Simplified methods for checking access rights

This commit is contained in:
Bartek Fabiszewski 2020-06-10 12:04:47 +02:00
parent 1f1d731e84
commit 21746f2f2d
5 changed files with 37 additions and 24 deletions

View File

@ -118,20 +118,18 @@
/** /**
* Check valid pass for given login * Check valid pass for given login
* *
* @param $login * @param string $login
* @param $pass * @param string $pass
* @return boolean True if valid * @return boolean True if valid
*/ */
public function checkLogin($login, $pass) { public function checkLogin($login, $pass) {
if (!is_null($login) && !is_null($pass)) { if (!empty($login) && !empty($pass)) {
if (!empty($login) && !empty($pass)) { $user = new uUser($login);
$user = new uUser($login); if ($user->isValid && $user->validPassword($pass)) {
if ($user->isValid && $user->validPassword($pass)) { $this->setAuthenticated($user);
$this->setAuthenticated($user); $this->sessionCleanup();
$this->sessionCleanup(); $user->storeInSession();
$user->storeInSession(); return true;
return true;
}
} }
} }
return false; return false;
@ -179,4 +177,25 @@
header("Location: $location"); header("Location: $location");
exit(); exit();
} }
/**
* Check session user has RW access to resource owned by given user
*
* @param int $ownerId
* @return bool True if has access
*/
public function hasReadWriteAccess($ownerId) {
return $this->isAuthenticated() && ($this->isAdmin() || $this->user->id === $ownerId);
}
/**
* Check session user has RO access to resource owned by given user
*
* @param int $ownerId
* @return bool True if has access
*/
public function hasReadAccess($ownerId) {
return $this->hasReadWriteAccess($ownerId) || uConfig::getInstance()->publicTracks;
}
} }

View File

@ -63,8 +63,7 @@ $type = uUtils::getString('type', 'kml');
$userId = uUtils::getInt('userid'); $userId = uUtils::getInt('userid');
$trackId = uUtils::getInt('trackid'); $trackId = uUtils::getInt('trackid');
if (!$config->publicTracks && if (!$auth->hasReadAccess($userId)) {
(!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $userId))) {
// unauthorized // unauthorized
exit(); exit();
} }

View File

@ -32,8 +32,7 @@ $last = uUtils::getBool('last');
$positionsArr = []; $positionsArr = [];
if ($userId) { if ($userId) {
if ($config->publicTracks || if ($auth->hasReadAccess($userId)) {
($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
if ($trackId) { if ($trackId) {
// get all track data // get all track data
$positionsArr = uPosition::getAll($userId, $trackId, $afterId); $positionsArr = uPosition::getAll($userId, $trackId, $afterId);
@ -46,7 +45,7 @@ if ($userId) {
} }
} }
} else if ($last) { } else if ($last) {
if ($config->publicTracks || ($auth->isAuthenticated() && ($auth->isAdmin()))) { if ($config->publicTracks || ($auth->isAuthenticated() && $auth->isAdmin())) {
$positionsArr = uPosition::getLastAllUsers(); $positionsArr = uPosition::getLastAllUsers();
} }
} }

View File

@ -27,11 +27,8 @@ $config = uConfig::getInstance();
$userId = uUtils::getInt('userid'); $userId = uUtils::getInt('userid');
$tracksArr = []; $tracksArr = [];
if ($userId) { if ($userId && $auth->hasReadAccess($userId)) {
if ($config->publicTracks || $tracksArr = uTrack::getAll($userId);
($auth->isAuthenticated() && ($auth->isAdmin() || $auth->user->id === $userId))) {
$tracksArr = uTrack::getAll($userId);
}
} }
$result = []; $result = [];

View File

@ -36,9 +36,8 @@ if (empty($action) || empty($positionId)) {
uUtils::exitWithError($lang["servererror"]); uUtils::exitWithError($lang["servererror"]);
} }
$position = new uPosition($positionId); $position = new uPosition($positionId);
if (!$position->isValid || if (!$position->isValid || !$auth->hasReadWriteAccess($position->userId)) {
(!$auth->isAuthenticated() || (!$auth->isAdmin() && $auth->user->id !== $position->userId))) { uUtils::exitWithError($lang["notauthorized"]);
uUtils::exitWithError($lang["servererror"]);
} }
$data = null; $data = null;