7 +58,7 @@ if ($platform_data) {
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/autop/platforms/">
<input type="hidden" name="platform_uuid" value="<?php echo $platform_data["platform_uuid"] ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<div class="card-body">
<div class="form-group form-show-validation row">
<label for="platform_name" class="col-lg-3 col-md-3 col-sm-4 mt-sm-2"><?php echo __('platform_name') ?></label>

View File

@@ -55,7 +55,7 @@ $formBuilder->startForm();
if ($vendor_data) { ?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/autop/vendors">
<input type="hidden" name="vendor_uuid" value="<?php echo $vendor_data["vendor_uuid"] ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<div class="card-body">
<div class="form-group form-show-validation row">
<label for="vendor_name" class="col-lg-3 col-md-3 col-sm-4 mt-sm-2"><?php echo __('vendor_name') ?></label>

View File

@@ -60,7 +60,7 @@ $pageNavbar->outPutNavbar();
if ($admin_data) {
$formBuilder->startForm(); ?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/portal-management/users/">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/accesscontrol/?admin_view=<?php echo $user_uuid ?>">
<input type="hidden" name="user_uuid" value="<?php echo $user_uuid; ?>"/>
<div class="card-body">

View File

@@ -61,7 +61,7 @@ if ($permission_data) {
$formBuilder->startForm(); ?>
<form id="FormValidation" method="post" action="/api/v1/portal-management/permissions/">
<input type="hidden" name="_return" value="/accesscontrol/?permission_view=<?php echo $permission_uuid ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="permission_uuid" value="<?php echo $permission_uuid ?>">
<div class="card-body">
<div class="form-group form-show-validation row">

View File

@@ -53,7 +53,7 @@ $pageNavbar->outPutNavbar();
$formBuilder->startForm();
?>
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/portal-management/user-groups/">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="user_group_uuid" value="<?php echo $user_group['user_group_uuid'] ?>"/>
<input type="hidden" name="user_group_slugify" value="<?php echo $user_group['user_group_slugify'] ?>"/>
<div class="card-body">

View File

@@ -86,7 +86,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
</div>
<div class="card">
<form id="FormValidation" method="post" action="/api/v1/portal-management/configure/">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/systemconfig/#global-settings">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<div class="card-body">
@@ -175,7 +175,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
<div class="card">
<form id="FormValidation" method="post" action="/api/v1/portal-management/mail/configure/">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/systemconfig/#mail-settings">
<div class="card-body">
<div class="form-group form-show-validation row">
@@ -271,7 +271,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
</p>
<form id="FormValidation" method="post" action="/api/v1/portal-management/mail/test/">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/systemconfig/#mail-settings">
<div class="form-group form-show-validation row">
<label for="mail_to" class="col-lg-3 col-md-3 col-sm-4 mt-sm-2"><?php echo __('mail_to') ?>:</label>
@@ -308,7 +308,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
<div class="card p-3">
<form id="FormValidation" method="post" action="/api/v1/modules/">
<input type="hidden" name="portal_uuid" value="<?php echo $portal_settings['portal_uuid']; ?>">
<input type="hidden" name="_method" value="PUT">
<input type="hidden" name="X-HTTP-Method-Override" value="PUT">
<input type="hidden" name="_return" value="/systemconfig/#modules">
<table class="multi-filter-select display table table-striped table-hover" data-skip-columns="0,5">
<thead>
@@ -331,7 +331,7 @@ while ($module = $system_modules_data->fetch_assoc()) {
<td>
<label class="switch">
<input type="checkbox" class="checkbox" data-api-url="/api/v1/portal-management/modules/" data-api-data='<?php echo json_encode(['module_uuid' => $module['module_uuid'], 'module_enabled' => $module['module_enabled'] ? 0 : 1]) ?>' data-api-changevalue="module_enabled"
<input type="checkbox" class="checkbox" data-api-url="/api/v1/portal-management/modules/" data-api-data='<?php echo json_encode(['module_uuid' => $module['module_uuid'], 'module_enabled' => $module['module_enabled'] ? 1 : 0]) ?>' data-api-changevalue="module_enabled"
<?php echo(($module['module_enabled']) ? 'checked' : '') ?>
<?php echo ($API->checkPermissions('admin-modules', 'RW', true)) ? '' : 'disabled' ?>
<?php echo(($module['module_slugify'] == 'system') ? 'disabled' : '') ?>>

