From 5ab81670f267e82b483125f4003447bbf3f462bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20M=C3=BCller?= <p.mueller@pcsg.de>
Date: Wed, 1 Feb 2017 12:10:32 +0100
Subject: [PATCH] feat: Permission-Abfrage bei Ajax-Requests
---
ajax/deleteKeys.php | 16 ++++++++++++++--
ajax/generateKey.php | 23 ++++++++++++++++-------
ajax/getKey.php | 18 ++++++++++++++----
ajax/getKeys.php | 18 +++++++++++++++---
ajax/regenerateRecoveryKeys.php | 18 ++++++++++++++----
5 files changed, 73 insertions(+), 20 deletions(-)
diff --git a/ajax/deleteKeys.php b/ajax/deleteKeys.php
index 468bf33..8f09a07 100644
--- a/ajax/deleteKeys.php
+++ b/ajax/deleteKeys.php
@@ -11,10 +11,22 @@
QUI::$Ajax->registerFunction(
'package_quiqqer_authgoogle2fa_ajax_deleteKeys',
function ($userId, $titles) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $titles = Orthos::clearArray(json_decode($titles, true));
+ $Users = QUI::getUsers();
+ $AuthUser = $Users->get((int)$userId);
+ $titles = Orthos::clearArray(json_decode($titles, true));
+ $SessionUser = QUI::getUserBySession();
// @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
try {
$secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
diff --git a/ajax/generateKey.php b/ajax/generateKey.php
index 208bf19..66364ab 100644
--- a/ajax/generateKey.php
+++ b/ajax/generateKey.php
@@ -15,16 +15,25 @@
QUI::$Ajax->registerFunction(
'package_quiqqer_authgoogle2fa_ajax_generateKey',
function ($userId, $title) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $title = Orthos::clear($title);
- $CreateUser = QUI::getUserBySession();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
+ $title = Orthos::clear($title);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
try {
$Google2FA = new Google2FA();
-
- $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
+ $secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
if (empty($secrets)) {
$secrets = array();
@@ -43,7 +52,7 @@ function ($userId, $title) {
$secrets[$title] = array(
'key' => Security::encrypt($Google2FA->generateSecretKey(32)),
'recoveryKeys' => Auth::generateRecoveryKeys(),
- 'createUserId' => $CreateUser->getId(),
+ 'createUserId' => $SessionUser->getId(),
'createDate' => date('Y-m-d H:i:s')
);
diff --git a/ajax/getKey.php b/ajax/getKey.php
index 622ef80..96a2890 100644
--- a/ajax/getKey.php
+++ b/ajax/getKey.php
@@ -15,11 +15,21 @@
QUI::$Ajax->registerFunction(
'package_quiqqer_authgoogle2fa_ajax_getKey',
function ($userId, $title) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $title = Orthos::clear($title);
- $keyData = array();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
+ $title = Orthos::clear($title);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
try {
$Google2FA = new Google2FA();
diff --git a/ajax/getKeys.php b/ajax/getKeys.php
index 98bb68c..16a5cc2 100644
--- a/ajax/getKeys.php
+++ b/ajax/getKeys.php
@@ -9,10 +9,22 @@
QUI::$Ajax->registerFunction(
'package_quiqqer_authgoogle2fa_ajax_getKeys',
function ($userId) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $keys = array();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
+
+ $keys = array();
try {
$secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
diff --git a/ajax/regenerateRecoveryKeys.php b/ajax/regenerateRecoveryKeys.php
index 71f6190..01e8ebb 100644
--- a/ajax/regenerateRecoveryKeys.php
+++ b/ajax/regenerateRecoveryKeys.php
@@ -15,11 +15,21 @@
QUI::$Ajax->registerFunction(
'package_quiqqer_authgoogle2fa_ajax_regenerateRecoveryKeys',
function ($userId, $title) {
- $AuthUser = QUI::getUsers()->get((int)$userId);
- $title = Orthos::clear($title);
- $EditUser = QUI::getUserBySession();
+ $Users = QUI::getUsers();
+ $SessionUser = QUI::getUserBySession();
+ $AuthUser = $Users->get((int)$userId);
+ $title = Orthos::clear($title);
- // @todo Check user edit permission of session user
+ if ($Users->isNobodyUser($SessionUser)) {
+ throw new QUI\Permissions\Exception(
+ QUI::getLocale()->get(
+ 'quiqqer/system',
+ 'exception.lib.user.no.edit.rights'
+ )
+ );
+ }
+
+ $SessionUser->checkEditPermission();
try {
$secrets = json_decode($AuthUser->getAttribute('quiqqer.auth.google2fa.secrets'), true);
--
GitLab