Refactoring and security fixes

2021-06-16 23:30:46 +02:00 · 2021-06-16 23:30:46 +02:00 · 9d06de286c
parent 95cb7c8f44
commit 9d06de286c
10 changed files with 113 additions and 39 deletions
--- a/server/core.php
+++ b/server/core.php
@ -434,7 +434,7 @@ class user
        $this->tools->profiler_stop();
    }

-    public function requireRole($role, $adminGranted=true)
+    public function hasRole($role, $adminGranted=true)
    {
        return $this->auth->hasRole($role) || $adminGranted && $role !== Role::DEVELOPER && $this->auth->hasRole(Role::ADMIN) || $role !== Role::DEVELOPER && $this->auth->hasRole(Role::SUPER_ADMIN);
    }
@ -501,7 +501,7 @@ class user

    public function info()
    {
-        return array("autenticated" => $this->authenticated(), "id" => $this->auth->getUserId(), "name" => $this->name(), "full_viewer" => $this->requireRole(Role::FULL_VIEWER), "tester" => $this->requireRole(Role::TESTER), "developer" => $this->requireRole(Role::DEVELOPER));
+        return array("autenticated" => $this->authenticated(), "id" => $this->auth->getUserId(), "name" => $this->name(), "full_viewer" => $this->hasRole(Role::FULL_VIEWER), "tester" => $this->hasRole(Role::TESTER), "developer" => $this->hasRole(Role::DEVELOPER));
    }

    public function login($name, $password, $remember_me)
@ -962,7 +962,7 @@ function init_class($enableDebugger=true, $headers=true)
        //TODO: add Monolog here
    }

-    if($enableDebugger && $user->requireRole(Role::DEVELOPER)) {
+    if($enableDebugger && $user->hasRole(Role::DEVELOPER)) {
        $debugbar = new StandardDebugBar();
        bdump(__DIR__);
        $dir = str_replace("resources\ajax\\", "", __DIR__).DIRECTORY_SEPARATOR.'debug_storage';
--- a/server/debug_open.php
+++ b/server/debug_open.php
@ -2,7 +2,7 @@
 require("core.php");
 init_class();
 if($user->authenticated()){
-    if($user->requireRole(Role::DEVELOPER)){
+    if($user->hasRole(Role::DEVELOPER)){
        if(!isset($_REQUEST["op"]) || !isset($_REQUEST["id"])) $tools->rickroll();
        $openHandler = new DebugBar\OpenHandler($debugbar);
        $response = $openHandler->handle();
--- a/server/resources/ajax/ajax_change_availability.php
+++ b/server/resources/ajax/ajax_change_availability.php
@ -5,7 +5,7 @@ $user->requirelogin(false);
 $user->online_time_update();

 function generate_message($change_user, $action){
-    global $tools, $user;
+    global $user;
    if($action == "activate"){
        $action_string = "Thanks, %s, you have given %s in case of alert.";
    } else {
@ -19,7 +19,19 @@ function generate_message($change_user, $action){
    return sprintf(t($action_string, false), $user->nameById($user->auth->getUserId()), $user_string);
 }

