feat: Permission-Abfrage bei Ajax-Requests

5ab81670 · Patrick Müller · faa524d2 · 5ab81670 · 5ab81670 · 5ab81670
Commit 5ab81670 erstellt vor 8 Jahren von Patrick Müller
--- a/ajax/deleteKeys.php
+++ b/ajax/deleteKeys.php
@@ -11,10 +11,22 @@
 QUI::$Ajax->registerFunction(
    'package_quiqqer_authgoogle2fa_ajax_deleteKeys',
    function ($userId, $titles) {
-        $AuthUser = QUI::getUsers()->get((int)$userId);
-        $titles   = Orthos::clearArray(json_decode($titles, true));
+        $Users       = QUI::getUsers();
+        $AuthUser    = $Users->get((int)$userId);
+        $titles      = Orthos::clearArray(json_decode($titles, true));
+        $SessionUser = QUI::getUserBySession();

        // @todo Check user edit permission of session user
+        if ($Users->isNobodyUser($SessionUser)) {
+            throw new QUI\Permissions\Exception(
+                QUI::getLocale()->get(
+                    'quiqqer/system',
+                    'exception.lib.user.no.edit.rights'
+                )
+            );
+        }
+
+        $SessionUser->checkEditPermission();

        try {
            $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);

--- a/ajax/generateKey.php
+++ b/ajax/generateKey.php
@@ -15,16 +15,25 @@
 QUI::$Ajax->registerFunction(
    'package_quiqqer_authgoogle2fa_ajax_generateKey',
    function ($userId, $title) {
-        $AuthUser   = QUI::getUsers()->get((int)$userId);
-        $title      = Orthos::clear($title);
-        $CreateUser = QUI::getUserBySession();
+        $Users       = QUI::getUsers();
+        $SessionUser = QUI::getUserBySession();
+        $AuthUser    = $Users->get((int)$userId);
+        $title       = Orthos::clear($title);

-        // @todo Check user edit permission of session user
+        if ($Users->isNobodyUser($SessionUser)) {
+            throw new QUI\Permissions\Exception(
+                QUI::getLocale()->get(
+                    'quiqqer/system',
+                    'exception.lib.user.no.edit.rights'
+                )
+            );
+        }
+
+        $SessionUser->checkEditPermission();

        try {
            $Google2FA = new Google2FA();
-
-            $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
+            $secrets   = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);

            if (empty($secrets)) {
                $secrets = array();
@@ -43,7 +52,7 @@ function ($userId, $title) {
            $secrets[$title] = array(
                'key'          => Security::encrypt($Google2FA->generateSecretKey(32)),
                'recoveryKeys' => Auth::generateRecoveryKeys(),
-                'createUserId' => $CreateUser->getId(),
+                'createUserId' => $SessionUser->getId(),
                'createDate'   => date('Y-m-d H:i:s')
            );


--- a/ajax/getKey.php
+++ b/ajax/getKey.php
@@ -15,11 +15,21 @@
 QUI::$Ajax->registerFunction(
    'package_quiqqer_authgoogle2fa_ajax_getKey',
    function ($userId, $title) {
-        $AuthUser = QUI::getUsers()->get((int)$userId);
-        $title    = Orthos::clear($title);
-        $keyData  = array();
+        $Users       = QUI::getUsers();
+        $SessionUser = QUI::getUserBySession();
+        $AuthUser    = $Users->get((int)$userId);
+        $title       = Orthos::clear($title);

-        // @todo Check user edit permission of session user
+        if ($Users->isNobodyUser($SessionUser)) {
+            throw new QUI\Permissions\Exception(
+                QUI::getLocale()->get(
+                    'quiqqer/system',
+                    'exception.lib.user.no.edit.rights'
+                )
+            );
+        }
+
+        $SessionUser->checkEditPermission();

        try {
            $Google2FA = new Google2FA();

--- a/ajax/getKeys.php
+++ b/ajax/getKeys.php
@@ -9,10 +9,22 @@
 QUI::$Ajax->registerFunction(
    'package_quiqqer_authgoogle2fa_ajax_getKeys',
    function ($userId) {
-        $AuthUser = QUI::getUsers()->get((int)$userId);
-        $keys     = array();
+        $Users       = QUI::getUsers();
+        $SessionUser = QUI::getUserBySession();
+        $AuthUser    = $Users->get((int)$userId);

-        // @todo Check user edit permission of session user
+        if ($Users->isNobodyUser($SessionUser)) {
+            throw new QUI\Permissions\Exception(
+                QUI::getLocale()->get(
+                    'quiqqer/system',
+                    'exception.lib.user.no.edit.rights'
+                )
+            );
+        }
+
+        $SessionUser->checkEditPermission();
+
+        $keys = array();

        try {
            $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);

--- a/ajax/regenerateRecoveryKeys.php
+++ b/ajax/regenerateRecoveryKeys.php
@@ -15,11 +15,21 @@
 QUI::$Ajax->registerFunction(
    'package_quiqqer_authgoogle2fa_ajax_regenerateRecoveryKeys',
    function ($userId, $title) {
-        $AuthUser = QUI::getUsers()->get((int)$userId);
-        $title    = Orthos::clear($title);
-        $EditUser = QUI::getUserBySession();
+        $Users       = QUI::getUsers();
+        $SessionUser = QUI::getUserBySession();
+        $AuthUser    = $Users->get((int)$userId);
+        $title       = Orthos::clear($title);

-        // @todo Check user edit permission of session user
+        if ($Users->isNobodyUser($SessionUser)) {
+            throw new QUI\Permissions\Exception(
+                QUI::getLocale()->get(
+                    'quiqqer/system',
+                    'exception.lib.user.no.edit.rights'
+                )
+            );
+        }
+
+        $SessionUser->checkEditPermission();

        try {
            $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);