Security enhancements in API to verify admin user on certain routes.

This commit is contained in:
kiswa 2014-10-17 11:34:41 -04:00
parent 0014ab16a8
commit 374f23cbf8
4 changed files with 29 additions and 25 deletions


@ -11,7 +11,7 @@ $app->get('/boards', function() use($app, $jsonResponse) {
$app->post('/boards', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$board = R::dispense('board');
loadBoardData($board, $data);
@ -27,7 +27,7 @@ $app->post('/boards', function() use($app, $jsonResponse) {
$app->post('/boards/update', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$board = R::load('board', $data->boardId);
if ($board->id) {
$before = $board->export();
@ -45,7 +45,7 @@ $app->post('/boards/update', function() use($app, $jsonResponse) {
$app->post('/boards/remove', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$board = R::load('board', $data->boardId);
if ($board->id == $data->boardId) {
$before = $board->export();
@ -72,7 +72,7 @@ $app->post('/boards/remove', function() use($app, $jsonResponse) {
$app->post('/autoactions', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$board = R::load('board', $data->boardId);
if ($board->id) {
$autoAction = R::dispense('autoaction');
@ -93,12 +93,9 @@ $app->post('/autoactions', function() use($app, $jsonResponse) {
});
$app->get('/autoactions', function() use($app, $jsonResponse) {
if (validateToken()) {
$user = getUser();
if ($user->isAdmin) {
$actions = R::findAll('autoaction');
$jsonResponse->addBeans($actions);
}
if (validateToken(true)) {
$actions = R::findAll('autoaction');
$jsonResponse->addBeans($actions);
}
$app->response->setBody($jsonResponse->asJson());
});
@ -106,16 +103,13 @@ $app->get('/autoactions', function() use($app, $jsonResponse) {
$app->post('/autoactions/remove', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
$user = getUser();
if ($user->isAdmin) {
$autoAction = R::load('autoaction', $data->actionId);
R::trash($autoAction);
if (validateToken(true)) {
$autoAction = R::load('autoaction', $data->actionId);
R::trash($autoAction);
$actions = R::findAll('autoaction');
$jsonResponse->addBeans($actions);
$jsonResponse->addAlert('success', 'Automatic action removed.');
}
$actions = R::findAll('autoaction');
$jsonResponse->addBeans($actions);
$jsonResponse->addAlert('success', 'Automatic action removed.');
}
$app->response->setBody($jsonResponse->asJson());
});
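Review bot: In the rewritten `/autoactions/remove` handler the bean returned by `R::load('autoaction', $data->actionId)` is trashed and 'Automatic action removed.' is reported without ever checking `$autoAction->id`, whereas the neighbouring `/boards/update` and `/boards/remove` handlers in this same file guard on `$board->id` before acting. For an unknown or missing actionId the load presumably yields an empty bean, so the client would get a success alert for a removal that did nothing. Wrap the trash and the alert in `if ($autoAction->id) { … }` to match the other handlers, and consider an error alert in the else branch. The `/autoactions/remove` handler is complete within this hunk.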


@ -218,7 +218,7 @@ function updateUsername($user, $data) {
}
// Validate a provided JWT.
function validateToken() {
function validateToken($requireAdmin = false) {
global $jsonResponse, $app;
$retVal = false;
@ -229,6 +229,16 @@ function validateToken() {
$jsonResponse->message = 'Invalid token.';
$app->response->setStatus(401);
}
if ($retVal && $requireAdmin) {
$user = getUser();
if (!$user->isAdmin) {
clearDbToken();
$jsonResponse->message = 'Insufficient user privileges.';
$app->response->setStatus(401);
}
}
return $retVal;
}
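Review bot: A valid-token caller who is not an admin still gets `true` back from `validateToken(true)`: the added `if (!$user->isAdmin)` branch sets the 401 status and the 'Insufficient user privileges.' message but never changes `$retVal`, so every route this commit gates with `if (validateToken(true))` (the /boards, /autoactions, /items/remove, /actions and /users handlers) would still execute its body and merely return the result with a 401 status. The fix is one line inside that branch, next to the setStatus call: `$retVal = false;`. A failed privilege check on an otherwise valid token is conventionally a 403 rather than a 401; if 401 is kept deliberately, a short comment saying so would stop the next reader from "fixing" it. Calling `clearDbToken()` here appears to invalidate the caller's session entirely rather than just denying this request — confirm that is intended. The signature of validateToken is in the previous hunk and the middle of its body (the token check that sets `$retVal`) lies between the two hunks.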


@ -227,7 +227,7 @@ $app->post('/items/:itemId/upload/remove', function($itemId) use ($app, $jsonRes
$app->post('/items/remove', function() use ($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$item = R::load('item', $data->itemId);
if ($item->id) {
$before = $item->export();


@ -110,7 +110,7 @@ $app->post('/updateboard', function() use($app, $jsonResponse) {
// Get all user actions
$app->get('/actions', function() use($app, $jsonResponse) {
if (validateToken()) {
if (validateToken(true)) {
$actions = R::findAll('activity', ' order by timestamp desc ');
$jsonResponse->addBeans($actions);
}
@ -147,7 +147,7 @@ $app->get('/users', function() use($app, $jsonResponse) {
$app->post('/users', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$nameTaken = R::findOne('user', ' username = ?', [$data->username]);
if (null != $nameTaken) {
@ -177,7 +177,7 @@ $app->post('/users', function() use($app, $jsonResponse) {
$app->post('/users/update', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$user = R::load('user', $data->userId);
$actor = getUser();
if ($user->id && $actor->isAdmin) {
@ -207,7 +207,7 @@ $app->post('/users/update', function() use($app, $jsonResponse) {
$app->post('/users/remove', function() use($app, $jsonResponse) {
$data = json_decode($app->environment['slim.input']);
if (validateToken()) {
if (validateToken(true)) {
$user = R::load('user', $data->userId);
$actor = getUser();
if ($user->id == $data->userId && $actor->isAdmin) {
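Review bot: The `/users/update` and `/users/remove` handlers now call `validateToken(true)` but still do their own `$actor = getUser(); … $actor->isAdmin` check, while the `/users` create handler and `/actions` in the same file rely on `validateToken(true)` alone; the file should settle which layer owns the admin decision. As written the inner checks cost a second `getUser()` lookup per request and are either redundant (if `validateToken(true)` reliably returns false for non-admins) or the only effective guard on these two routes (if it does not), which a reader cannot tell from the call site. If they are kept as defence in depth, say so with `// validateToken(true) already rejects non-admins; kept as a second guard.` above each `$actor` line, otherwise drop them so all four routes read the same way. Both handlers continue past the end of their hunks.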