-if(isset($_POST["change_id"]) && $_POST["dispo"] == 1 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
+if(!isset($_POST["change_id"]) || !isset($_POST["change_id"])){
+    http_response_code(400);
+    echo(json_encode(["message" => t("Bad request.",false)]));
+    exit();
+}
+
+if(!$user->hasRole(Role::FULL_VIEWER) && $_POST["change_id"] !== $user->auth->getUserId()){
+    http_response_code(401);
+    echo(json_encode(["message" => t("You are not authorized to perform this action.",false)]));
+    exit();
+}
+
+if($_POST["dispo"] == 1 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
    $db->update(
        DB_PREFIX."_profiles",
        ["available" => 1, "availability_last_change" => "manual"],
@ -27,7 +39,7 @@ if(isset($_POST["change_id"]) && $_POST["dispo"] == 1 /* && $_POST["token_list"]
    );
    $user->log("Status changed to 'available'", $_POST["change_id"], $user->auth->getUserId());
    $message = generate_message($_POST["change_id"], "activate");
-} else if(isset($_POST["change_id"]) && $_POST["dispo"] == 0 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
+} else if($_POST["dispo"] == 0 /* && $_POST["token_list"] == $_SESSION['token_list'] */){
    $db->update(
        DB_PREFIX."_profiles",
        ["available" => 0, "availability_last_change" => "manual"],
--- a/server/resources/ajax/ajax_list.php
+++ b/server/resources/ajax/ajax_list.php
@ -9,7 +9,7 @@ $result = $db->select("SELECT * FROM `".DB_PREFIX."_profiles` ORDER BY available
 $response = [];
 foreach(!is_null($result) ? $result : [] as $row){
  if(!$user->hidden($row["id"])){
-    if($user->requireRole(Role::FULL_VIEWER)){
+    if($user->hasRole(Role::FULL_VIEWER)){
      $name = $user->nameById($row["id"]);
      $name_encoded = urlencode($user->name());
      $helmet_colour = $row["chief"] ? "red" : "black";
--- a/server/resources/package-lock.json
+++ b/server/resources/package-lock.json
@ -27,8 +27,10 @@
        "leaflet.locatecontrol": "0.73.0",
        "pdfmake": "0.1.71",
        "popper.js": "1.16.1",
+        "promise-polyfill": "^8.2.0",
        "time-input-polyfill": "1.0.10",
-        "toastr": "2.1.4"
+        "toastr": "2.1.4",
+        "whatwg-fetch": "^3.6.2"
      },
      "devDependencies": {
        "@babel/core": "7.14.6",
@ -5070,6 +5072,11 @@
        "node": ">=0.4.0"
      }
    },
+    "node_modules/promise-polyfill": {
+      "version": "8.2.0",
+      "resolved": "https://registry.npmjs.org/promise-polyfill/-/promise-polyfill-8.2.0.tgz",
+      "integrity": "sha512-k/TC0mIcPVF6yHhUvwAp7cvL6I2fFV7TzF1DuGPI8mBh4QQazf36xCKEHKTZKRysEoTQoQdKyP25J8MPJp7j5g=="
+    },
    "node_modules/proxy-from-env": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
@ -6650,6 +6657,11 @@
        "url": "https://opencollective.com/webpack"
      }
    },
+    "node_modules/whatwg-fetch": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.6.2.tgz",
+      "integrity": "sha512-bJlen0FcuU/0EMLrdbJ7zOnW6ITZLrZMIarMUVmdKtsGvZna8vxKYaexICWPfZ8qwf9fzNq+UEIZrnSaApt6RA=="
+    },
    "node_modules/which": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
@ -10536,6 +10548,11 @@
      "integrity": "sha512-7PiHtLll5LdnKIMw100I+8xJXR5gW2QwWYkT6iJva0bXitZKa/XMrSbdmg3r2Xnaidz9Qumd0VPaMrZlF9V9sA==",
      "dev": true
    },
+    "promise-polyfill": {
+      "version": "8.2.0",
+      "resolved": "https://registry.npmjs.org/promise-polyfill/-/promise-polyfill-8.2.0.tgz",
+      "integrity": "sha512-k/TC0mIcPVF6yHhUvwAp7cvL6I2fFV7TzF1DuGPI8mBh4QQazf36xCKEHKTZKRysEoTQoQdKyP25J8MPJp7j5g=="
+    },
    "proxy-from-env": {
      "version": "1.1.0",
      "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
@ -11683,6 +11700,11 @@
        }
      }
    },
+    "whatwg-fetch": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/whatwg-fetch/-/whatwg-fetch-3.6.2.tgz",
+      "integrity": "sha512-bJlen0FcuU/0EMLrdbJ7zOnW6ITZLrZMIarMUVmdKtsGvZna8vxKYaexICWPfZ8qwf9fzNq+UEIZrnSaApt6RA=="
+    },
    "which": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
--- a/server/resources/package.json
+++ b/server/resources/package.json
@ -32,8 +32,10 @@
    "leaflet.locatecontrol": "0.73.0",
    "pdfmake": "0.1.71",
    "popper.js": "1.16.1",
+    "promise-polyfill": "^8.2.0",
    "time-input-polyfill": "1.0.10",
-    "toastr": "2.1.4"
+    "toastr": "2.1.4",
+    "whatwg-fetch": "^3.6.2"
  },
  "devDependencies": {
    "@babel/core": "7.14.6",
--- a/server/resources/src/main.js
+++ b/server/resources/src/main.js
@ -29,7 +29,34 @@ toastr.options = {
  showMethod: "fadeIn",
  hideMethod: "fadeOut"
 };
- 
+
+if(!('fetch' in window)){
+  import(`./polyfills.js`).then((_ ) => {
+    window.Promise = _.Promise;
+    window.fetch = _.fetch;
+  });
+}
+
+function objectToURLParams(list){
+  let params = new URLSearchParams();
+  list.forEach((el) => {
+    params.append(el[0], el[1]);
+  });
+  return params.toString();
+}
+
+function displayResponseMessage(r){
+  console.log(r);
+  let statusCode = r.status;
+  r.json().then(r => {
+    if(statusCode === 200){
+      toastr.success(r.message);
+    } else {
+      toastr.error(r.message);
+    }
+  });
+}
+
 $.fn.loading = function (action = "start", options) {
  const opts = $.extend({}, $.fn.loading.defaults, options);
 
