Merge pull request #653 from MyIgel/403-forbidden-exports
Return 403 forbidden on shifts json, atom export and ical export if api key is missing or invalid
This commit is contained in:
commit
b581da01a3
|
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
|
||||
use Engelsystem\Http\Exceptions\HttpForbidden;
|
||||
use Engelsystem\ShiftSignupState;
|
||||
|
||||
/**
|
||||
|
@ -348,17 +349,18 @@ function shift_next_controller()
|
|||
function shifts_json_export_controller()
|
||||
{
|
||||
$request = request();
|
||||
|
||||
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
|
||||
engelsystem_error('Missing key.');
|
||||
}
|
||||
|
||||
$user = auth()->apiUser('key');
|
||||
if (!$user) {
|
||||
engelsystem_error('Key invalid.');
|
||||
|
||||
if (
|
||||
!$request->has('key')
|
||||
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|
||||
|| !$user
|
||||
) {
|
||||
throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
|
||||
}
|
||||
|
||||
if (!auth()->can('shifts_json_export')) {
|
||||
engelsystem_error('No privilege for shifts_json_export.');
|
||||
throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']);
|
||||
}
|
||||
|
||||
$shifts = load_ical_shifts();
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Displays a fatal message and stops execution.
|
||||
*
|
||||
* @param string $message
|
||||
*/
|
||||
function engelsystem_error($message)
|
||||
{
|
||||
raw_output($message);
|
||||
}
|
|
@ -60,7 +60,6 @@ $includeFiles = [
|
|||
|
||||
__DIR__ . '/../includes/helper/graph_helper.php',
|
||||
__DIR__ . '/../includes/helper/message_helper.php',
|
||||
__DIR__ . '/../includes/helper/error_helper.php',
|
||||
__DIR__ . '/../includes/helper/email_helper.php',
|
||||
|
||||
__DIR__ . '/../includes/mailer/shifts_mailer.php',
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
<?php
|
||||
|
||||
use Engelsystem\Database\DB;
|
||||
use Engelsystem\Http\Exceptions\HttpForbidden;
|
||||
|
||||
/**
|
||||
* Publically available page to feed the news to feed readers
|
||||
|
@ -8,17 +9,18 @@ use Engelsystem\Database\DB;
|
|||
function user_atom()
|
||||
{
|
||||
$request = request();
|
||||
|
||||
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
|
||||
engelsystem_error('Missing key.');
|
||||
}
|
||||
|
||||
$user = auth()->apiUser('key');
|
||||
if (empty($user)) {
|
||||
engelsystem_error('Key invalid.');
|
||||
|
||||
if (
|
||||
!$request->has('key')
|
||||
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|
||||
|| empty($user)
|
||||
) {
|
||||
throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
|
||||
}
|
||||
|
||||
if (!auth()->can('atom')) {
|
||||
engelsystem_error('No privilege for atom.');
|
||||
throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
|
||||
}
|
||||
|
||||
$news = DB::select('
|
||||
|
|
|
@ -1,22 +1,25 @@
|
|||
<?php
|
||||
|
||||
use Engelsystem\Http\Exceptions\HttpForbidden;
|
||||
|
||||
/**
|
||||
* Controller for ical output of users own shifts or any user_shifts filter.
|
||||
*/
|
||||
function user_ical()
|
||||
{
|
||||
$request = request();
|
||||
|
||||
if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
|
||||
engelsystem_error('Missing key.');
|
||||
}
|
||||
|
||||
$user = auth()->apiUser('key');
|
||||
if (!$user) {
|
||||
engelsystem_error('Key invalid.');
|
||||
|
||||
if (
|
||||
!$request->has('key')
|
||||
|| !preg_match('/^[\da-f]{32}$/', $request->input('key'))
|
||||
|| !$user
|
||||
) {
|
||||
throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
|
||||
}
|
||||
|
||||
if (!auth()->can('ical')) {
|
||||
engelsystem_error('No privilege for ical.');
|
||||
throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
|
||||
}
|
||||
|
||||
$ical_shifts = load_ical_shifts();
|
||||
|
|
Loading…
Reference in New Issue