Projekte/web-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CSRF bugfix + ACL frontend started

Browse Source
This commit is contained in:
Roman Hergenreder 2020-06-27 01:32:32 +02:00
parent bad08af314
commit abaf2a9283
6 changed files with 84 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
core/Api/Request.class.php
View File

@ -120,7 +120,6 @@ class Request {
return false; return false;
} }
// TODO: Check this!
if($this->externalCall) { if($this->externalCall) {
$apiKeyAuthorized = false; $apiKeyAuthorized = false;
@ -136,16 +135,16 @@ class Request {
header('HTTP 1.1 401 Unauthorized'); header('HTTP 1.1 401 Unauthorized');
return false; return false;
} }
}
// CSRF Token // CSRF Token
if($this->csrfTokenRequired && !$apiKeyAuthorized) { if($this->csrfTokenRequired && !$apiKeyAuthorized) {
// csrf token required + external call // csrf token required + external call
// if it's not a call with API_KEY, check for csrf_token // if it's not a call with API_KEY, check for csrf_token
if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) { if (!isset($values["csrf_token"]) || strcmp($values["csrf_token"], $this->user->getSession()->getCsrfToken()) !== 0) {
$this->lastError = "CSRF-Token mismatch"; $this->lastError = "CSRF-Token mismatch";
header('HTTP 1.1 403 Forbidden'); header('HTTP 1.1 403 Forbidden');
return false; return false;
}
} }
} }

18
js/admin.min.js vendored
View File

File diff suppressed because one or more lines are too long

2
src/src/index.js
View File

@ -19,6 +19,7 @@ import Footer from "./footer";
import EditUser from "./views/edituser"; import EditUser from "./views/edituser";
import CreateGroup from "./views/addgroup"; import CreateGroup from "./views/addgroup";
import Settings from "./views/settings"; import Settings from "./views/settings";
import PermissionSettings from "./views/permissions";
class AdminDashboard extends React.Component { class AdminDashboard extends React.Component {
@ -92,6 +93,7 @@ class AdminDashboard extends React.Component {
let newProps = {...props, ...this.controlObj}; let newProps = {...props, ...this.controlObj};
return <EditUser {...newProps} /> return <EditUser {...newProps} />
}}/> }}/>
<Route path={"/admin/user/permissions"}><PermissionSettings {...this.controlObj}/></Route>
<Route path={"/admin/group/add"}><CreateGroup {...this.controlObj} /></Route> <Route path={"/admin/group/add"}><CreateGroup {...this.controlObj} /></Route>
<Route path={"/admin/logs"}><Logs {...this.controlObj} notifications={this.state.notifications} /></Route> <Route path={"/admin/logs"}><Logs {...this.controlObj} notifications={this.state.notifications} /></Route>
<Route path={"/admin/settings"}><Settings {...this.controlObj} /></Route> <Route path={"/admin/settings"}><Settings {...this.controlObj} /></Route>

2
src/src/views/logs.js
View File

@ -83,7 +83,7 @@ export default class Logs extends React.Component {
for (let event of dates[date]) { for (let event of dates[date]) {
let timeString = moment(event.timestamp).fromNow(); let timeString = moment(event.timestamp).fromNow();
elements.push( elements.push(
<div> <div key={"time-entry-" + event.uid}>
<Icon icon={event.icon} className={"bg-" + color}/> <Icon icon={event.icon} className={"bg-" + color}/>
<div className="timeline-item"> <div className="timeline-item">
<span className="time"><Icon icon={"clock"}/> {timeString}</span> <span className="time"><Icon icon={"clock"}/> {timeString}</span>

49
src/src/views/permissions.js Normal file
View File

@ -0,0 +1,49 @@
import * as React from "react";
import {Link} from "react-router-dom";
import Icon from "../elements/icon";
export default class PermissionSettings extends React.Component {
constructor(props) {
super(props);
this.state = {
alerts: [],
permissions: [],
groups: {}
}
}
render() {
return <>
<div className="content-header">
<div className="container-fluid">
<div className="row mb-2">
<div className="col-sm-6">
<h1 className="m-0 text-dark">API Access Control</h1>
</div>
<div className="col-sm-6">
<ol className="breadcrumb float-sm-right">
<li className="breadcrumb-item"><Link to={"/admin/dashboard"}>Home</Link></li>
<li className="breadcrumb-item"><Link to={"/admin/users"}>Users</Link></li>
<li className="breadcrumb-item active">Permissions</li>
</ol>
</div>
</div>
</div>
</div>
<div className={"content"}>
<div className={"row"}>
<div className={"col-lg-6 pl-5 pr-5"}>
<form>
<Link to={"/admin/users"} className={"btn btn-info mt-2 mr-2"}>
<Icon icon={"arrow-left"}/>
&nbsp;Back
</Link>
</form>
</div>
</div>
</div>
</>;
}
};

8
src/src/views/users.js
View File

@ -144,6 +144,14 @@ export default class UserOverview extends React.Component {
{this.createGroupCard()} {this.createGroupCard()}
</div> </div>
</div> </div>
<div className={"row"}>
<div className={"col-12"}>
<Link to={"/admin/user/permissions"} className={"btn btn-primary"}>
<Icon icon={"user-check"} className={"mr-2"}/>
Edit Permissions
</Link>
</div>
</div>
</div> </div>
</div> </div>
<ReactTooltip /> <ReactTooltip />