@ -290,38 +317,38 @@ export function reloadTable(){
 }

 export function activate(id, token_list) {
-  $.ajax({
-    url: "resources/ajax/ajax_change_availability.php",
-    method: "POST",
-    data: {
-      change_id: id,
-      dispo: 1,
-      token_list: token_list
+  fetch("resources/ajax/ajax_change_availability.php", {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/x-www-form-urlencoded'
    },
-    dataType: "json",
-    success: function (data) {
-      console.log(data);
-      toastr.success(data.message);
-      allertaJS.main.reloadTable();
-    }
+    body: objectToURLParams([
+      ["change_id", id],
+      ["dispo", 1],
+      ["token_list", token_list]
+    ])
+  }).then(r => {
+    displayResponseMessage(r);
+    allertaJS.main.reloadTable();
  });
 }
 
 export function deactivate(id, token_list) {
-  $.ajax({
-    url: "resources/ajax/ajax_change_availability.php",
-    method: "POST",
-    data: {
-      change_id: id,
-      dispo: 0,
-      token_list: token_list
+  fetch("resources/ajax/ajax_change_availability.php", {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/x-www-form-urlencoded'
    },
-    dataType: "json",
-    success: function (data) {
-      console.log(data);
-      toastr.success(data.message);
-      allertaJS.main.reloadTable();
-    }
+    body: objectToURLParams([
+      ["change_id", id],
+      ["dispo", 0],
+      ["token_list", token_list]
+    ])
+  }).then(r => {
+    displayResponseMessage(r);
+    allertaJS.main.reloadTable();
  });
 }

--- a/server/resources/src/polyfills.js
+++ b/server/resources/src/polyfills.js
@ -0,0 +1,7 @@
+import Promise from 'promise-polyfill';
+import {fetch as fetchPolyfill} from 'whatwg-fetch'
+
+export {
+    Promise,
+    fetchPolyfill as fetch
+};
--- a/server/translations/en/base.php
+++ b/server/translations/en/base.php
@ -126,5 +126,7 @@ return [
    "Remove selections" => "Remove selections",
    "JavaScript is disabled or it's not supported in your browser but it's required for using Allerta-VVF. If you want to continue, please enable JS <a href='?JSless=1'>or use the JS-less version</a>." => "JavaScript is disabled or it's not supported in your browser but it's required for using Allerta-VVF. If you want to continue, please enable JS <a href='?JSless=1'>or use the JS-less version</a>.",
    "yes" => "yes",
-    "no" => "no"
+    "no" => "no",
+    "You are not authorized to perform this action." => "You are not authorized to perform this action.",
+    "Bad request." => "Bad request."
 ];
--- a/server/translations/it/base.php
+++ b/server/translations/it/base.php
@ -126,5 +126,7 @@ return [
    "Remove selections" => "Rimuovi selezioni",
    "JavaScript is disabled or it's not supported in your browser but it's required for using Allerta-VVF. If you want to continue, please enable JS <a href='?JSless=1'>or use the JS-less version</a>." => "JavaScript è disabilitato o non è supportato dal tuo browser, ma è richiesto per utilizzare Allerta-VVF. Per continuare, abilita JS <a href='?JSless=1'>o usa la versione senza JS</a>.",
    "yes" => "si",
-    "no" => "no"
+    "no" => "no",
+    "You are not authorized to perform this action." => "Non sei autorizzato ad eseguire questa azione.",
+    "Bad request." => "Errore nella richiesta."
 ];