View File

@@ -56,9 +56,8 @@ $pageNavbar->outPutNavbar();
</div>
<form id="FormValidation" method="post" action="/api/v1/portal-management/sources/inserve/">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/portal-management/sources/inserve">
<input type="hidden" name="source_name" value="inserve">
<div class="card-body">
<div class="form-group form-show-validation row">

View File

@@ -110,7 +110,7 @@ $logo = $logos[$baseos] ?? 'server';
if ($API->checkPermissions('servers', 'RW', true)) {
$pageNavbar->AddHTMLButton(
'<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/servers/">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/servers?view=' . $server_data['server_uuid'] . '">
<input type="hidden" name="server_vm_id" value="' . $server_data['server_vm_id'] . '"/>' .
(
@@ -155,7 +155,7 @@ $pageNavbar->outPutNavbar();
<div class="col-lg-auto col-md-auto">
<table class="table table-borderless">
<form id="FormValidation" enctype="multipart/form-data" method="post" action="/api/v1/servers/">
<input type="hidden" name="_method" value="POST">
<input type="hidden" name="X-HTTP-Method-Override" value="POST">
<input type="hidden" name="_return" value="/servers?view=<?php echo $server_data['server_uuid'] ?>">
<input type="hidden" name="server_vm_id" value="<?php echo $server_data['server_vm_id'] ?>"/>
<tr>

View File

@@ -248,7 +248,7 @@ if (isset($this->jsScriptLoadData['activateCompany'])) { ?>
const params = {
company_uuid: companyUuid,
company_state: newState,
_method: 'PUT'
"X-HTTP-Method-Override": "PUT"
};
const rootStyles = getComputedStyle(document.documentElement);
@@ -641,7 +641,7 @@ if (isset($this->jsScriptLoadData['stompjes'])) { ?>
// Make the POST request to delete the device
$.post(apiUrl, {
[itemName]: itemUuid,
_method: "POST"
"X-HTTP-Method-Override": "POST"
})
.done(function (response) {
@@ -712,7 +712,7 @@ if (isset($this->jsScriptLoadData['stompjes'])) { ?>
// Make the POST request to delete the device
$.post(deleteStompOptions.apiUrl, {
[deleteStompOptions.itemName]: deleteStompOptions.itemUuid,
_method: "DELETE"
"X-HTTP-Method-Override": "DELETE"
})
.done(function (response) {
@@ -963,7 +963,7 @@ if (isset($this->jsScriptLoadData['delete_confirmation'])) { ?>
// Make the POST request to delete the item
$.post(apiUrl, {
[itemName]: itemUuid,
_method: "DELETE"
"X-HTTP-Method-Override": "DELETE"
})
.done(function (response) {
@@ -1154,7 +1154,7 @@ if (isset($this->jsScriptLoadData['updateToggle'])) { ?>
}
// Add method override
dataObj._method = 'PUT';
dataObj['X-HTTP-Method-Override'] = 'PUT';
// Convert to URL-encoded string
const formBody = new URLSearchParams(dataObj).toString();
@@ -1169,8 +1169,8 @@ if (isset($this->jsScriptLoadData['updateToggle'])) { ?>
});
if (response.ok) {
// Remove _method before saving back
delete dataObj._method;
// Remove X-HTTP-Method-Override before saving back
delete dataObj['X-HTTP-Method-Override']
input.setAttribute('data-api-data', JSON.stringify(dataObj));
} else {
input.checked = !input.checked; // revert toggle
@@ -1209,7 +1209,7 @@ if (isset($this->jsScriptLoadData['updatePermissions'])) { ?>
formData.append('permission_uuid', permissionUUID);
formData.append('user_group_uuid', userGroupUUID);
formData.append('permission_value', permissionValue);
formData.append('_method', 'PUT')
formData.append('X-HTTP-Method-Override', 'PUT')
try {
const response = await fetch(apiUrl, {

1
sql-update-1.2.3.sql Normal file
View File

@@ -0,0 +1 @@
ALTER TABLE `system_users` CHANGE COLUMN `user_pref_language` `user_pref_language` ENUM("en","nl") NOT NULL DEFAULT 'en' COLLATE 'utf8mb4_general_ci' AFTER `user_login_attempts`;