Permission check finally works. Working on securing controllers.

2018-04-12 18:02:24 +09:00 · 2018-04-12 18:02:24 +09:00 · 5dd674e088
--- a/app/Http/Controllers/AuthController.php
+++ b/app/Http/Controllers/AuthController.php
@ -8,8 +8,9 @@ use JWTAuth;
 use Tymon\JWTAuth\Exceptions\JWTException;
 use Validator;
 use DB, Hash, Mail, Illuminate\Support\Facades\Password;
+use Illuminate\Cookie\CookieJar;
+use Symfony\Component\HttpFoundation\Cookie;

-use App\Http\Controllers\UserController;
 use App\Http\Controllers\PermissionController;
 use Illuminate\Support\Facades\Log;

@ -20,39 +21,61 @@ class AuthController extends Controller {
     * @param Request $request
     * @return \Illuminate\Http\JsonResponse
     */
-    private $objUser;
    private $objPermission;

    public function __construct() {
-        $this->objUser = new UserController();
        $this->objPermission = new PermissionController();
    }

-    public function checkLegit($uid) {
-        // Get user ID.
-        $perm = $this->objUser->getUser($uid);
+    public function checkLegit($u, $p) {
+        if (!isset($u) || !isset($p)) {
+            return 0;
+        }
+
+        $check = DB::table('users')
+            ->select('id')
+            ->where('username', $u)
+            ->where('password', $p)
+            ->first(
+                'id'
+            );
+
+        return $check->id;
+    }
+
+    public function getPermissions($user, $pass) {
+        $check = $this->checkLegit($user, $pass);
+
+        $perm = DB::table('usr_perm_id')
+            ->select('perm_id')
+            ->where('user_id', $check)
+            ->first(
+                'perm_id'
+            );
+
+        $perm = json_decode(json_encode($perm), true);

        // Does the user ID exist? Grand the appropriate rights. Otherwise, use guest.
-        if ($uid != 0) {
+        if ($check != 0) {
            // Page permissions.
-            $grouppermblg = $this->objPermission->getPermissionGroup('blg', $perm[0]->perm_id);
-            $userpermblg = $this->objPermission->getPermissionUser('blg', $uid);
+            $grouppermblg = $this->objPermission->getPermissionGroup('blg', $perm['perm_id']);
+            $userpermblg = $this->objPermission->getPermissionUser('blg', $check);

            // Board permissions.
-            $grouppermfor = $this->objPermission->getPermissionGroup('for', $perm[0]->perm_id);
-            $userpermfor = $this->objPermission->getPermissionUser('for', $uid);
+            $grouppermfor = $this->objPermission->getPermissionGroup('for', $perm['perm_id']);
+            $userpermfor = $this->objPermission->getPermissionUser('for', $check);

            // Store permissions.
-            $grouppermstr = $this->objPermission->getPermissionGroup('str', $perm[0]->perm_id);
-            $userpermstr = $this->objPermission->getPermissionUser('str', $uid);
+            $grouppermstr = $this->objPermission->getPermissionGroup('str', $perm['perm_id']);
+            $userpermstr = $this->objPermission->getPermissionUser('str', $check);

            // User permissions.
-            $grouppermusr = $this->objPermission->getPermissionGroup('usr', $perm[0]->perm_id);
-            $userpermusr = $this->objPermission->getPermissionUser('usr', $uid);
+            $grouppermusr = $this->objPermission->getPermissionGroup('usr', $perm['perm_id']);
+            $userpermusr = $this->objPermission->getPermissionUser('usr', $check);

            // Image permissions.
-            // $grouppermimg = $this->objPermission->getPermissionGroup('img', $perm[0]->perm_id);
-            // $userpermimg = $this->objPermission->getPermissionUser('img', $uid);
+            // $grouppermimg = $this->objPermission->getPermissionGroup('img', $perm['perm_id']);
+            // $userpermimg = $this->objPermission->getPermissionUser('img', $check);

            // Now provide an array of user overwritten permissions if it exists. Otherwise, give its group permissions.
            $blgarr = array();
@ -230,7 +253,7 @@ class AuthController extends Controller {
     * @param Request $request
     * @return \Illuminate\Http\JsonResponse
     */
-    public function login(Request $request) {
+    public function login(CookieJar $cookieJar, Request $request) {
        if (!empty($request)) {
            $checkName = DB::table('users')
                ->select('*')
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@ -11,53 +11,14 @@ use Illuminate\Support\Facades\Log;
 use Tymon\JWTAuth\Facades\JWTAuth;
 use Tymon\JWTAuth\Exceptions\JWTException;

-use App\Http\Controllers\PermissionController;
+use App\Http\Controllers\AuthController;

 class UserController extends Controller {
-    /* private $objPermission;
+    private $objAuth;

    public function __construct() {
-        $this->objPermission = new PermissionController();
-    } */
-
-    /* public function checkLegit($uid) {
-        // Get user ID.
-        $perm = $this->getUser($uid);
-
-        // Does the user ID exist? Grand the appropriate rights. Otherwise, use guest.
-        if ($uid != 0) {
-            $grouppermusr = $this->objPermission->getPermissionGroup('usr', $perm[0]->perm_id);
-            $userpermusr = $this->objPermission->getPermissionUser('usr', $uid);
-
-            // Now provide an array of user overwritten permissions if it exists. Otherwise, give its group permissions.
-            $usrarr = array();
-
-            if (!empty($userpermusr[0])) {
-                $usrarr = (array)$userpermusr[0];
-            }
-            else {
-                $usrarr = (array)$grouppermusr[0];
-            }
-
-            $usrarr = array_combine(
-                array_map(function($k){ return 'usr_'.$k; }, array_keys($usrarr)),
-                $usrarr
-            );
-
-            return $usrarr;
-        }
-        else {
-            $grouppermusr = $this->objPermission->getPermissionGroup('usr', 6);
-
-            // Since guests don't have user overwritten permissions, simply return the group permissions.
-            (array)$grouppermusr[0] = array_combine(
-                array_map(function($k){ return 'usr_'.$k; }, array_keys((array)$grouppermusr[0])),
-                (array)$grouppermusr[0]
-            );
-
-            return (array)$grouppermusr[0];
-        }
-    } */
+        $this->objAuth = new AuthController();
+    }

    // User
    public function getUsersOnline() { // /api/rpc/user/user/getusersonline
@ -117,7 +78,7 @@ class UserController extends Controller {
            ));
    }

-    public function getUser($id, $uid=0) { // /api/rpc/user/user/getuser/id/uid
+    public function getUser($id, Request $request) { // /api/rpc/user/user/getuser/id/uid
        $getting = array(
            'users.id',
            'username',
@ -137,17 +98,19 @@ class UserController extends Controller {
            'country'
        );

-        /* if ($this->checkLegit($uid)[0]->usr_showemail == 1) {
+        $valid = $this->objAuth->getPermissions($request->username, $request->password);
+
+        if ($valid['usr_emailshow'] == 1) {
            array_push($getting, 'email');
        }

-        if ($this->checkLegit($uid)[0]->usr_ipshow == 1) {
+        if ($valid['usr_ipshow'] == 1) {
            array_push($getting, 'ip_address');
        }

-        if ($this->checkLegit($uid)[0]->usr_canwarn == 1) {
+        if ($valid['usr_canwarn'] == 1) {
            array_push($getting, 'strikes');
-        } */
+        }

        return DB::table('users')
            ->join('usr_details', 'usr_details.user_id', '=', 'users.id')