Security improvements
This commit is contained in:
parent
3ce30f0ef1
commit
c41e9bbd62
@ -10,9 +10,7 @@ try {
|
|||
$server_side = ["status" => "error", "status_msg" => $e];
|
||||
}
|
||||
try {
|
||||
$server_info = $_SERVER;
|
||||
unset($server_info["DOCUMENT_ROOT"], $server_info["REQUEST_URI"], $server_info["SCRIPT_NAME"], $server_info["PHP_SELF"], $server_info["REMOTE_ADDR"], $server_info["REMOTE_PORT"], $server_info["SERVER_SOFTWARE"], $server_info["SERVER_NAME"], $server_info["SERVER_PORT"], $server_info["SCRIPT_FILENAME"]);
|
||||
$client_side = ["status" => "ok", "status_msg" => null, "info" => $server_info, "ip" => $tools->get_ip()];
|
||||
$client_side = ["status" => "ok", "status_msg" => null, "ip" => $tools->get_ip()];
|
||||
} catch (Exception $e) {
|
||||
$server_side = ["status" => "error", "status_msg" => $e];
|
||||
}
|
||||
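Review bot: The catch at the bottom of the hunk still stores the raw exception object as `status_msg` (`"status_msg" => $e`), and nothing on that path assigns `$client_side`, so a failure leaves the client payload undefined while the server-side record carries an object that, if it is ever echoed or string-cast, prints the stack trace and file paths the commit just removed from the success response. Consider adding `$client_side = ["status" => "error", "status_msg" => "Internal error", "ip" => null];` next to the existing `$server_side` assignment, and keeping `$e->getMessage()` (or logging `$e`) rather than the object itself — assuming `$server_side` is only logged, which this hunk does not show. The earlier try whose catch ends at the top of the hunk begins outside it.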
@ -2,7 +2,6 @@
|
|||
require_once 'core.php';
|
||||
|
||||
init_class(false);
|
||||
header('Content-Type: application/json');
|
||||
error_reporting(-1);
|
||||
|
||||
list($cronJobDay, $cronJobTime) = explode(";", get_option("cron_job_time"));
|
||||
|
@ -153,8 +152,13 @@ if($start) {
|
|||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
require("error_page.php");
|
||||
show_error_page(405, "Method not allowed", "Allowed methods: POST");
|
||||
exit();
|
||||
}
|
||||
|
||||
header('Content-Type: application/json');
|
||||
echo(json_encode(
|
||||
[
|
||||
"start" => $start,
|
||||
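Review bot: The new 405 branch only names the allowed method in the error page body; a 405 response should also carry the `Allow` header so HTTP clients can act on it — `header('Allow: POST');` before the `show_error_page(405, ...)` call. Moving the JSON `Content-Type` below the branch is the right call since the error page is presumably HTML, but `require("error_page.php")` would be safer as `require_once` if the same file can be included elsewhere in the request. The `if` this `else` belongs to starts outside the hunk, so I cannot confirm it is the request-method check the message implies.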
@ -3,6 +3,13 @@ require_once 'ui.php';
|
|||
use Brick\PhoneNumber\PhoneNumber;
|
||||
use Brick\PhoneNumber\PhoneNumberFormat;
|
||||
use Brick\PhoneNumber\PhoneNumberParseException;
|
||||
|
||||
if(!$user->hasRole(Role::SUPER_ADMIN)){
|
||||
require("error_page.php");
|
||||
show_error_page(401, t("You are not authorized to perform this action.",false), "");
|
||||
exit();
|
||||
}
|
||||
|
||||
function debug(){
|
||||
echo("<pre>"); var_dump($_POST); echo("</pre>"); exit();
|
||||
}
|
||||
|
@ -78,11 +78,12 @@
|
|||
allertaJS.main.loadTable({tablePage: "list", useCustomTableEngine: "default", callback: allertaJS.main.loadListListCallback});
|
||||
</script>
|
||||
</div>
|
||||
|
||||
{% if hasRole("SUPER_ADMIN") %}
|
||||
<br><br>
|
||||
<p style="text-align: center;">
|
||||
<a class='pjax_disable' id='add' href="edit_user.php?add">{{ 'Add user'|t }}</a>
|
||||
</p>
|
||||
{% endif %}
|
||||
<br>
|
||||
<br>
|
||||
{% endblock %}
@ -136,6 +136,26 @@ $function_yesOrNo = new \Twig\TwigFunction(
|
|||
}, ['is_safe' => ['html']]
|
||||
);
|
||||
$twig->addFunction($function_yesOrNo);
|
||||
|
||||
$function_hasRole = new \Twig\TwigFunction(
|
||||
'hasRole', function ($role) {
|
||||
global $user;
|
||||
|
||||
$GUEST = \Delight\Auth\Role::AUTHOR;
|
||||
$BASIC_VIEWER = \Delight\Auth\Role::COLLABORATOR;
|
||||
$FULL_VIEWER = \Delight\Auth\Role::CONSULTANT;
|
||||
$EDITOR = \Delight\Auth\Role::CONSUMER;
|
||||
$SUPER_EDITOR = \Delight\Auth\Role::CONTRIBUTOR;
|
||||
$DEVELOPER = \Delight\Auth\Role::DEVELOPER;
|
||||
$TESTER = \Delight\Auth\Role::CREATOR;
|
||||
$EXTERNAL_VIEWER = \Delight\Auth\Role::REVIEWER;
|
||||
$ADMIN = \Delight\Auth\Role::ADMIN;
|
||||
$SUPER_ADMIN = \Delight\Auth\Role::SUPER_ADMIN;
|
||||
|
||||
return $user->hasRole($$role);
|
||||
}
|
||||
);
|
||||
$twig->addFunction($function_hasRole);
|
||||
p_stop();
|
||||
|
||||
$template = null;
|
||||
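Review bot: The new `hasRole` Twig function resolves the template's role name with a variable variable, `return $user->hasRole($$role);`, so any name that is not one of the ten locals silently becomes an undefined variable (null) and the check degrades to whatever `hasRole(null)` does, while a name like `"user"` resolves to the `$user` object itself — a typo in a template never fails loudly. An explicit name-to-constant map with a thrown exception on unknown names keeps the same template interface and makes mistakes visible at render time; the rewrite below replaces the ten local assignments and the return. The role aliases (GUEST = AUTHOR, TESTER = CREATOR, …) look like they are duplicated from elsewhere in the project; if a shared table exists, reuse it instead of copying it here.
```php
$function_hasRole = new \Twig\TwigFunction(
    'hasRole', function ($role) {
        global $user;

        // Explicit name → Delight role map; an unknown name throws instead of
        // silently resolving to null through $$role.
        $roles = [
            'GUEST'           => \Delight\Auth\Role::AUTHOR,
            'BASIC_VIEWER'    => \Delight\Auth\Role::COLLABORATOR,
            'FULL_VIEWER'     => \Delight\Auth\Role::CONSULTANT,
            'EDITOR'          => \Delight\Auth\Role::CONSUMER,
            'SUPER_EDITOR'    => \Delight\Auth\Role::CONTRIBUTOR,
            'DEVELOPER'       => \Delight\Auth\Role::DEVELOPER,
            'TESTER'          => \Delight\Auth\Role::CREATOR,
            'EXTERNAL_VIEWER' => \Delight\Auth\Role::REVIEWER,
            'ADMIN'           => \Delight\Auth\Role::ADMIN,
            'SUPER_ADMIN'     => \Delight\Auth\Role::SUPER_ADMIN,
        ];

        if (!array_key_exists($role, $roles)) {
            throw new \InvalidArgumentException("Unknown role name: {$role}");
        }

        return $user->hasRole($roles[$role]);
    }
);
// … unchanged: $twig->addFunction($function_hasRole); p_stop(); …
```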