Refactoring and security fixes
This commit is contained in:
parent
95cb7c8f44
commit
9d06de286c
|
@ -434,7 +434,7 @@ class user
|
|||
$this->tools->profiler_stop();
|
||||
}
|
||||
|
||||
public function requireRole($role, $adminGranted=true)
|
||||
public function hasRole($role, $adminGranted=true)
|
||||
{
|
||||
return $this->auth->hasRole($role) || $adminGranted && $role !== Role::DEVELOPER && $this->auth->hasRole(Role::ADMIN) || $role !== Role::DEVELOPER && $this->auth->hasRole(Role::SUPER_ADMIN);
|
||||
}
|
||||
|
@ -501,7 +501,7 @@ class user
|
|||
|
||||
public function info()
|
||||
{
|
||||
return array("autenticated" => $this->authenticated(), "id" => $this->auth->getUserId(), "name" => $this->name(), "full_viewer" => $this->requireRole(Role::FULL_VIEWER), "tester" => $this->requireRole(Role::TESTER), "developer" => $this->requireRole(Role::DEVELOPER));
|
||||
return array("autenticated" => $this->authenticated(), "id" => $this->auth->getUserId(), "name" => $this->name(), "full_viewer" => $this->hasRole(Role::FULL_VIEWER), "tester" => $this->hasRole(Role::TESTER), "developer" => $this->hasRole(Role::DEVELOPER));
|
||||
}
|
||||
|
||||
public function login($name, $password, $remember_me)
|
||||
|
@ -962,7 +962,7 @@ function init_class($enableDebugger=true, $headers=true)
|
|||
//TODO: add Monolog here
|
||||
}
|
||||
|
||||
if($enableDebugger && $user->requireRole(Role::DEVELOPER)) {
|
||||
if($enableDebugger && $user->hasRole(Role::DEVELOPER)) {
|
||||
$debugbar = new StandardDebugBar();
|
||||
bdump(__DIR__);
|
||||
$dir = str_replace("resources\ajax\\", "", __DIR__).DIRECTORY_SEPARATOR.'debug_storage';
|
||||
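Review bot: The renamed `hasRole` on L22 has no docblock and no type declarations, and its one-line body on L28 is easy to misread because `&&` binds tighter than `||`: an ADMIN satisfies any non-DEVELOPER role only while `$adminGranted` is true, whereas a SUPER_ADMIN satisfies any non-DEVELOPER role regardless of `$adminGranted`. Since the old name `requireRole` suggested enforcement and the method only returns a boolean, every caller must now act on the result itself; a docblock stating that contract, plus `public function hasRole($role, $adminGranted = true): bool`, would make it explicit. Splitting the three alternatives into parenthesised lines would also let a reader see the DEVELOPER exemption without re-deriving operator precedence.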
|
@ -2,7 +2,7 @@
|
|||
require("core.php");
|
||||
init_class();
|
||||
if($user->authenticated()){
|
||||
if($user->requireRole(Role::DEVELOPER)){
|
||||
if($user->hasRole(Role::DEVELOPER)){
|
||||
if(!isset($_REQUEST["op"]) || !isset($_REQUEST["id"])) $tools->rickroll();
|
||||
$openHandler = new DebugBar\OpenHandler($debugbar);
|
||||
$response = $openHandler->handle();
|
||||
|
@ -5,7 +5,7 @@ $user->requirelogin(false);
|
|||
$user->online_time_update();
|
||||
|
||||
function generate_message($change_user, $action){
|
||||
global $tools, $user;
|
||||
global $user;
|
||||
if($action == "activate"){
|
||||
$action_string = "Thanks, %s, you have given %s in case of alert.";
|
||||
} else {
|
||||
|
@ -19,7 +19,19 @@ function generate_message($change_user, $action){
|
|||
return sprintf(t($action_string, false), $user->nameById($user->auth->getUserId()), $user_string);
|
||||
}
|
||||
|
||||
if(isset($_POST["change_id"]) && $_POST["dispo"] == 1 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
|
||||
if(!isset($_POST["change_id"]) || !isset($_POST["change_id"])){
|
||||
http_response_code(400);
|
||||
echo(json_encode(["message" => t("Bad request.",false)]));
|
||||
exit();
|
||||
}
|
||||
|
||||
if(!$user->hasRole(Role::FULL_VIEWER) && $_POST["change_id"] !== $user->auth->getUserId()){
|
||||
http_response_code(401);
|
||||
echo(json_encode(["message" => t("You are not authorized to perform this action.",false)]));
|
||||
exit();
|
||||
}
|
||||
|
||||
if($_POST["dispo"] == 1 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
|
||||
$db->update(
|
||||
DB_PREFIX."_profiles",
|
||||
["available" => 1, "availability_last_change" => "manual"],
|
||||
|
@ -27,7 +39,7 @@ if(isset($_POST["change_id"]) && $_POST["dispo"] == 1 /* && $_POST["token_list"]
|
|||
);
|
||||
$user->log("Status changed to 'available'", $_POST["change_id"], $user->auth->getUserId());
|
||||
$message = generate_message($_POST["change_id"], "activate");
|
||||
} else if(isset($_POST["change_id"]) && $_POST["dispo"] == 0 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
|
||||
} else if($_POST["dispo"] == 0 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
|
||||
$db->update(
|
||||
DB_PREFIX."_profiles",
|
||||
["available" => 0, "availability_last_change" => "manual"],
|
||||
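Review bot: The guard added at L161 tests `$_POST["change_id"]` twice and never checks `$_POST["dispo"]`, which L195 and L223 then read unguarded; it should read `if(!isset($_POST["change_id"]) || !isset($_POST["dispo"])){`. On L178 the strict `!==` compares the raw POST string with whatever `getUserId()` returns — if that is an int the comparison never matches and a non-FULL_VIEWER user can never change their own availability, so cast both sides to int (or confirm the return type) before comparing. The status on L181 should be 403 rather than 401, since the caller has already passed `requirelogin` above the hunk and is merely not authorized. The `token_list` comparison is still commented out on L195 and L223, so this state-changing POST endpoint has no CSRF check even though the client now sends the token; re-enabling it with `hash_equals()` against the session value would close that gap.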
|
@ -9,7 +9,7 @@ $result = $db->select("SELECT * FROM `".DB_PREFIX."_profiles` ORDER BY available
|
|||
$response = [];
|
||||
foreach(!is_null($result) ? $result : [] as $row){
|
||||
if(!$user->hidden($row["id"])){
|
||||
if($user->requireRole(Role::FULL_VIEWER)){
|
||||
if($user->hasRole(Role::FULL_VIEWER)){
|
||||
$name = $user->nameById($row["id"]);
|
||||
$name_encoded = urlencode($user->name());
|
||||
$helmet_colour = $row["chief"] ? "red" : "black";
|
||||
|
@ -27,8 +27,10 @@
|
|||
"leaflet.locatecontrol": "0.73.0",
|
||||
"pdfmake": "0.1.71",
|
||||
"popper.js": "1.16.1",
|
||||
"promise-polyfill": "^8.2.0",
|
||||
"time-input-polyfill": "1.0.10",
|
||||
"toastr": "2.1.4"
|
||||
"toastr": "2.1.4",
|
||||
"whatwg-fetch": "^3.6.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@babel/core": "7.14.6",
|
||||
|
@ -5070,6 +5072,11 @@
|
|||
"node": ">=0.4.0"
|
||||
}
|
||||
},
|
||||
"node_modules/promise-polyfill": {
|
||||
"version": "8.2.0",
|
||||
"resolved": "https://registry.npmjs.org/promise-polyfill/-/promise-polyfill-8.2.0.tgz",
|
||||
"integrity": "sha512-k/TC0mIcPVF6yHhUvwAp7cvL6I2fFV7TzF1DuGPI8mBh4QQazf36xCKEHKTZKRysEoTQoQdKyP25J8MPJp7j5g=="
|
||||
},
|
||||
"node_modules/proxy-from-env": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
|
||||
|
@ -6650,6 +6657,11 @@
|
|||
"url": "https://opencollective.com/webpack"
|
||||
}
|
||||
},
|
||||
"node_modules/whatwg-fetch": {
|
||||
"version": "3.6.2",
|
||||
"resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.6.2.tgz",
|
||||
"integrity": "sha512-bJlen0FcuU/0EMLrdbJ7zOnW6ITZLrZMIarMUVmdKtsGvZna8vxKYaexICWPfZ8qwf9fzNq+UEIZrnSaApt6RA=="
|
||||
},
|
||||
"node_modules/which": {
|
||||
"version": "2.0.2",
|
||||
"resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
|
||||
|
@ -10536,6 +10548,11 @@
|
|||
"integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==",
|
||||
"dev": true
|
||||
},
|
||||
"promise-polyfill": {
|
||||
"version": "8.2.0",
|
||||
"resolved": "https://registry.npmjs.org/promise-polyfill/-/promise-polyfill-8.2.0.tgz",
|
||||
"integrity": "sha512-k/TC0mIcPVF6yHhUvwAp7cvL6I2fFV7TzF1DuGPI8mBh4QQazf36xCKEHKTZKRysEoTQoQdKyP25J8MPJp7j5g=="
|
||||
},
|
||||
"proxy-from-env": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
|
||||
|
@ -11683,6 +11700,11 @@
|
|||
}
|
||||
}
|
||||
},
|
||||
"whatwg-fetch": {
|
||||
"version": "3.6.2",
|
||||
"resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.6.2.tgz",
|
||||
"integrity": "sha512-bJlen0FcuU/0EMLrdbJ7zOnW6ITZLrZMIarMUVmdKtsGvZna8vxKYaexICWPfZ8qwf9fzNq+UEIZrnSaApt6RA=="
|
||||
},
|
||||
"which": {
|
||||
"version": "2.0.2",
|
||||
"resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
|
||||
|
@ -32,8 +32,10 @@
|
|||
"leaflet.locatecontrol": "0.73.0",
|
||||
"pdfmake": "0.1.71",
|
||||
"popper.js": "1.16.1",
|
||||
"promise-polyfill": "^8.2.0",
|
||||
"time-input-polyfill": "1.0.10",
|
||||
"toastr": "2.1.4"
|
||||
"toastr": "2.1.4",
|
||||
"whatwg-fetch": "^3.6.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@babel/core": "7.14.6",
|
||||
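Review bot: The two dependencies added at L467 and L479 use caret ranges (`^8.2.0`, `^3.6.2`) while every neighbouring entry in this file is pinned to an exact version, so a fresh install without the lockfile may resolve a different minor release than the 8.2.0 and 3.6.2 recorded in the lockfile section above. Pinning them as `"promise-polyfill": "8.2.0"` and `"whatwg-fetch": "3.6.2"` keeps the file's convention and the build reproducible.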
|
@ -29,7 +29,34 @@ toastr.options = {
|
|||
showMethod: "fadeIn",
|
||||
hideMethod: "fadeOut"
|
||||
};
|
||||
|
||||
|
||||
if(!('fetch' in window)){
|
||||
import(`./polyfills.js`).then((_ ) => {
|
||||
window.Promise = _.Promise;
|
||||
window.fetch = _.fetch;
|
||||
});
|
||||
}
|
||||
|
||||
function objectToURLParams(list){
|
||||
let params = new URLSearchParams();
|
||||
list.forEach((el) => {
|
||||
params.append(el[0], el[1]);
|
||||
});
|
||||
return params.toString();
|
||||
}
|
||||
|
||||
function displayResponseMessage(r){
|
||||
console.log(r);
|
||||
let statusCode = r.status;
|
||||
r.json().then(r => {
|
||||
if(statusCode === 200){
|
||||
toastr.success(r.message);
|
||||
} else {
|
||||
toastr.error(r.message);
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
$.fn.loading = function (action = "start", options) {
|
||||
const opts = $.extend({}, $.fn.loading.defaults, options);
|
||||
|
||||
|
@ -290,38 +317,38 @@ export function reloadTable(){
|
|||
}
|
||||
|
||||
export function activate(id, token_list) {
|
||||
$.ajax({
|
||||
url: "resources/ajax/ajax_change_availability.php",
|
||||
method: "POST",
|
||||
data: {
|
||||
change_id: id,
|
||||
dispo: 1,
|
||||
token_list: token_list
|
||||
fetch("resources/ajax/ajax_change_availability.php", {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Accept': 'application/json',
|
||||
'Content-Type': 'application/x-www-form-urlencoded'
|
||||
},
|
||||
dataType: "json",
|
||||
success: function (data) {
|
||||
console.log(data);
|
||||
toastr.success(data.message);
|
||||
allertaJS.main.reloadTable();
|
||||
}
|
||||
body: objectToURLParams([
|
||||
["change_id", id],
|
||||
["dispo", 1],
|
||||
["token_list", token_list]
|
||||
])
|
||||
}).then(r => {
|
||||
displayResponseMessage(r);
|
||||
allertaJS.main.reloadTable();
|
||||
});
|
||||
}
|
||||
|
||||
export function deactivate(id, token_list) {
|
||||
$.ajax({
|
||||
url: "resources/ajax/ajax_change_availability.php",
|
||||
method: "POST",
|
||||
data: {
|
||||
change_id: id,
|
||||
dispo: 0,
|
||||
token_list: token_list
|
||||
fetch("resources/ajax/ajax_change_availability.php", {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Accept': 'application/json',
|
||||
'Content-Type': 'application/x-www-form-urlencoded'
|
||||
},
|
||||
dataType: "json",
|
||||
success: function (data) {
|
||||
console.log(data);
|
||||
toastr.success(data.message);
|
||||
allertaJS.main.reloadTable();
|
||||
}
|
||||
body: objectToURLParams([
|
||||
["change_id", id],
|
||||
["dispo", 0],
|
||||
["token_list", token_list]
|
||||
])
|
||||
}).then(r => {
|
||||
displayResponseMessage(r);
|
||||
allertaJS.main.reloadTable();
|
||||
});
|
||||
}
|
||||
|
||||
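Review bot: `displayResponseMessage` at L553 calls `r.json()` without a rejection handler, so any non-JSON reply from the endpoint (a PHP notice or an HTML error page) ends as an unhandled promise rejection and the user sees no toast; the `console.log(r)` on L556 also looks like leftover debugging. `activate` and `deactivate` are now identical except for the `dispo` value, and both reload the table even when the server answered 400 or 401, where the removed `$.ajax` version reloaded only on success, so a shared helper that reloads on `r.ok` and catches network errors removes the duplication. Whether the session cookie accompanies the request depends on the fetch implementation's default credentials mode, which may differ between native fetch and the polyfill, so passing `credentials: 'same-origin'` explicitly is worth adding. The polyfill block at L510 assigns `window.fetch` only after the dynamic import resolves, so a click handler that fires before then would presumably still throw on a browser without fetch — worth confirming against how the bundler sequences the load. The fence below folds both functions into one helper and adds the missing handlers.
```javascript
function displayResponseMessage(r){
    let statusCode = r.status;
    return r.json().then(body => {
        if(statusCode === 200){
            toastr.success(body.message);
        } else {
            toastr.error(body.message);
        }
    }).catch(() => toastr.error("Unexpected response (HTTP " + statusCode + ")"));
}

// … unchanged: $.fn.loading and the rest of the file up to reloadTable …

function changeAvailability(id, dispo, token_list) {
    return fetch("resources/ajax/ajax_change_availability.php", {
        method: 'POST',
        credentials: 'same-origin',
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        body: objectToURLParams([
            ["change_id", id],
            ["dispo", dispo],
            ["token_list", token_list]
        ])
    }).then(r => {
        displayResponseMessage(r);
        if(r.ok){
            allertaJS.main.reloadTable();
        }
    }).catch(e => toastr.error(String(e)));
}

export function activate(id, token_list) {
    return changeAvailability(id, 1, token_list);
}

export function deactivate(id, token_list) {
    return changeAvailability(id, 0, token_list);
}
```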
|
@ -0,0 +1,7 @@
|
|||
import Promise from 'promise-polyfill';
|
||||
import {fetch as fetchPolyfill} from 'whatwg-fetch'
|
||||
|
||||
export {
|
||||
Promise,
|
||||
fetchPolyfill as fetch
|
||||
};
|
|
@ -126,5 +126,7 @@ return [
|
|||
"Remove selections" => "Remove selections",
|
||||
"JavaScript is disabled or it's not supported in your browser but it's required for using Allerta-VVF. If you want to continue, please enable JS <a href='?JSless=1'>or use the JS-less version</a>." => "JavaScript is disabled or it's not supported in your browser but it's required for using Allerta-VVF. If you want to continue, please enable JS <a href='?JSless=1'>or use the JS-less version</a>.",
|
||||
"yes" => "yes",
|
||||
"no" => "no"
|
||||
"no" => "no",
|
||||
"You are not authorized to perform this action." => "You are not authorized to perform this action.",
|
||||
"Bad request." => "Bad request."
|
||||
];
|
||||
|
@ -126,5 +126,7 @@ return [
|
|||
"Remove selections" => "Rimuovi selezioni",
|
||||
"JavaScript is disabled or it's not supported in your browser but it's required for using Allerta-VVF. If you want to continue, please enable JS <a href='?JSless=1'>or use the JS-less version</a>." => "JavaScript è disabilitato o non è supportato dal tuo browser, ma è richiesto per utilizzare Allerta-VVF. Per continuare, abilita JS <a href='?JSless=1'>o usa la versione senza JS</a>.",
|
||||
"yes" => "si",
|
||||
"no" => "no"
|
||||
"no" => "no",
|
||||
"You are not authorized to perform this action." => "Non sei autorizzato ad eseguire questa azione.",
|
||||
"Bad request." => "Errore nella richiesta."
|
||||
];
|
||||