Don't allow reports via API when disabled via web #661
* Check allow_reports setting in Report API
* Also fix PHP errors when missing person params from API request
rjmackay committed Jul 3, 2012
1 parent 3301e48 commit 13ca6f4
Showing 3 changed files with 30 additions and 5 deletions.
17 changes: 15 additions & 2 deletions application/helpers/reports.php
Expand Up @@ -49,9 +49,10 @@ public static function validate(array & $post)
->add_rules('incident_description','required')
->add_rules('incident_date','required','date_mmddyyyy')
->add_rules('incident_hour','required','between[1,12]')
->add_rules('incident_minute','required','between[0,59]');
->add_rules('incident_minute','required','between[0,59]')
->add_rules('incident_ampm','required');

if ($post->incident_ampm != "am" AND $post->incident_ampm != "pm")
if (isset($post->incident_ampm) AND $post->incident_ampm != "am" AND $post->incident_ampm != "pm")
{
$post->add_error('incident_ampm','values');
}
Expand Down Expand Up @@ -117,16 +118,28 @@ public static function validate(array & $post)
{
$post->add_rules('person_first', 'length[2,100]');
}
else
{
$post->person_first = '';
}

if ( ! empty($post->person_last))
{
$post->add_rules('person_last', 'length[2,100]');
}
else
{
$post->person_last = '';
}

if ( ! empty($post->person_email))
{
$post->add_rules('person_email', 'email', 'length[3,100]');
}
else
{
$post->person_email = '';
}

$post->add_rules('location_id','numeric');
$post->add_rules('incident_active', 'between[0,1]');
Expand Down
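Review bot: The three new `else` branches in the second hunk normalise absent person fields to `''`, but because the surrounding `! empty()` tests treat the literal string `'0'` as empty, a submitted `person_first`, `person_last` or `person_email` of `'0'` is silently rewritten to `''` instead of being rejected by the `length[...]` rules; `if (isset($post->person_first) AND $post->person_first !== '')` keeps the fix for missing params without swallowing a real value. The new `isset()` guard on `incident_ampm` now relies on the `required` rule added two lines earlier to report a missing value, which deserves a comment so nobody later drops one without the other: `// absence is reported by the 'required' rule above; only check the contents when present`. `validate()` opens at the first hunk header and its body continues past the end of this section.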
11 changes: 8 additions & 3 deletions application/libraries/Api_Service.php
Expand Up @@ -202,11 +202,11 @@ public function get_task_name()
* Log user in.
* This method is mainly used for admin tasks performed via the API
*
* @param string $username User's username.
* @param string $password User's password.
* @param bool $admin require admin access?
* @param bool $member require member access?
* @return mixed user_id, FALSE if authentication fails
*/
public function _login($admin = FALSE)
public function _login($admin = FALSE, $member = FALSE)
{
$auth = Auth::instance();

Expand All @@ -218,6 +218,11 @@ public function _login($admin = FALSE)
{
return $auth->get_user()->id;
}
// Check if member perms required, assume admins also have member perms
else if ($member == FALSE OR $auth->has_permission('member_ui') OR $auth->has_permission('admin_ui'))
{
return $auth->get_user()->id;
}
else
{
return FALSE;
Expand Down
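Review bot: The new `else if` in the second hunk grants access whenever `$member == FALSE`, yet it only runs after the first branch (whose condition is in the collapsed lines between the two hunks) has already failed; if that condition is the admin check the old one-parameter signature implies, a caller of `_login(TRUE)` whose user lacks `admin_ui` now falls through to this branch and is returned a user id, and an anonymous caller reaches `$auth->get_user()->id` on whatever `get_user()` returns. Conversely, if the first branch passes for every `$admin == FALSE` call, the member check is never evaluated for `_login(FALSE, TRUE)`. The two flags should be independent requirements checked as guard clauses rather than an if/else-if chain, as sketched below (the `get_user()` guard assumes it returns something falsy for anonymous sessions — please confirm), and the docblock's `@return` line should say that both flags are enforced together. `_login()` is split across the collapsed region and its closing brace is outside this section.
```php
$auth = Auth::instance();
// … unchanged: login attempt (collapsed lines 213-217) …
$user = $auth->get_user();
if ( ! $user)
{
    return FALSE;
}
// Each flag is an independent requirement; admin_ui satisfies both.
if ($admin AND ! $auth->has_permission('admin_ui'))
{
    return FALSE;
}
if ($member AND ! ($auth->has_permission('member_ui') OR $auth->has_permission('admin_ui')))
{
    return FALSE;
}
return $user->id;
```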
7 changes: 7 additions & 0 deletions application/libraries/api/MY_Report_Api_Object.php
Expand Up @@ -28,6 +28,13 @@ public function __construct($api_service)
*/
public function perform_task()
{
// If user doesn't have member perms and allow_reports is disabled, Throw auth error
if ( ! Kohana::config('settings.allow_reports') AND ! $this->api_service->_login(FALSE, TRUE) )
{
$this->set_error_message($this->response(2));
return;
}

$ret_value = $this->_submit();

$this->response_data = $this->response($ret_value, $this->error_string);
Expand Down
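Review bot: The guard at the top of `perform_task()` is only as strong as `_login(FALSE, TRUE)`, and as that method appears in this commit its first branch (condition collapsed in the Api_Service section) may return a user id before the `member_ui` check is ever reached, so the `allow_reports` gate should be exercised against an authenticated non-member account before it is relied on. Calling `_login()` inside the condition also logs the caller in as a side effect (per its docblock) only when the setting is disabled, so `_submit()` — outside this hunk — may see an authenticated session in one configuration and an anonymous one in the other; if that is intended, say so: `// When public reporting is off, only logged-in members/admins may submit; _login() also establishes the session _submit() runs under`. The bare `2` passed to `response()` is a status code whose meaning is only hinted at by the comment above it; `$this->set_error_message($this->response(2)); // 2 = auth error` would spare the next reader a lookup.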

