CSRF bugfix + ACL frontend started

This commit is contained in:
Roman Hergenreder 2020-06-27 01:32:32 +02:00
parent bad08af314
commit abaf2a9283
6 changed files with 84 additions and 14 deletions

@ -120,7 +120,6 @@ class Request {
return false;
}
// TODO: Check this!
if($this->externalCall) {
$apiKeyAuthorized = false;
@ -136,16 +135,16 @@ class Request {
header('HTTP 1.1 401 Unauthorized');
return false;
}
}
// CSRF Token
if($this->csrfTokenRequired && !$apiKeyAuthorized) {
// csrf token required + external call
// if it's not a call with API_KEY, check for csrf_token
if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
$this->lastError = "CSRF-Token mismatch";
header('HTTP 1.1 403 Forbidden');
return false;
// CSRF Token
if($this->csrfTokenRequired && !$apiKeyAuthorized) {
// csrf token required + external call
// if it's not a call with API_KEY, check for csrf_token
if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
$this->lastError = "CSRF-Token mismatch";
header('HTTP 1.1 403 Forbidden');
return false;
}
}
}
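Review bot: The token comparison on the new side (`strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0`) is not constant-time and, on PHP 8, `strcmp` throws a TypeError if the client sends `csrf_token` as an array; a safer guard is `if (!is_string($values["csrf_token"] ?? null) || !hash_equals($this->user->getSession()->getCsrfToken(), $values["csrf_token"]))`, which keeps the secret comparison timing-safe and rejects non-string input cleanly. The `header('HTTP 1.1 403 Forbidden')` and `header('HTTP 1.1 401 Unauthorized')` lines are missing the slash in `HTTP/1.1`, so PHP will not recognise them as status lines and the response most likely still leaves with status 200 plus a malformed raw header; `http_response_code(403);` is the unambiguous form. If `getSession()` can be null for an anonymous caller that did not pass API-key authorization, the chained call would fault before the comparison runs — worth confirming against the code above the hunk. The enclosing `Request` method begins before this hunk and continues after it.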

js/admin.min.js vendored


@ -19,6 +19,7 @@ import Footer from "./footer";
import EditUser from "./views/edituser";
import CreateGroup from "./views/addgroup";
import Settings from "./views/settings";
import PermissionSettings from "./views/permissions";
class AdminDashboard extends React.Component {
@ -92,6 +93,7 @@ class AdminDashboard extends React.Component {
let newProps = {...props, ...this.controlObj};
return <EditUser {...newProps} />
}}/>
<Route path={"/admin/user/permissions"}><PermissionSettings {...this.controlObj}/></Route>
<Route path={"/admin/group/add"}><CreateGroup {...this.controlObj} /></Route>
<Route path={"/admin/logs"}><Logs {...this.controlObj} notifications={this.state.notifications} /></Route>
<Route path={"/admin/settings"}><Settings {...this.controlObj} /></Route>
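Review bot: The new `/admin/user/permissions` route is added directly after the EditUser route whose closing `}}/>` is visible above it; if that route's path is a parameterised `/admin/user/:id` (not visible in this hunk) and the routes sit inside a `<Switch>`, the first match wins and `permissions` would be treated as a user id instead of reaching `PermissionSettings`. Either place the new `<Route>` before the EditUser one or make it `<Route exact path={"/admin/user/permissions"}>…</Route>` and mark the EditUser route `exact` as well. Registering the editor as a client route is not an access check — the API endpoints this view will call must enforce the ACL server-side regardless of what the router exposes. The surrounding router markup starts and ends outside this hunk.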

@ -83,7 +83,7 @@ export default class Logs extends React.Component {
for (let event of dates[date]) {
let timeString = moment(event.timestamp).fromNow();
elements.push(
<div>
<div key={"time-entry-" + event.uid}>
<Icon icon={event.icon} className={"bg-" + color}/>
<div className="timeline-item">
<span className="time"><Icon icon={"clock"}/> {timeString}</span>

@ -0,0 +1,49 @@
import * as React from "react";
import {Link} from "react-router-dom";
import Icon from "../elements/icon";
export default class PermissionSettings extends React.Component {
constructor(props) {
super(props);
this.state = {
alerts: [],
permissions: [],
groups: {}
}
}
render() {
return <>
<div className="content-header">
<div className="container-fluid">
<div className="row mb-2">
<div className="col-sm-6">
<h1 className="m-0 text-dark">API Access Control</h1>
</div>
<div className="col-sm-6">
<ol className="breadcrumb float-sm-right">
<li className="breadcrumb-item"><Link to={"/admin/dashboard"}>Home</Link></li>
<li className="breadcrumb-item"><Link to={"/admin/users"}>Users</Link></li>
<li className="breadcrumb-item active">Permissions</li>
</ol>
</div>
</div>
</div>
</div>
<div className={"content"}>
<div className={"row"}>
<div className={"col-lg-6 pl-5 pr-5"}>
<form>
<Link to={"/admin/users"} className={"btn btn-info mt-2 mr-2"}>
<Icon icon={"arrow-left"}/>
&nbsp;Back
</Link>
</form>
</div>
</div>
</div>
</>;
}
};
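Review bot: `render()` never reads the `alerts`, `permissions` or `groups` state the constructor initialises, and nothing populates them, so this view is a static placeholder; say so on the class, e.g. `// TODO: load permissions and groups from the API and render the ACL matrix; this view is a static shell until then`, so a reader does not assume the page already reflects server-side permissions. The `<form>` wraps only a `Link`; if it is meant to host the upcoming inputs, add `onSubmit={(e) => e.preventDefault()}` now so pressing Enter in a future field does not trigger a full page submit, otherwise drop the element. The trailing `;` after the class body on the last line is a stray empty statement and should be removed.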

@ -144,6 +144,14 @@ export default class UserOverview extends React.Component {
{this.createGroupCard()}
</div>
</div>
<div className={"row"}>
<div className={"col-12"}>
<Link to={"/admin/user/permissions"} className={"btn btn-primary"}>
<Icon icon={"user-check"} className={"mr-2"}/>
Edit Permissions
</Link>
</div>
</div>
</div>
</div>
<ReactTooltip />