fix api security issue. layout update
Praesidiarius committed Feb 2, 2020
1 parent a9b04ba commit 00a2f19
Showing 9 changed files with 74 additions and 90 deletions.
2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -3,7 +3,7 @@
"description": "onePlace User Module",
"type": "oneplace-module",
"license": "BSD-3-Clause",
"version": "1.0.6",
"version": "1.0.7",
"keywords": [
"laminas",
"mvc",
48 changes: 14 additions & 34 deletions src/Module.php
Expand Up @@ -31,9 +31,9 @@ class Module
/**
* Module Version
*
* @since 1.0.6
* @since 1.0.7
*/
const VERSION = '1.0.6';
const VERSION = '1.0.7';

/**
* Load module config file
Expand All @@ -46,35 +46,6 @@ public function getConfig() : array
return include __DIR__ . '/../config/module.config.php';
}

/**
* Init module, add hooks
*
* @param ModuleManager $moduleManager
* @since 1.0.0
*/
public function init(ModuleManager $moduleManager)
{
// Remember to keep the init() method as lightweight as possible
$events = $moduleManager->getEventManager();
$events->attach('loadModules.post', [$this, 'modulesLoaded']);
}

/**
* Final configuration after all modules are loaded
*
* @param Event $e
* @since 1.0.0
*/
public function modulesLoaded(Event $e)
{
// This method is called once all modules are loaded.
$moduleManager = $e->getTarget();
$loadedModules = $moduleManager->getLoadedModules();

// To get the configuration from another module named 'FooModule'
$config = $moduleManager->getModule('OnePlace\User')->getConfig();
}

/**
* On Bootstrap - is executed on every page request
*
Expand Down Expand Up @@ -146,9 +117,18 @@ function($e) {
*/
$bIsApiController = stripos($aRouteInfo['controller'],'ApiController');
if(isset($_REQUEST['authkey']) && $bIsApiController !== false) {
# todo: replace with database based authkey list so keys can be revoked
if($_REQUEST['authkey'] == 'DEVRANDOMKEY') {
$bLoggedIn = true;
try {
# Do Authtoken login
$oKeysTbl = new TableGateway('core_api_key',$oDbAdapter);
$oKeyActive = $oKeysTbl->select(['token'=>$_REQUEST['authkey']]);
if(count($oKeyActive) > 0) {
$oKey = $oKeyActive->current();
if(password_verify($_REQUEST['authtoken'],$oKey->token_key)) {
$bLoggedIn = true;
}
}
} catch(\RuntimeException $e) {

}
}

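Review bot: The new token check reads `$_REQUEST['authtoken']` in the password_verify() call without the guard that the outer condition gives `authkey`, so a request carrying only `authkey` raises an undefined-index notice and hands a null secret to password_verify(); extend the outer condition to `if(isset($_REQUEST['authkey'], $_REQUEST['authtoken']) && $bIsApiController !== false) {`. The empty `catch(\RuntimeException $e) {}` fails closed, which is right for authentication, but it also hides a missing `core_api_key` table or a broken adapter, so log the exception there (`error_log($e->getMessage());` or the application's logger) so an outage is not mistaken for bad credentials. Both values are taken from `$_REQUEST`, which merges query-string and cookie input, so the secret can land in access logs and browser history; reading them from `$_POST` or a request header is the safer transport. The `select()` filters on `token` only; if `core_api_key` has an active or expiry column it belongs in that filter, since the revocation the removed todo asked for otherwise never takes effect. The enclosing closure `function($e)` starts outside the hunk.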
2 changes: 0 additions & 2 deletions view/one-place/user/user/add.phtml
@@ -1,3 +1 @@
<h1>Add new user</h1>

<?= $this->partial('partial/basicform', ['sFormName'=>$sFormName]); ?>
4 changes: 2 additions & 2 deletions view/one-place/user/user/edit.phtml
Expand Up @@ -5,13 +5,13 @@
<script>
$(function() {
$('.plc-user-permissions-selectall').on('click',function() {
$(this).parent('div').find('ul').find('input').each(function() {
$(this).parent('div').parent('div').find('.plc-user-permission-list').find('input').each(function() {
$(this).prop( "checked", true );
});
return false;
});
$('.plc-user-permissions-unselectall').on('click',function() {
$(this).parent('div').find('ul').find('input').each(function() {
$(this).parent('div').parent('div').find('.plc-user-permission-list').find('input').each(function() {
$(this).prop( "checked", false );
});
return false;
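Review bot: The rewritten selectors climb two fixed `parent('div')` levels to reach `.plc-user-permission-list`, which ties the script to the exact column nesting of permissions-add.phtml and permissions-edit.phtml and fails silently (no inputs found, nothing toggled) the next time a wrapper is added or removed; `$(this).closest('.list-group-item').find('.plc-user-permission-list input')` states the intent directly and survives re-nesting, since both partials render each module inside `<li class="list-group-item">`. The same change applies to both handlers in the hunk.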
4 changes: 0 additions & 4 deletions view/one-place/user/user/index.phtml
@@ -1,7 +1,3 @@
<?php
use Application\Controller\CoreController;
?>
<h1>User Index</h1>
<?php if($iSeatsLeft != -1) { ?>
<?php if($iSeatsLeft == 0) { ?>
<div class="alert alert-danger">You have no seats left. <a href="/store/list/seats">add more seats</a> to your licence</div>
2 changes: 0 additions & 2 deletions view/one-place/user/user/view.phtml
@@ -1,3 +1 @@
<h2>View User</h2>

<?= $this->partial('partial/viewform', ['sFormName'=>$sFormName,'oItem'=>$oUser]); ?>
12 changes: 8 additions & 4 deletions view/partial/permissions-add.phtml
Expand Up @@ -8,11 +8,15 @@
$sModule = str_replace(['\\'],['-'],$sModule); ?>
<li class="list-group-item">
<div class="row">
<div class="col-md-4">
<?=$sModule?>
<div class="col-md-3">
<?=str_replace(['OnePlace-','Controller-'],['',''],$sModule)?>
</div>
<div class="col-md-8">
<div class="row">
<div class="col-md-2">
<a href="#" class="btn btn-light plc-user-permissions-selectall">Select all</a>
<a href="#" class="btn btn-light plc-user-permissions-unselectall">Unselect all</a>
</div>
<div class="col-md-7">
<div class="row plc-user-permission-list">
<?php
foreach($aPermissonsByModules[$sModule] as $oPerm) {
$sModule = str_replace(['\\'],['-'],$sModule);
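Review bot: The display-name transformation `str_replace(['OnePlace-','Controller-'],['',''],$sModule)` is now written out in three partials (here, permissions-edit.phtml and permissions-view.phtml), so the next prefix to strip has to be found and changed three times; compute it once per iteration (`$sModuleLabel = str_replace(['OnePlace-','Controller-'], '', $sModule);`) right after the existing `$sModule = str_replace(['\\'],['-'],$sModule);` and echo the variable in all three templates. The checkbox `value` still uses the untransformed `$sModule`, which is correct, so the strip is presentation-only and should stay that way. The label is echoed unescaped; `$sModule` comes from module names rather than request input, so the risk is low, but passing it through `$this->escapeHtml(...)` keeps the template consistent with the permission rows it prints, such as `$oPerm->label`, which should get the same treatment.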
64 changes: 34 additions & 30 deletions view/partial/permissions-edit.phtml
@@ -1,37 +1,41 @@
<ul class="list-group">
<?php
# Get Partial Data
$aPermissonsByModules = $this->aPartialData['aPermissions'];
$aUserPermissions = $this->aPartialData['aUserPermissions'];
# Get Partial Data
$aPermissonsByModules = $this->aPartialData['aPermissions'];
$aUserPermissions = $this->aPartialData['aUserPermissions'];

# Print List with all Modules and Permissions
foreach(array_keys($aPermissonsByModules) as $sModule) {
$sModule = str_replace(['\\'],['-'],$sModule); ?>
<li class="list-group-item">
<div class="row">
<div class="col-md-4">
<?=$sModule?>
</div>
<div class="col-md-8">
<div class="row">
<?php
foreach($aPermissonsByModules[$sModule] as $oPerm) {
$sModule = str_replace(['\\'],['-'],$sModule);
$bHasPerm = false;
if(array_key_exists($sModule,$aUserPermissions)) {
if(array_key_exists($oPerm->permission_key,$aUserPermissions[$sModule])) {
$bHasPerm = true;
}
} ?>
<div class="col-md-4">
<input type="checkbox"<?=($bHasPerm) ? ' checked' : ''?> name="<?=$this->sFormName?>-permissions[]" value="<?=$oPerm->permission_key?>-<?=$sModule?>" />
<?=$oPerm->label?>
# Print List with all Modules and Permissions
foreach(array_keys($aPermissonsByModules) as $sModule) {
$sModule = str_replace(['\\'],['-'],$sModule); ?>
<li class="list-group-item">
<div class="row">
<div class="col-md-3">
<?=str_replace(['OnePlace-','Controller-'],['',''],$sModule)?>
</div>
<div class="col-md-2">
<a href="#" class="btn btn-light plc-user-permissions-selectall">Select all</a>
<a href="#" class="btn btn-light plc-user-permissions-unselectall">Unselect all</a>
</div>
<div class="col-md-7">
<div class="row plc-user-permission-list">
<?php
foreach($aPermissonsByModules[$sModule] as $oPerm) {
$sModule = str_replace(['\\'],['-'],$sModule);
$bHasPerm = false;
if(array_key_exists($sModule,$aUserPermissions)) {
if(array_key_exists($oPerm->permission_key,$aUserPermissions[$sModule])) {
$bHasPerm = true;
}
} ?>
<div class="col-md-4">
<input type="checkbox"<?=($bHasPerm) ? ' checked' : ''?> name="<?=$this->sFormName?>-permissions[]" value="<?=$oPerm->permission_key?>-<?=$sModule?>" />
<?=$oPerm->label?>
</div>
<?php } ?>
</div>
<?php } ?>
</div>
</div>
</div>
</li>
<?php
} ?>
</li>
<?php
} ?>
</ul>
26 changes: 15 additions & 11 deletions view/partial/permissions-view.phtml
Expand Up @@ -9,20 +9,24 @@ foreach(array_keys($aPermissonsByModules) as $sModule) { ?>
<li class="list-group-item">
<div class="row">
<div class="col-md-4">
<?=$sModule?>
<?=str_replace(['OnePlace-','Controller-'],['',''],$sModule)?>
</div>
<div class="col-md-8">
<?php foreach($aPermissonsByModules[$sModule] as $oPerm) {
$bHasPerm = false;
if(array_key_exists($sModule,$aUserPermissions)) {
if(array_key_exists($oPerm->permission_key,$aUserPermissions[$sModule])) {
$bHasPerm = true;
<div class="row">
<?php foreach($aPermissonsByModules[$sModule] as $oPerm) {
$bHasPerm = false;
if(array_key_exists($sModule,$aUserPermissions)) {
if(array_key_exists($oPerm->permission_key,$aUserPermissions[$sModule])) {
$bHasPerm = true;
}
}
}
?>
<?=($bHasPerm) ? ' <i class="fas fa-check"></i>' : ''?>
<?=$oPerm->label?>,
<?php } ?>
?>
<div class="col-md-4">
<?=($bHasPerm) ? ' <i class="fas fa-check"></i>' : ''?>
<?=$oPerm->label?>,
</div>
<?php } ?>
</div>
</div>
</div>
</li>
