permission update, routes, etc.
This commit is contained in:
@@ -34,6 +34,7 @@ namespace Core\API\Permission {
|
||||
use Core\API\Parameter\StringType;
|
||||
use Core\API\PermissionAPI;
|
||||
use Core\Driver\SQL\Column\Column;
|
||||
use Core\Driver\SQL\Condition\CondIn;
|
||||
use Core\Driver\SQL\Condition\CondLike;
|
||||
use Core\Driver\SQL\Query\Insert;
|
||||
use Core\Driver\SQL\Strategy\UpdateStrategy;
|
||||
@@ -168,25 +169,25 @@ namespace Core\API\Permission {
|
||||
return $this->createError("This method cannot be updated.");
|
||||
}
|
||||
|
||||
$groups = $this->getParam("groups");
|
||||
if (!empty($groups)) {
|
||||
sort($groups);
|
||||
$availableGroups = Group::findAll($sql);
|
||||
foreach ($groups as $groupId) {
|
||||
$groupIds = array_unique($this->getParam("groups"));
|
||||
if (!empty($groupIds)) {
|
||||
sort($groupIds);
|
||||
$availableGroups = Group::findAll($sql, new CondIn(new Column("id"), $groupIds));
|
||||
foreach ($groupIds as $groupId) {
|
||||
if (!isset($availableGroups[$groupId])) {
|
||||
return $this->createError("Unknown group id: $groupId");
|
||||
return $this->createError("Group with id=$groupId does not exist.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($description === null) {
|
||||
$updateQuery = $sql->insert("ApiPermission", ["method", "groups", "isCore"])
|
||||
->onDuplicateKeyStrategy(new UpdateStrategy(["method"], ["groups" => $groups]))
|
||||
->addRow($method, $groups, false);
|
||||
->onDuplicateKeyStrategy(new UpdateStrategy(["method"], ["groups" => $groupIds]))
|
||||
->addRow($method, $groupIds, false);
|
||||
} else {
|
||||
$updateQuery = $sql->insert("ApiPermission", ["method", "groups", "isCore", "description"])
|
||||
->onDuplicateKeyStrategy(new UpdateStrategy(["method"], ["groups" => $groups, "description" => $description]))
|
||||
->addRow($method, $groups, false, $description);
|
||||
->onDuplicateKeyStrategy(new UpdateStrategy(["method"], ["groups" => $groupIds, "description" => $description]))
|
||||
->addRow($method, $groupIds, false, $description);
|
||||
}
|
||||
|
||||
$this->success = $updateQuery->execute() !== false;
|
||||
|
||||
@@ -67,19 +67,11 @@ namespace Core\API\Routes {
|
||||
use Core\API\Parameter\Parameter;
|
||||
use Core\API\Parameter\StringType;
|
||||
use Core\API\RoutesAPI;
|
||||
use Core\Driver\SQL\Condition\Compare;
|
||||
use Core\Driver\SQL\Condition\CondBool;
|
||||
use Core\Driver\SQL\Query\Insert;
|
||||
use Core\Driver\SQL\Query\StartTransaction;
|
||||
use Core\Objects\Context;
|
||||
use Core\Objects\DatabaseEntity\Group;
|
||||
use Core\Objects\DatabaseEntity\Route;
|
||||
use Core\Objects\Router\DocumentRoute;
|
||||
use Core\Objects\Router\RedirectPermanentlyRoute;
|
||||
use Core\Objects\Router\RedirectRoute;
|
||||
use Core\Objects\Router\RedirectTemporaryRoute;
|
||||
use Core\Objects\Router\Router;
|
||||
use Core\Objects\Router\StaticFileRoute;
|
||||
|
||||
class Fetch extends RoutesAPI {
|
||||
|
||||
@@ -419,5 +411,39 @@ namespace Core\API\Routes {
|
||||
$insert->addRow(self::getEndpoint(), [Group::ADMIN, Group::SUPPORT], "Allows users to regenerate the routing cache", true);
|
||||
}
|
||||
}
|
||||
|
||||
class Check extends RoutesAPI {
|
||||
public function __construct(Context $context, bool $externalCall) {
|
||||
parent::__construct($context, $externalCall, [
|
||||
"id" => new Parameter("id", Parameter::TYPE_INT),
|
||||
"path" => new StringType("path")
|
||||
]);
|
||||
}
|
||||
|
||||
protected function _execute(): bool {
|
||||
$sql = $this->context->getSQL();
|
||||
$routeId = $this->getParam("id");
|
||||
$route = Route::find($sql, $routeId);
|
||||
if ($route === false) {
|
||||
$this->lastError = $sql->getLastError();
|
||||
return false;
|
||||
} else if ($route === null) {
|
||||
return $this->createError("Route not found");
|
||||
}
|
||||
|
||||
$this->success = true;
|
||||
$path = $this->getParam("path");
|
||||
$this->result["match"] = $route->match($path);
|
||||
return $this->success;
|
||||
}
|
||||
|
||||
public static function getDefaultACL(Insert $insert): void {
|
||||
$insert->addRow("routes/check",
|
||||
[Group::ADMIN, Group::MODERATOR],
|
||||
"Users with this permission can see, if a route is matched with the given path for debugging purposes",
|
||||
true
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -183,14 +183,14 @@ namespace Core\API\User {
|
||||
$groups = [];
|
||||
$sql = $this->context->getSQL();
|
||||
|
||||
// TODO: Currently low-privileged users can request any groups here, so a simple privilege escalation is possible. \
|
||||
// what do? limit access to user/create to admins only?
