From 21746f2f2d30c48c13f846221fe006e842477352 Mon Sep 17 00:00:00 2001
From: Bartek Fabiszewski
Date: Wed, 10 Jun 2020 12:04:47 +0200
Subject: [PATCH] Simplified methods for checking access rights

---
 helpers/auth.php | 41 +++++++++++++++++++++++++++++-----------
 utils/export.php | 3 +--
 utils/getpositions.php | 5 ++---
 utils/gettracks.php | 7 ++-----
 utils/handleposition.php | 5 ++---
 5 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/helpers/auth.php b/helpers/auth.php
index a4f2e4f..9908efa 100644
--- a/helpers/auth.php
+++ b/helpers/auth.php
@@ -118,20 +118,18 @@
 /**
 * Check valid pass for given login
 *
- * @param $login
- * @param $pass
+ * @param string $login
+ * @param string $pass
 * @return boolean True if valid
 */
 public function checkLogin($login, $pass) {
- if (!is_null($login) && !is_null($pass)) {
- if (!empty($login) && !empty($pass)) {
- $user = new uUser($login);
- if ($user->isValid && $user->validPassword($pass)) {
- $this->setAuthenticated($user);
- $this->sessionCleanup();
- $user->storeInSession();
- return true;
- }
+ if (!empty($login) && !empty($pass)) {
+ $user = new uUser($login);
+ if ($user->isValid && $user->validPassword($pass)) {
+ $this->setAuthenticated($user);
+ $this->sessionCleanup();
+ $user->storeInSession();
+ return true;
 }
 }
 return false;
@@ -179,4 +177,25 @@
 header("Location: $location");
 exit();
 }
+
+ /**
+ * Check session user has RW access to resource owned by given user
+ *
+ * @param int $ownerId
+ * @return bool True if has access
+ */
+ public function hasReadWriteAccess($ownerId) {
+ return $this->isAuthenticated() && ($this->isAdmin() || $this->user->id === $ownerId);
+ }
+
+ /**
+ * Check session user has RO access to resource owned by given user
+ *
+ * @param int $ownerId
+ * @return bool True if has access
+ */
+ public function hasReadAccess($ownerId) {
+ return $this->hasReadWriteAccess($ownerId) || uConfig::getInstance()->publicTracks;
+ }
+
 }
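Review bot: The new `if (!empty($login) && !empty($pass))` guard in checkLogin still rejects the literal string `"0"` as a login or a password, because `empty("0")` is true in PHP, so an account whose password is `0` can never authenticate. Dropping the `is_null` checks was fine (`empty(null)` is already true), but the remaining test should check for the empty string rather than falsiness, e.g. `if (is_string($login) && is_string($pass) && $login !== '' && $pass !== '') {`. The whole body of checkLogin is inside the hunk, so nothing else depends on this change.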
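Review bot: hasReadAccess grants access through `uConfig::getInstance()->publicTracks` to any caller, session or not, for any `$ownerId`, so its docblock "Check session user has RO access" under-describes it; add ` * When publicTracks is enabled, every owner's data is readable without a session.` to the docblock. In hasReadWriteAccess the owner test `$this->user->id === $ownerId` is type-sensitive: callers in this patch pass `uUtils::getInt(...)` results or `$position->userId`, and if `$this->user->id` were ever loaded from the DB as a string the owner would be silently denied while admins still pass — worth confirming both sides are ints, or normalising with `(int) $this->user->id === (int) $ownerId`. Note also that `isAdmin()` short-circuits before the owner comparison, so an admin passes even when `$ownerId` is null or 0; callers that rely on `$ownerId` being validated should not assume this method does it.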
diff --git a/utils/export.php b/utils/export.php
index 3c6a3b8..0a018d5 100644
--- a/utils/export.php
+++ b/utils/export.php
@@ -63,8 +63,7 @@
 $type = uUtils::getString('type', 'kml');
 $userId = uUtils::getInt('userid');
 $trackId = uUtils::getInt('trackid');
-if (!$config->publicTracks &&
- (!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $userId))) {
+if (!$auth->hasReadAccess($userId)) {
 // unauthorized
 exit();
 }
diff --git a/utils/getpositions.php b/utils/getpositions.php
index 5045efe..6edeb57 100644
--- a/utils/getpositions.php
+++ b/utils/getpositions.php
@@ -32,8 +32,7 @@
 $last = uUtils::getBool('last');
 $positionsArr = [];
 if ($userId) {
- if ($config->publicTracks ||
- ($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
+ if ($auth->hasReadAccess($userId)) {
 if ($trackId) {
 // get all track data
 $positionsArr = uPosition::getAll($userId, $trackId, $afterId);
@@ -46,7 +45,7 @@ if ($userId) {
 }
 }
 } else if ($last) {
- if ($config->publicTracks || ($auth->isAuthenticated() && ($auth->isAdmin()))) {
+ if ($config->publicTracks || ($auth->isAuthenticated() && $auth->isAdmin())) {
 $positionsArr = uPosition::getLastAllUsers();
 }
 }
diff --git a/utils/gettracks.php b/utils/gettracks.php
index 4a7e8e2..7e49dd0 100644
--- a/utils/gettracks.php
+++ b/utils/gettracks.php
@@ -27,11 +27,8 @@ $config = uConfig::getInstance();
 $userId = uUtils::getInt('userid');
 $tracksArr = [];
-if ($userId) {
- if ($config->publicTracks ||
- ($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
- $tracksArr = uTrack::getAll($userId);
- }
+if ($userId && $auth->hasReadAccess($userId)) {
+ $tracksArr = uTrack::getAll($userId);
 }
 $result = [];
diff --git a/utils/handleposition.php b/utils/handleposition.php
index 01c4f41..b82c051 100644
--- a/utils/handleposition.php
+++ b/utils/handleposition.php
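Review bot: In the export.php hunk, `hasReadAccess($userId)` only establishes that the caller may read `$userId`'s data; whether `$trackId` actually belongs to `$userId` is decided by code below the hunk, so if the export lookup later selects by `trackid` alone, an authenticated user could export another user's track by passing their own `userid` with a foreign `trackid`. Worth confirming that the query is keyed by both ids, or rejecting the request when the track's owner differs from `$userId` (the getpositions hunk has the same shape with `$trackId` and `$afterId`). The `// unauthorized` branch still exits with a 200 and an empty body; `http_response_code(403);` before `exit();` would let clients distinguish a denial from an empty export. The script continues past the hunk.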
@@ -36,9 +36,8 @@ if (empty($action) || empty($positionId)) {
 uUtils::exitWithError($lang["servererror"]);
 }
 $position = new uPosition($positionId);
-if (!$position->isValid ||
- (!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $position->userId))) {
- uUtils::exitWithError($lang["servererror"]);
+if (!$position->isValid || !$auth->hasReadWriteAccess($position->userId)) {
+ uUtils::exitWithError($lang["notauthorized"]);
 }
 $data = null;
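Review bot: `hasReadWriteAccess($position->userId)` ends up in a strict `===` against `$this->user->id` in auth.php, so if uPosition populates `userId` from a DB row as a string while the session user's id is an int, the owner will be silently denied and only admins will pass this check — worth confirming the property is cast to int in uPosition, or normalising it here with `(int) $position->userId`. Returning `notauthorized` for an invalid position id as well as for a foreign one is a good choice, since the response no longer reveals whether the id exists; a comment such as `// same error for missing and foreign positions: do not leak existence` would keep that intent from being "fixed" later. The script continues past the hunk, so the action-specific handling is not visible here.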