Merge pull request #653 from MyIgel/403-forbidden-exports

Return 403 forbidden on shifts json, atom export and ical export if api key is missing or invalid
msquare 2019-10-13 12:59:54 +02:00 committed by GitHub
commit b581da01a3
5 changed files with 31 additions and 36 deletions


@ -1,5 +1,6 @@
<?php <?php
use Engelsystem\Http\Exceptions\HttpForbidden;
use Engelsystem\ShiftSignupState; use Engelsystem\ShiftSignupState;
/** /**
@ -348,17 +349,18 @@ function shift_next_controller()
function shifts_json_export_controller() function shifts_json_export_controller()
{ {
$request = request(); $request = request();
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
engelsystem_error('Missing key.');
}
$user = auth()->apiUser('key'); $user = auth()->apiUser('key');
if (!$user) {
engelsystem_error('Key invalid.'); if (
!$request->has('key')
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|| !$user
) {
throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
} }
if (!auth()->can('shifts_json_export')) { if (!auth()->can('shifts_json_export')) {
engelsystem_error('No privilege for shifts_json_export.'); throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']);
} }
$shifts = load_ical_shifts(); $shifts = load_ical_shifts();
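Review bot: The new guard runs `auth()->apiUser('key')` before the key is checked for presence and format, whereas the removed code only performed the lookup once the value matched `/^[\da-f]{32}$/`; whatever apiUser does with the raw parameter (presumably a lookup by that value) now happens for every request, including malformed ones. Keeping the cheap syntactic check first and only then resolving the user preserves the old ordering while still yielding the same 403 response; user_atom and user_ical reorder the checks in the same way. shifts_json_export_controller's body continues outside the hunk.
```php
    $request = request();
    if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
        throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
    }
    $user = auth()->apiUser('key');
    if (!$user) {
        throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
    }
    // … unchanged: privilege check and shift export …
```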


@ -1,11 +0,0 @@
<?php
/**
* Displays a fatal message and stops execution.
*
* @param string $message
*/
function engelsystem_error($message)
{
raw_output($message);
}


@ -60,7 +60,6 @@ $includeFiles = [
__DIR__ . '/../includes/helper/graph_helper.php', __DIR__ . '/../includes/helper/graph_helper.php',
__DIR__ . '/../includes/helper/message_helper.php', __DIR__ . '/../includes/helper/message_helper.php',
__DIR__ . '/../includes/helper/error_helper.php',
__DIR__ . '/../includes/helper/email_helper.php', __DIR__ . '/../includes/helper/email_helper.php',
__DIR__ . '/../includes/mailer/shifts_mailer.php', __DIR__ . '/../includes/mailer/shifts_mailer.php',


@ -1,6 +1,7 @@
<?php <?php
use Engelsystem\Database\DB; use Engelsystem\Database\DB;
use Engelsystem\Http\Exceptions\HttpForbidden;
/** /**
* Publically available page to feed the news to feed readers * Publically available page to feed the news to feed readers
@ -8,17 +9,18 @@ use Engelsystem\Database\DB;
function user_atom() function user_atom()
{ {
$request = request(); $request = request();
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
engelsystem_error('Missing key.');
}
$user = auth()->apiUser('key'); $user = auth()->apiUser('key');
if (empty($user)) {
engelsystem_error('Key invalid.'); if (
!$request->has('key')
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|| empty($user)
) {
throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
} }
if (!auth()->can('atom')) { if (!auth()->can('atom')) {
engelsystem_error('No privilege for atom.'); throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
} }
$news = DB::select(' $news = DB::select('
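Review bot: `text/text` in the two HttpForbidden calls (`'content-type' => 'text/text'`) is not a registered media type; the plain-text form is `['content-type' => 'text/plain']`, and the same value is used in user_ical. The guard here tests `empty($user)` while shifts_json_export_controller and user_ical test `!$user`; the result is the same for a null return, but one form across the three controllers would read better. The docblock above user_atom does not mention the new failure mode; add `@throws HttpForbidden if the key is missing or invalid, or the user lacks the atom privilege`, and likewise on user_ical. user_atom's body continues outside the hunk.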


@ -1,22 +1,25 @@
<?php <?php
use Engelsystem\Http\Exceptions\HttpForbidden;
/** /**
* Controller for ical output of users own shifts or any user_shifts filter. * Controller for ical output of users own shifts or any user_shifts filter.
*/ */
function user_ical() function user_ical()
{ {
$request = request(); $request = request();
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
engelsystem_error('Missing key.');
}
$user = auth()->apiUser('key'); $user = auth()->apiUser('key');
if (!$user) {
engelsystem_error('Key invalid.'); if (
!$request->has('key')
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|| !$user
) {
throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
} }
if (!auth()->can('ical')) { if (!auth()->can('ical')) {
engelsystem_error('No privilege for ical.'); throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
} }
$ical_shifts = load_ical_shifts(); $ical_shifts = load_ical_shifts();