|
||||
$requestedGroups = array_unique($this->getParam("groups"));
|
||||
if (!empty($requestedGroups)) {
|
||||
$groups = Group::findAll($sql, new CondIn(new Column("id"), $requestedGroups));
|
||||
$availableGroups = Group::findAll($sql, new CondIn(new Column("id"), $requestedGroups));
|
||||
foreach ($requestedGroups as $groupId) {
|
||||
if (!isset($groups[$groupId])) {
|
||||
if (!isset($availableGroups[$groupId])) {
|
||||
return $this->createError("Group with id=$groupId does not exist.");
|
||||
} else if ($groupId === Group::ADMIN && !$this->context->getUser()->hasGroup(Group::ADMIN)) {
|
||||
return $this->createError("You cannot create users with administrator groups.");
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -632,7 +632,7 @@ namespace Core\API\User {
|
||||
public function __construct(Context $context, bool $externalCall = false) {
|
||||
$parameters = array(
|
||||
"username" => new StringType("username", 32),
|
||||
'email' => new Parameter('email', Parameter::TYPE_EMAIL),
|
||||
"email" => new Parameter("email", Parameter::TYPE_EMAIL),
|
||||
"password" => new StringType("password"),
|
||||
"confirmPassword" => new StringType("confirmPassword"),
|
||||
);
|
||||
@@ -746,7 +746,7 @@ namespace Core\API\User {
|
||||
'fullName' => new StringType('fullName', 64, true, NULL),
|
||||
'email' => new Parameter('email', Parameter::TYPE_EMAIL, true, NULL),
|
||||
'password' => new StringType('password', -1, true, NULL),
|
||||
'groups' => new Parameter('groups', Parameter::TYPE_ARRAY, true, NULL),
|
||||
'groups' => new ArrayType('groups', Parameter::TYPE_INT, true, true, NULL),
|
||||
'confirmed' => new Parameter('confirmed', Parameter::TYPE_BOOLEAN, true, NULL)
|
||||
));
|
||||
|
||||
@@ -777,19 +777,18 @@ namespace Core\API\User {
|
||||
|
||||
$groupIds = array();
|
||||
if (!is_null($groups)) {
|
||||
$param = new Parameter('groupId', Parameter::TYPE_INT);
|
||||
|
||||
foreach ($groups as $groupId) {
|
||||
if (!$param->parseParam($groupId)) {
|
||||
$value = print_r($groupId, true);
|
||||
return $this->createError("Invalid Type for groupId in parameter groups: '$value' (Required: " . $param->getTypeName() . ")");
|
||||
}
|
||||
|
||||
$groupIds[] = $param->value;
|
||||
}
|
||||
|
||||
$groupIds = array_unique($groups);
|
||||
if ($id === $currentUser->getId() && !in_array(Group::ADMIN, $groupIds)) {
|
||||
return $this->createError("Cannot remove Administrator group from own user.");
|
||||
} else if (in_array(Group::ADMIN, $groupIds) && !$currentUser->hasGroup(Group::ADMIN)) {
|
||||
return $this->createError("You cannot add the administrator group to other users.");
|
||||
}
|
||||
|
||||
$availableGroups = Group::findAll($sql, new CondIn(new Column("id"), $groupIds));
|
||||
foreach ($groupIds as $groupId) {
|
||||
if (!isset($availableGroups[$groupId])) {
|
||||
return $this->createError("Group with id=$groupId does not exist.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user