CSRF bugfix + ACL frontend started

2020-06-27 01:32:32 +02:00 · 2020-06-27 01:32:32 +02:00 · abaf2a9283
commit abaf2a9283
parent bad08af314
6 changed files with 84 additions and 14 deletions
--- a/core/Api/Request.class.php
+++ b/core/Api/Request.class.php
@ -120,7 +120,6 @@ class Request {
      return false;
    }

-    // TODO: Check this!
    if($this->externalCall) {
      $apiKeyAuthorized = false;

@ -136,16 +135,16 @@ class Request {
          header('HTTP 1.1 401 Unauthorized');
          return false;
        }
-      }

-      // CSRF Token
-      if($this->csrfTokenRequired && !$apiKeyAuthorized) {
-        // csrf token required + external call
-        // if it's not a call with API_KEY, check for csrf_token
-        if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
-          $this->lastError = "CSRF-Token mismatch";
-          header('HTTP 1.1 403 Forbidden');
-          return false;
+        // CSRF Token
+        if($this->csrfTokenRequired && !$apiKeyAuthorized) {
+          // csrf token required + external call
+          // if it's not a call with API_KEY, check for csrf_token
+          if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
+            $this->lastError = "CSRF-Token mismatch";
+            header('HTTP 1.1 403 Forbidden');
+            return false;
+          }
        }
      }

--- a/js/admin.min.js
+++ b/js/admin.min.js
--- a/src/src/index.js
+++ b/src/src/index.js
@ -19,6 +19,7 @@ import Footer from "./footer";
 import EditUser from "./views/edituser";
 import CreateGroup from "./views/addgroup";
 import Settings from "./views/settings";
+import PermissionSettings from "./views/permissions";

 class AdminDashboard extends React.Component {

@ -92,6 +93,7 @@ class AdminDashboard extends React.Component {
                let newProps = {...props, ...this.controlObj};
                return <EditUser {...newProps} />
              }}/>
+              <Route path={"/admin/user/permissions"}><PermissionSettings {...this.controlObj}/></Route>
              <Route path={"/admin/group/add"}><CreateGroup {...this.controlObj} /></Route>
              <Route path={"/admin/logs"}><Logs {...this.controlObj} notifications={this.state.notifications} /></Route>
              <Route path={"/admin/settings"}><Settings {...this.controlObj} /></Route>
--- a/src/src/views/logs.js
+++ b/src/src/views/logs.js
@ -83,7 +83,7 @@ export default class Logs extends React.Component {
            for (let event of dates[date]) {
                let timeString = moment(event.timestamp).fromNow();
                elements.push(
-                    <div>
+                    <div key={"time-entry-" + event.uid}>
                        <Icon icon={event.icon} className={"bg-" + color}/>
                        <div className="timeline-item">
                            <span className="time"><Icon icon={"clock"}/> {timeString}</span>
--- a/src/src/views/permissions.js
+++ b/src/src/views/permissions.js
@ -0,0 +1,49 @@
+import * as React from "react";
+import {Link} from "react-router-dom";
+import Icon from "../elements/icon";
+
+export default class PermissionSettings extends React.Component {
+
+    constructor(props) {
+        super(props);
+
+        this.state = {
+            alerts: [],
+            permissions: [],
+            groups: {}
+        }
+    }
+
+    render() {
+        return <>
+            <div className="content-header">
+                <div className="container-fluid">
+                    <div className="row mb-2">
+                        <div className="col-sm-6">
+                            <h1 className="m-0 text-dark">API Access Control</h1>
+                        </div>
+                        <div className="col-sm-6">
+                            <ol className="breadcrumb float-sm-right">
+                                <li className="breadcrumb-item"><Link to={"/admin/dashboard"}>Home</Link></li>
+                                <li className="breadcrumb-item"><Link to={"/admin/users"}>Users</Link></li>
+                                <li className="breadcrumb-item active">Permissions</li>
+                            </ol>
+                        </div>
+                    </div>
+                </div>
+            </div>
+            <div className={"content"}>
+                <div className={"row"}>
+                    <div className={"col-lg-6 pl-5 pr-5"}>
+                        <form>
+                            <Link to={"/admin/users"} className={"btn btn-info mt-2 mr-2"}>
+                                <Icon icon={"arrow-left"}/>
+                                &nbsp;Back
+                            </Link>
+                        </form>
+                    </div>
+                </div>
+            </div>
+        </>;
+    }
+};
--- a/src/src/views/users.js
+++ b/src/src/views/users.js
@ -144,6 +144,14 @@ export default class UserOverview extends React.Component {
                            {this.createGroupCard()}
                        </div>
                    </div>
+                    <div className={"row"}>
+                        <div className={"col-12"}>
+                            <Link to={"/admin/user/permissions"} className={"btn btn-primary"}>
+                                <Icon icon={"user-check"} className={"mr-2"}/>
+                                Edit Permissions
+                            </Link>
+                        </div>
+                    </div>
                </div>
            </div>
            <ReactTooltip />