Use 403 forbidden on shifts json, atom export and ical export

2019-09-18 14:09:30 +02:00 · 2019-09-18 14:09:30 +02:00 · fc773b25b3
parent c9ebaa972c
commit fc773b25b3
5 changed files with 31 additions and 36 deletions
--- a/includes/controller/shifts_controller.php
+++ b/includes/controller/shifts_controller.php
@ -1,5 +1,6 @@
 <?php
 use Engelsystem\Http\Exceptions\HttpForbidden;
 use Engelsystem\ShiftSignupState;
 /**
@ -348,17 +349,18 @@ function shift_next_controller()
 function shifts_json_export_controller()
 {
    $request = request();
    if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
        engelsystem_error('Missing key.');
    }
    $user = auth()->apiUser('key');
-    if (!$user) {
+
-        engelsystem_error('Key invalid.');
+    if (
        !$request->has('key')
        || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
        || !$user
    ) {
        throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
    }
    if (!auth()->can('shifts_json_export')) {
-        engelsystem_error('No privilege for shifts_json_export.');
+        throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']);
    }
    $shifts = load_ical_shifts();
--- a/includes/helper/error_helper.php
+++ b/includes/helper/error_helper.php
@ -1,11 +0,0 @@
 <?php
 /**
 * Displays a fatal message and stops execution.
 *
 * @param string $message
 */
 function engelsystem_error($message)
 {
    raw_output($message);
 }
--- a/includes/includes.php
+++ b/includes/includes.php
@ -60,7 +60,6 @@ $includeFiles = [
    __DIR__ . '/../includes/helper/graph_helper.php',
    __DIR__ . '/../includes/helper/message_helper.php',
    __DIR__ . '/../includes/helper/error_helper.php',
    __DIR__ . '/../includes/helper/email_helper.php',
    __DIR__ . '/../includes/mailer/shifts_mailer.php',
--- a/includes/pages/user_atom.php
+++ b/includes/pages/user_atom.php
@ -1,6 +1,7 @@
 <?php
 use Engelsystem\Database\DB;
 use Engelsystem\Http\Exceptions\HttpForbidden;
 /**
 * Publically available page to feed the news to feed readers
@ -8,17 +9,18 @@ use Engelsystem\Database\DB;
 function user_atom()
 {
    $request = request();
    if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
        engelsystem_error('Missing key.');
    }
    $user = auth()->apiUser('key');
-    if (empty($user)) {
+
-        engelsystem_error('Key invalid.');
+    if (
        !$request->has('key')
        || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
        || empty($user)
    ) {
        throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
    }
    if (!auth()->can('atom')) {
-        engelsystem_error('No privilege for atom.');
+        throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
    }
    $news = DB::select('
--- a/includes/pages/user_ical.php
+++ b/includes/pages/user_ical.php
@ -1,22 +1,25 @@
 <?php
 use Engelsystem\Http\Exceptions\HttpForbidden;
 /**
 * Controller for ical output of users own shifts or any user_shifts filter.
 */
 function user_ical()
 {
    $request = request();
    if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
        engelsystem_error('Missing key.');
    }
    $user = auth()->apiUser('key');
-    if (!$user) {
+
-        engelsystem_error('Key invalid.');
+    if (
        !$request->has('key')
        || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
        || !$user
    ) {
        throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
    }
    if (!auth()->can('ical')) {
-        engelsystem_error('No privilege for ical.');
+        throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
    }
    $ical_shifts = load_ical_shifts();