Merge pull request #653 from MyIgel/403-forbidden-exports
Return 403 forbidden on shifts json, atom export and ical export if api key is missing or invalid
commit
b581da01a3
|
@ -1,5 +1,6 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
use Engelsystem\Http\Exceptions\HttpForbidden;
|
||||||
use Engelsystem\ShiftSignupState;
|
use Engelsystem\ShiftSignupState;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -348,17 +349,18 @@ function shift_next_controller()
|
||||||
function shifts_json_export_controller()
|
function shifts_json_export_controller()
|
||||||
{
|
{
|
||||||
$request = request();
|
$request = request();
|
||||||
|
|
||||||
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
|
|
||||||
engelsystem_error('Missing key.');
|
|
||||||
}
|
|
||||||
|
|
||||||
$user = auth()->apiUser('key');
|
$user = auth()->apiUser('key');
|
||||||
if (!$user) {
|
|
||||||
engelsystem_error('Key invalid.');
|
if (
|
||||||
|
!$request->has('key')
|
||||||
|
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|
||||||
|
|| !$user
|
||||||
|
) {
|
||||||
|
throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth()->can('shifts_json_export')) {
|
if (!auth()->can('shifts_json_export')) {
|
||||||
engelsystem_error('No privilege for shifts_json_export.');
|
throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$shifts = load_ical_shifts();
|
$shifts = load_ical_shifts();
|
||||||
|
|
|
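Review bot: In the new shifts_json_export_controller the lookup `$user = auth()->apiUser('key');` now runs before the `has('key')`/`preg_match` format check rather than after it, so apiUser() is invoked with a missing or malformed key on every request, whereas the old order only consulted the key store once the 32-hex-char format had been confirmed. Whether that matters depends on what apiUser() does with unvalidated input, which is not visible here, but validate-then-lookup is the cheaper and safer order and costs nothing in behaviour. Keep the format check as its own guard throwing `HttpForbidden`, and move `$user = auth()->apiUser('key');` together with its `!$user` check below it; the client still receives the same 403 either way. The same reordering appears in the user_atom and user_ical hunks below. shifts_json_export_controller continues past the end of this hunk.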
@ -1,11 +0,0 @@
|
||||||
<?php
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Displays a fatal message and stops execution.
|
|
||||||
*
|
|
||||||
* @param string $message
|
|
||||||
*/
|
|
||||||
function engelsystem_error($message)
|
|
||||||
{
|
|
||||||
raw_output($message);
|
|
||||||
}
|
|
|
@ -60,7 +60,6 @@ $includeFiles = [
|
||||||
|
|
||||||
__DIR__ . '/../includes/helper/graph_helper.php',
|
__DIR__ . '/../includes/helper/graph_helper.php',
|
||||||
__DIR__ . '/../includes/helper/message_helper.php',
|
__DIR__ . '/../includes/helper/message_helper.php',
|
||||||
__DIR__ . '/../includes/helper/error_helper.php',
|
|
||||||
__DIR__ . '/../includes/helper/email_helper.php',
|
__DIR__ . '/../includes/helper/email_helper.php',
|
||||||
|
|
||||||
__DIR__ . '/../includes/mailer/shifts_mailer.php',
|
__DIR__ . '/../includes/mailer/shifts_mailer.php',
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
use Engelsystem\Database\DB;
|
use Engelsystem\Database\DB;
|
||||||
|
use Engelsystem\Http\Exceptions\HttpForbidden;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Publically available page to feed the news to feed readers
|
* Publically available page to feed the news to feed readers
|
||||||
|
@ -8,17 +9,18 @@ use Engelsystem\Database\DB;
|
||||||
function user_atom()
|
function user_atom()
|
||||||
{
|
{
|
||||||
$request = request();
|
$request = request();
|
||||||
|
|
||||||
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
|
|
||||||
engelsystem_error('Missing key.');
|
|
||||||
}
|
|
||||||
|
|
||||||
$user = auth()->apiUser('key');
|
$user = auth()->apiUser('key');
|
||||||
if (empty($user)) {
|
|
||||||
engelsystem_error('Key invalid.');
|
if (
|
||||||
|
!$request->has('key')
|
||||||
|
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|
||||||
|
|| empty($user)
|
||||||
|
) {
|
||||||
|
throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth()->can('atom')) {
|
if (!auth()->can('atom')) {
|
||||||
engelsystem_error('No privilege for atom.');
|
throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$news = DB::select('
|
$news = DB::select('
|
||||||
|
|
|
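Review bot: The 403 responses in user_atom are sent with `'content-type' => 'text/text'`, which is not a registered media type; clients and proxies expect `text/plain` (ideally `text/plain; charset=utf-8`) for a plain-text error body. Both throws in this hunk should read e.g. `throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/plain']);`. The same literal is used in the user_ical hunk below. user_atom continues past the end of this hunk.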
@ -1,22 +1,25 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
use Engelsystem\Http\Exceptions\HttpForbidden;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Controller for ical output of users own shifts or any user_shifts filter.
|
* Controller for ical output of users own shifts or any user_shifts filter.
|
||||||
*/
|
*/
|
||||||
function user_ical()
|
function user_ical()
|
||||||
{
|
{
|
||||||
$request = request();
|
$request = request();
|
||||||
|
|
||||||
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
|
|
||||||
engelsystem_error('Missing key.');
|
|
||||||
}
|
|
||||||
|
|
||||||
$user = auth()->apiUser('key');
|
$user = auth()->apiUser('key');
|
||||||
if (!$user) {
|
|
||||||
engelsystem_error('Key invalid.');
|
if (
|
||||||
|
!$request->has('key')
|
||||||
|
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|
||||||
|
|| !$user
|
||||||
|
) {
|
||||||
|
throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth()->can('ical')) {
|
if (!auth()->can('ical')) {
|
||||||
engelsystem_error('No privilege for ical.');
|
throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$ical_shifts = load_ical_shifts();
|
$ical_shifts = load_ical_shifts();
|
||||||
|
|
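Review bot: The new guard in user_ical tests `!$user` while the otherwise identical guard in user_atom tests `empty($user)`; for whatever auth()->apiUser() returns these are presumably equivalent, but the three controllers now carry the same key-validation block verbatim with small drift in the null check and the content type. Extracting it into one helper that validates the key format, resolves the API user and throws HttpForbidden with the caller's content type would keep the regex, the message and the null check in one place, so a future change to the key format cannot miss one export. A one-line docblock on that helper stating that it throws HttpForbidden would also replace the three inline checks' missing documentation. user_ical continues past the end of this hunk.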