web-base/Core/API/PermissionAPI.class.php

261 lines
7.8 KiB
PHP
Raw Normal View History

2020-06-27 01:18:10 +02:00
<?php
2022-11-18 18:06:46 +01:00
namespace Core\API {
2020-06-27 01:18:10 +02:00
2022-11-18 18:06:46 +01:00
use Core\Objects\Context;
2022-11-20 17:13:53 +01:00
use Core\Objects\DatabaseEntity\Group;
2022-06-20 19:52:31 +02:00
2020-07-01 21:10:25 +02:00
abstract class PermissionAPI extends Request {
2022-06-20 19:52:31 +02:00
public function __construct(Context $context, bool $externalCall = false, array $params = array()) {
parent::__construct($context, $externalCall, $params);
}
2021-11-11 14:25:26 +01:00
protected function checkStaticPermission(): bool {
2024-03-27 15:15:46 +01:00
// hardcoded permission checking
2022-06-20 19:52:31 +02:00
$user = $this->context->getUser();
2022-11-20 17:13:53 +01:00
if (!$user || !$user->hasGroup(Group::ADMIN)) {
2020-06-27 01:18:10 +02:00
return $this->createError("Permission denied.");
}
return true;
}
2024-03-27 15:15:46 +01:00
protected function isRestricted(string $method): bool {
return in_array(strtolower($method), ["permission/update", "permission/delete"]);
}
2020-06-27 01:18:10 +02:00
}
}
2022-11-18 18:06:46 +01:00
namespace Core\API\Permission {
2024-03-27 15:15:46 +01:00
use Core\API\Parameter\ArrayType;
2022-11-18 18:06:46 +01:00
use Core\API\Parameter\Parameter;
use Core\API\Parameter\StringType;
use Core\API\PermissionAPI;
use Core\Driver\SQL\Column\Column;
2024-03-27 20:50:57 +01:00
use Core\Driver\SQL\Condition\CondIn;
2022-11-18 18:06:46 +01:00
use Core\Driver\SQL\Condition\CondLike;
2023-01-16 21:47:23 +01:00
use Core\Driver\SQL\Query\Insert;
2022-11-18 18:06:46 +01:00
use Core\Driver\SQL\Strategy\UpdateStrategy;
use Core\Objects\Context;
use Core\Objects\DatabaseEntity\Group;
2020-06-27 01:18:10 +02:00
class Check extends PermissionAPI {
2022-06-20 19:52:31 +02:00
public function __construct(Context $context, bool $externalCall = false) {
parent::__construct($context, $externalCall, array(
2020-06-27 01:18:10 +02:00
'method' => new StringType('method', 323)
));
$this->isPublic = false;
}
2022-02-21 13:01:03 +01:00
public function _execute(): bool {
2020-06-27 01:18:10 +02:00
$method = $this->getParam("method");
2022-06-20 19:52:31 +02:00
$sql = $this->context->getSQL();
2020-06-27 01:18:10 +02:00
$res = $sql->select("groups")
->from("ApiPermission")
2021-11-11 14:25:26 +01:00
->where(new CondLike($method, new Column("method")))
2020-06-27 01:18:10 +02:00
->execute();
$this->success = ($res !== FALSE);
$this->lastError = $sql->getLastError();
if ($this->success) {
2021-11-11 14:25:26 +01:00
if (empty($res) || !is_array($res)) {
2020-06-27 01:18:10 +02:00
return true;
}
$groups = json_decode($res[0]["groups"]);
if (empty($groups)) {
return true;
}
2022-06-20 19:52:31 +02:00
$currentUser = $this->context->getUser();
$userGroups = $currentUser ? $currentUser->getGroups() : [];
if (empty($userGroups) || empty(array_intersect($groups, array_keys($userGroups)))) {
if (!$currentUser) {
$this->result["loggedIn"] = false;
}
2021-12-08 16:53:43 +01:00
http_response_code(401);
2020-06-27 01:18:10 +02:00
return $this->createError("Permission denied.");
}
2023-01-16 21:47:23 +01:00
// user would have required groups, check for 2fa-state
if ($currentUser && !$this->check2FA()) {
http_response_code(401);
return false;
2023-01-16 21:47:23 +01:00
}
2020-06-27 01:18:10 +02:00
}
return $this->success;
}
}
class Fetch extends PermissionAPI {
2022-06-20 19:52:31 +02:00
private ?array $groups;
2020-06-27 01:18:10 +02:00
2022-06-20 19:52:31 +02:00
public function __construct(Context $context, bool $externalCall = false) {
parent::__construct($context, $externalCall, array());
2020-06-27 01:18:10 +02:00
}
2022-06-20 19:52:31 +02:00
private function fetchGroups(): bool {
$sql = $this->context->getSQL();
$this->groups = Group::findAll($sql);
$this->success = ($this->groups !== FALSE);
2020-06-27 01:18:10 +02:00
$this->lastError = $sql->getLastError();
return $this->success;
}
2022-02-21 13:01:03 +01:00
public function _execute(): bool {
2020-06-27 01:18:10 +02:00
if (!$this->fetchGroups()) {
return false;
}
2022-06-20 19:52:31 +02:00
$sql = $this->context->getSQL();
2024-03-29 16:37:42 +01:00
$res = $sql->select("method", "groups", "description", "is_core")
2020-06-27 01:18:10 +02:00
->from("ApiPermission")
->execute();
$this->success = ($res !== FALSE);
$this->lastError = $sql->getLastError();
if ($this->success) {
2024-03-27 14:12:01 +01:00
$permissions = [];
2020-06-27 01:18:10 +02:00
foreach ($res as $row) {
$method = $row["method"];
2020-06-27 22:47:12 +02:00
$description = $row["description"];
