Permission check finally works. Working on securing controllers.
このコミットが含まれているのは:
コミット
5dd674e088
@ -8,8 +8,9 @@ use JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
use Validator;
use DB, Hash, Mail, Illuminate\Support\Facades\Password;
use Illuminate\Cookie\CookieJar;
use Symfony\Component\HttpFoundation\Cookie;
use App\Http\Controllers\UserController;
use App\Http\Controllers\PermissionController;
use Illuminate\Support\Facades\Log;
@ -20,39 +21,61 @@ class AuthController extends Controller {
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
private $objUser;
private $objPermission;
public function __construct() {
$this->objUser = new UserController();
$this->objPermission = new PermissionController();
}
public function checkLegit($uid) {
// Get user ID.
$perm = $this->objUser->getUser($uid);
public function checkLegit($u, $p) {
if (!isset($u) || !isset($p)) {
return 0;
}
$check = DB::table('users')
->select('id')
->where('username', $u)
->where('password', $p)
->first(
'id'
);
return $check->id;
}
public function getPermissions($user, $pass) {
$check = $this->checkLegit($user, $pass);
$perm = DB::table('usr_perm_id')
->select('perm_id')
->where('user_id', $check)
->first(
'perm_id'
);
$perm = json_decode(json_encode($perm), true);
// Does the user ID exist? Grand the appropriate rights. Otherwise, use guest.
if ($uid != 0) {
if ($check != 0) {
// Page permissions.
$grouppermblg = $this->objPermission->getPermissionGroup('blg', $perm[0]->perm_id);
$userpermblg = $this->objPermission->getPermissionUser('blg', $uid);
$grouppermblg = $this->objPermission->getPermissionGroup('blg', $perm['perm_id']);
$userpermblg = $this->objPermission->getPermissionUser('blg', $check);
// Board permissions.
$grouppermfor = $this->objPermission->getPermissionGroup('for', $perm[0]->perm_id);
$userpermfor = $this->objPermission->getPermissionUser('for', $uid);
$grouppermfor = $this->objPermission->getPermissionGroup('for', $perm['perm_id']);
$userpermfor = $this->objPermission->getPermissionUser('for', $check);
// Store permissions.
$grouppermstr = $this->objPermission->getPermissionGroup('str', $perm[0]->perm_id);
$userpermstr = $this->objPermission->getPermissionUser('str', $uid);
$grouppermstr = $this->objPermission->getPermissionGroup('str', $perm['perm_id']);
$userpermstr = $this->objPermission->getPermissionUser('str', $check);
// User permissions.
$grouppermusr = $this->objPermission->getPermissionGroup('usr', $perm[0]->perm_id);
$userpermusr = $this->objPermission->getPermissionUser('usr', $uid);
$grouppermusr = $this->objPermission->getPermissionGroup('usr', $perm['perm_id']);
$userpermusr = $this->objPermission->getPermissionUser('usr', $check);
// Image permissions.
// $grouppermimg = $this->objPermission->getPermissionGroup('img', $perm[0]->perm_id);
// $userpermimg = $this->objPermission->getPermissionUser('img', $uid);
// $grouppermimg = $this->objPermission->getPermissionGroup('img', $perm['perm_id']);
// $userpermimg = $this->objPermission->getPermissionUser('img', $check);
// Now provide an array of user overwritten permissions if it exists. Otherwise, give its group permissions.
$blgarr = array();
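Review bot: `checkLegit($u, $p)` authenticates by matching the submitted password verbatim against the `password` column (`->where('password', $p)`), which only works if that column holds plaintext or a value the caller has already hashed; since the `Hash` facade is already imported on the `use DB, Hash, Mail, ...` line, the lookup should select the row by username alone and verify the secret with `Hash::check()`. The following `return $check->id;` dereferences `null` whenever no row matches, so an unknown username raises an error instead of returning the `0` that `getPermissions` later tests with `$check != 0`. In `getPermissions`, `$perm = json_decode(json_encode($perm), true)` is `null` for a user with no `usr_perm_id` row, and the `$perm['perm_id']` reads that follow then access an offset on null, so a guard such as `if ($check != 0 && isset($perm['perm_id']))` is needed before the permission lookups. The body of `getPermissions` continues past the end of this hunk.
```php
public function checkLegit($u, $p) {
    if (!isset($u) || !isset($p)) {
        return 0;
    }

    // Look the account up by username only; the password is verified
    // against the stored hash rather than compared inside the query.
    $row = DB::table('users')
        ->select('id', 'password')
        ->where('username', $u)
        ->first();

    if ($row === null || !Hash::check($p, $row->password)) {
        return 0;
    }

    return $row->id;
}
```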
@ -230,7 +253,7 @@ class AuthController extends Controller {
* @param Request $request
* @return \Illuminate\Http\JsonResponse
*/
public function login(Request $request) {
public function login(CookieJar $cookieJar, Request $request) {
if (!empty($request)) {
$checkName = DB::table('users')
->select('*')
@ -11,53 +11,14 @@ use Illuminate\Support\Facades\Log;
use Tymon\JWTAuth\Facades\JWTAuth;
use Tymon\JWTAuth\Exceptions\JWTException;
use App\Http\Controllers\PermissionController;
use App\Http\Controllers\AuthController;
class UserController extends Controller {
/* private $objPermission;
private $objAuth;
public function __construct() {
$this->objPermission = new PermissionController();
} */
/* public function checkLegit($uid) {
// Get user ID.
$perm = $this->getUser($uid);
// Does the user ID exist? Grand the appropriate rights. Otherwise, use guest.
if ($uid != 0) {
$grouppermusr = $this->objPermission->getPermissionGroup('usr', $perm[0]->perm_id);
$userpermusr = $this->objPermission->getPermissionUser('usr', $uid);
// Now provide an array of user overwritten permissions if it exists. Otherwise, give its group permissions.
$usrarr = array();
if (!empty($userpermusr[0])) {
$usrarr = (array)$userpermusr[0];
}
else {
$usrarr = (array)$grouppermusr[0];
}
$usrarr = array_combine(
array_map(function($k){ return 'usr_'.$k; }, array_keys($usrarr)),
$usrarr
);
return $usrarr;
}
else {
$grouppermusr = $this->objPermission->getPermissionGroup('usr', 6);
// Since guests don't have user overwritten permissions, simply return the group permissions.
(array)$grouppermusr[0] = array_combine(
array_map(function($k){ return 'usr_'.$k; }, array_keys((array)$grouppermusr[0])),
(array)$grouppermusr[0]
);
return (array)$grouppermusr[0];
}
} */
$this->objAuth = new AuthController();
}
// User
public function getUsersOnline() { // /api/rpc/user/user/getusersonline
@ -117,7 +78,7 @@ class UserController extends Controller {
));
}
public function getUser($id, $uid=0) { // /api/rpc/user/user/getuser/id/uid
public function getUser($id, Request $request) { // /api/rpc/user/user/getuser/id/uid
$getting = array(
'users.id',
'username',
@ -137,17 +98,19 @@ class UserController extends Controller {
'country'
);
/* if ($this->checkLegit($uid)[0]->usr_showemail == 1) {
$valid = $this->objAuth->getPermissions($request->username, $request->password);
if ($valid['usr_emailshow'] == 1) {
array_push($getting, 'email');
}
if ($this->checkLegit($uid)[0]->usr_ipshow == 1) {
if ($valid['usr_ipshow'] == 1) {
array_push($getting, 'ip_address');
}
if ($this->checkLegit($uid)[0]->usr_canwarn == 1) {
if ($valid['usr_canwarn'] == 1) {
array_push($getting, 'strikes');
} */
}
return DB::table('users')
->join('usr_details', 'usr_details.user_id', '=', 'users.id')
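Review bot: `getUser($id, Request $request)` now takes `$request->username` and `$request->password` and re-runs the credential check through `$this->objAuth->getPermissions()` on every profile read, so a read endpoint (the route comment still says `/api/rpc/user/user/getuser/id/uid`) has to carry the caller's password with each call; the visibility decision should come from the already-authenticated identity (the `JWTAuth` facade is imported at the top of this file) rather than from raw credentials. What `getPermissions` returns when the credentials are missing or wrong is outside this diff, so the three checks should read their keys defensively, e.g. `if (!empty($valid['usr_emailshow']))`, `if (!empty($valid['usr_ipshow']))` and `if (!empty($valid['usr_canwarn']))`, instead of indexing into a possibly shorter array. The key `usr_emailshow` also differs from the `usr_showemail` used in the commented-out check just above it; one of the two spellings is presumably wrong, and the visible code does not show which. In the first hunk of this file, `$this->objAuth = new AuthController();` sits after the `} */` that closes the commented-out constructor; if it still executes inside `UserController`'s constructor, `AuthController::__construct` building `new UserController()` (in the other file of this commit) makes the two constructors recurse without bound. `getUser`'s body continues beyond the end of this hunk.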