Simplified methods for checking access rights

helpers/auth.php

@@ -118,12 +118,11 @@
     /**
      * Check valid pass for given login
      *
-     * @param $login
+     * @param string $login
-     * @param $pass
+     * @param string $pass
      * @return boolean True if valid
      */
     public function checkLogin($login, $pass) {
-      if (!is_null($login) && !is_null($pass)) {
       if (!empty($login) && !empty($pass)) {
         $user = new uUser($login);
         if ($user->isValid && $user->validPassword($pass)) {
@@ -133,7 +132,6 @@
           return true;
         }
       }
-      }
       return false;
     }
 
@@ -179,4 +177,25 @@
       header("Location: $location");
       exit();
     }
+
+    /**
+     * Check session user has RW access to resource owned by given user
+     *
+     * @param int $ownerId
+     * @return bool True if has access
+     */
+    public function hasReadWriteAccess($ownerId) {
+      return $this->isAuthenticated() && ($this->isAdmin() || $this->user->id === $ownerId);
+    }
+
+    /**
+     * Check session user has RO access to resource owned by given user
+     *
+     * @param int $ownerId
+     * @return bool True if has access
+     */
+    public function hasReadAccess($ownerId) {
+      return $this->hasReadWriteAccess($ownerId) || uConfig::getInstance()->publicTracks;
+    }
+
   }

utils/export.php

@@ -63,8 +63,7 @@ $type = uUtils::getString('type', 'kml');
 $userId = uUtils::getInt('userid');
 $trackId = uUtils::getInt('trackid');
 
-if (!$config->publicTracks &&
+if (!$auth->hasReadAccess($userId)) {
-    (!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $userId))) {
   // unauthorized
   exit();
 }

utils/getpositions.php

@@ -32,8 +32,7 @@ $last = uUtils::getBool('last');
 
 $positionsArr = [];
 if ($userId) {
-  if ($config->publicTracks ||
+  if ($auth->hasReadAccess($userId)) {
-      ($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
     if ($trackId) {
       // get all track data
       $positionsArr = uPosition::getAll($userId, $trackId, $afterId);
@@ -46,7 +45,7 @@ if ($userId) {
     }
   }
 } else if ($last) {
-  if ($config->publicTracks || ($auth->isAuthenticated() && ($auth->isAdmin()))) {
+  if ($config->publicTracks || ($auth->isAuthenticated() && $auth->isAdmin())) {
     $positionsArr = uPosition::getLastAllUsers();
   }
 }

utils/gettracks.php

@@ -27,12 +27,9 @@ $config = uConfig::getInstance();
 $userId = uUtils::getInt('userid');
 
 $tracksArr = [];
-if ($userId) {
+if ($userId && $auth->hasReadAccess($userId)) {
-  if ($config->publicTracks ||
-      ($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
   $tracksArr = uTrack::getAll($userId);
 }
-}
 
 $result = [];
 if ($tracksArr === false) {

utils/handleposition.php

@@ -36,9 +36,8 @@ if (empty($action) || empty($positionId)) {
   uUtils::exitWithError($lang["servererror"]);
 }
 $position = new uPosition($positionId);
-if (!$position->isValid ||
+if (!$position->isValid || !$auth->hasReadWriteAccess($position->userId)) {
-  (!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $position->userId))) {
+  uUtils::exitWithError($lang["notauthorized"]);
-  uUtils::exitWithError($lang["servererror"]);
 }
 
 $data = null;