Property Visibilities

2023-01-07 15:34:05 +01:00
parent 99bfd7e505
commit d115d8b970
30 changed files with 241 additions and 215 deletions


@@ -213,8 +213,8 @@ abstract class Request {
// CSRF Token
if ($this->csrfTokenRequired && $session) {
// csrf token required + external call
// if it's not a call with API_KEY, check for csrf_token
$csrfToken = $values["csrf_token"] ?? $_SERVER["HTTP_XSRF_TOKEN"] ?? null;
// if it's not a call with API_KEY, check for csrfToken
$csrfToken = $values["csrfToken"] ?? $_SERVER["HTTP_XSRF_TOKEN"] ?? null;
if (!$csrfToken || strcmp($csrfToken, $session->getCsrfToken()) !== 0) {
$this->lastError = "CSRF-Token mismatch";
http_response_code(403);
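Review bot: The token check right after the renamed lookup still compares with `strcmp`, which stops at the first differing byte and so lets the response time reveal how much of a submitted token matched; PHP's `hash_equals` is the constant-time comparison meant for secrets like this. If `$values` is decoded client input, `$values["csrfToken"]` can also arrive as a non-string, and `strcmp` on a non-string raises a TypeError under PHP 8 rather than a clean 403, so a type guard belongs in the same condition: `if (!is_string($csrfToken) || !hash_equals($session->getCsrfToken(), $csrfToken)) {`. The enclosing method starts and ends outside the hunk.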


@@ -85,7 +85,7 @@ trait Pagination {
if ($orderBy) {
$handler = $baseQuery->getHandler();
$baseTable = $handler->getTableName();
$sortColumn = DatabaseEntityHandler::getColumnName($orderBy);
$sortColumn = DatabaseEntityHandler::buildColumnName($orderBy);
$fullyQualifiedColumn = "$baseTable.$sortColumn";
$selectedColumns = $baseQuery->getSelectValues();


@@ -225,7 +225,6 @@ namespace Core\API\User {
$currentUser->hasGroup(Group::SUPPORT));
$orderBy = $this->getParam("orderBy");
$publicAttributes = ["id", "name", "fullName", "profilePicture", "email"]; // TODO: , "groupNames"];
$condition = null;
if (!$fullInfo) {
@@ -234,7 +233,7 @@ namespace Core\API\User {
new CondBool("User.confirmed")
);
if ($orderBy && !in_array($orderBy, $publicAttributes)) {
if ($orderBy && !$currentUser->canAccess(User::class, $orderBy)) {
return $this->createError("Insufficient permissions for sorting by field '$orderBy'");
}
}
@@ -255,19 +254,8 @@ namespace Core\API\User {
$users = User::findBy($userQuery);
if ($users !== false && $users !== null) {
$this->result["users"] = [];
foreach ($users as $userId => $user) {
$serialized = $user->jsonSerialize();
if (!$fullInfo && $userId !== $currentUser->getId()) {
foreach (array_keys($serialized) as $attr) {
if (!in_array($attr, $publicAttributes)) {
unset ($serialized[$attr]);
}
}
}
$this->result["users"][] = $serialized;
foreach ($users as $user) {
$this->result["users"][] = $user->jsonSerialize();
}
} else {
return $this->createError("Error fetching users: " . $sql->getLastError());
@@ -305,20 +293,10 @@ namespace Core\API\User {
$currentUser->hasGroup(Group::ADMIN) ||
$currentUser->hasGroup(Group::SUPPORT));
if (!$fullInfo) {
if (!$queriedUser["confirmed"]) {
return $this->createError("No permissions to access this user");
}
$publicAttributes = ["id", "name", "fullName", "profilePicture", "email", "groups"];
foreach (array_keys($queriedUser) as $attr) {
if (!in_array($attr, $publicAttributes)) {
unset($queriedUser[$attr]);
}
}
if (!$fullInfo && !$queriedUser["confirmed"]) {
return $this->createError("No permissions to access this user");
}
unset($queriedUser["session"]); // strip session information
$this->result["user"] = $queriedUser;
}
@@ -358,6 +336,7 @@ namespace Core\API\User {
$this->result["permissions"] = $permissions;
$this->result["user"] = $currentUser->jsonSerialize();
$this->result["session"] = $this->context->getSession()->jsonSerialize();
}
return $this->success;
@@ -575,7 +554,7 @@ namespace Core\API\User {
$tfaToken = $user->getTwoFactorToken();
$this->result["loggedIn"] = true;
$this->result["logoutIn"] = $session->getExpiresSeconds();
$this->result["csrf_token"] = $session->getCsrfToken();
$this->result["csrfToken"] = $session->getCsrfToken();
if ($tfaToken && $tfaToken->isConfirmed()) {
$this->result["2fa"] = ["type" => $tfaToken->getType()];
if ($tfaToken instanceof KeyBasedTwoFactorToken) {
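Review bot: In the hunk at @@ -255 the per-field filter that was removed knew three cases — `$fullInfo`, the caller's own record, and everyone else — but the replacement `$user->jsonSerialize()` receives no caller context, so whatever visibility it applies is necessarily the same for an admin, the user themself and an unprivileged caller; unless the serializer looks up the requesting user on its own, one of those groups now sees a different field set than before. The same shift happens in the hunk at @@ -305, where the `$publicAttributes` list (which included `groups`) is dropped and only `session` is still stripped by hand, while `$fullInfo` continues to gate the `confirmed` check alone. Since the filtering logic is no longer visible at the call site, the invariant it relies on deserves a comment where the serialized array is stored, e.g. `// field visibility is enforced by User::jsonSerialize(); nothing non-public may reach the response here`. The enclosing methods start and end outside these hunks.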