2020-06-27 01:18:10 +02:00
$groups = json_decode($row["groups"]);
2024-03-29 16:37:42 +01:00
$isCore = $row["is_core"];
2024-03-27 14:12:01 +01:00
$permissions[] = [
2020-06-27 22:47:12 +02:00
"method" => $method,
"groups" => $groups,
2024-03-27 14:12:01 +01:00
"description" => $description,
2024-03-29 16:37:42 +01:00
"is_core" => $isCore
2024-03-27 14:12:01 +01:00
];
2020-06-27 01:18:10 +02:00
}
$this->result["permissions"] = $permissions;
$this->result["groups"] = $this->groups;
}
return $this->success;
}
2023-01-16 21:47:23 +01:00
public static function getDefaultACL(Insert $insert): void {
2024-03-27 14:12:01 +01:00
$insert->addRow(self::getEndpoint(), [Group::ADMIN], "Allows users to fetch API permissions", true);
2023-01-16 21:47:23 +01:00
}
2020-06-27 01:18:10 +02:00
}
2024-03-27 15:15:46 +01:00
class Update extends PermissionAPI {
2022-06-20 19:52:31 +02:00
public function __construct(Context $context, bool $externalCall = false) {
2024-03-27 15:15:46 +01:00
parent::__construct($context, $externalCall, [
"method" => new StringType("method", 32, false),
"groups" => new ArrayType("groups", Parameter::TYPE_INT, true, false),
"description" => new StringType("description", 128, true, null),
]);
2020-06-27 01:18:10 +02:00
}
2024-03-27 15:15:46 +01:00
protected function _execute(): bool {
2020-06-27 01:18:10 +02:00
if (!$this->checkStaticPermission()) {
return false;
}
2022-06-20 19:52:31 +02:00
$sql = $this->context->getSQL();
2024-03-27 15:15:46 +01:00
$method = $this->getParam("method");
$description = $this->getParam("description");
if ($this->isRestricted($method)) {
return $this->createError("This method cannot be updated.");
}
2024-03-27 20:50:57 +01:00
$groupIds = array_unique($this->getParam("groups"));
if (!empty($groupIds)) {
sort($groupIds);
$availableGroups = Group::findAll($sql, new CondIn(new Column("id"), $groupIds));
foreach ($groupIds as $groupId) {
2024-03-27 15:15:46 +01:00
if (!isset($availableGroups[$groupId])) {
2024-03-27 20:50:57 +01:00
return $this->createError("Group with id=$groupId does not exist.");
2024-03-27 15:15:46 +01:00
}
2020-06-27 22:47:12 +02:00
}
}
2024-03-27 15:15:46 +01:00
if ($description === null) {
2024-03-29 16:37:42 +01:00
$updateQuery = $sql->insert("ApiPermission", ["method", "groups", "is_core"])
2024-03-27 20:50:57 +01:00
->onDuplicateKeyStrategy(new UpdateStrategy(["method"], ["groups" => $groupIds]))
->addRow($method, $groupIds, false);
2024-03-27 15:15:46 +01:00
} else {
2024-03-29 16:37:42 +01:00
$updateQuery = $sql->insert("ApiPermission", ["method", "groups", "is_core", "description"])
2024-03-27 20:50:57 +01:00
->onDuplicateKeyStrategy(new UpdateStrategy(["method"], ["groups" => $groupIds, "description" => $description]))
->addRow($method, $groupIds, false, $description);
2020-06-27 22:47:12 +02:00
}
2024-03-27 15:15:46 +01:00
$this->success = $updateQuery->execute() !== false;
$this->lastError = $sql->getLastError();
return $this->success;
}
public static function getDefaultACL(Insert $insert): void {
$insert->addRow(
self::getEndpoint(), [Group::ADMIN],
"Allows users to modify API permissions. This is restricted to the administrator and cannot be changed",
true
);
}
}
class Delete extends PermissionAPI {
public function __construct(Context $context, bool $externalCall = false) {
parent::__construct($context, $externalCall, [
"method" => new StringType("method", 32, false),
]);
}
protected function _execute(): bool {
if (!$this->checkStaticPermission()) {
return false;
}
$sql = $this->context->getSQL();
$method = $this->getParam("method");
if ($this->isRestricted($method)) {
return $this->createError("This method cannot be deleted.");
}
$res = $sql->select("method")
->from("ApiPermission")
->whereEq("method", $method)
->execute();
2020-06-27 01:18:10 +02:00
2024-03-27 15:15:46 +01:00
$this->success = $res !== false;
$this->lastError = $sql->getLastError();
if ($this->success) {
if (!$res) {
return $this->createError("This method was not configured yet");
} else {
$res = $sql->delete("ApiPermission")
->whereEq("method", $method)
->execute();
$this->success = $res !== false;
$this->lastError = $sql->getLastError();
}
2020-06-27 22:47:12 +02:00
}
2020-06-27 01:18:10 +02:00
return $this->success;
}
2023-01-16 21:47:23 +01:00
public static function getDefaultACL(Insert $insert): void {
2024-03-27 14:12:01 +01:00
$insert->addRow(
self::getEndpoint(), [Group::ADMIN],
2024-03-27 15:15:46 +01:00
"Allows users to delete API permissions. This is restricted to the administrator and cannot be changed",
2024-03-27 14:12:01 +01:00
true
);
2023-01-16 21:47:23 +01:00
}
2020-06-27 01:18:10 +02:00
}
}