Add permissions checking to API/Logs. Fixes unprivileged user being able to add/edit/delete/view logs.
Isaac Connor committed Oct 6, 2022
1 parent cb3fc59 commit 34ffd92
Showing 1 changed file with 29 additions and 0 deletions.
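--- a/web/api/app/Controller/LogsController.php
+++ b/web/api/app/Controller/LogsController.php
@@ -20,6 +20,17 @@ class LogsController extends AppController {
 'paramType' => 'querystring'
 );
 
+public function beforeFilter() {
+parent::beforeFilter();
+global $user;
+# We already tested for auth in appController, so we just need to test for specific permission
+$canView = (!$user) || ($user['System'] != 'None');
+if (!$canView) {
+throw new UnauthorizedException(__('Insufficient Privileges'));
+return;
+}
+}
+
 /**
 * index method
 *
@@ -54,6 +65,12 @@ public function view($id = null) {
 * @return void
 */
 public function add() {
+global $user;
+$canAdd = (!$user) || (($user['System'] == 'Edit') || ZM_LOG_INJECT);
+if (!$canAdd) {
+throw new UnauthorizedException(__('Insufficient privileges'));
+return;
+}
 if ($this->request->is('post')) {
 $this->Log->create();
 if ($this->Log->save($this->request->data)) {
@@ -70,6 +87,13 @@ public function add() {
 * @return void
 */
 public function edit($id = null) {
+global $user;
+$canEdit = (!$user) || ($user['System'] == 'Edit');
+if (!$canEdit) {
+throw new UnauthorizedException(__('Insufficient privileges'));
+return;
+}
+
 if (!$this->Log->exists($id)) {
 throw new NotFoundException(__('Invalid log'));
 }
@@ -91,6 +115,11 @@ public function edit($id = null) {
 * @return void
 */
 public function delete($id = null) {
+$canDelete = (!$user) || ($user['System'] == 'Edit');
+if (!$canDelete) {
+throw new UnauthorizedException(__('Insufficient privileges'));
+return;
+}
 $this->Log->id = $id;
 if (!$this->Log->exists()) {
 throw new NotFoundException(__('Invalid log'));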
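Review bot: In the last hunk, `delete()` reads `$user` without the `global $user;` declaration that `beforeFilter()`, `add()` and `edit()` have, so inside the method `$user` is an undefined local (null), `!$user` is true, and `$canDelete` is always true — the new check never denies a delete. Add `global $user;` as the first line of `delete()`, matching the other three methods. The `return;` after each `throw new UnauthorizedException(...)` is unreachable and can be dropped in all four hunks. The `(!$user) ||` branch grants access whenever no user is loaded, which is presumably intended for the auth-disabled case; a one-line comment such as `# No user means authentication is disabled, so permission checks do not apply` would make that explicit rather than reading as a bypass. Each method's body continues outside the hunk.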
