Merge branch 'master' of github.com:ZoneMinder/zoneminder

Isaac Connor 2019-05-24 13:56:30 -04:00
commit 1ddd5b1f74
4 changed files with 42 additions and 11 deletions


@ -79,7 +79,11 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}
,rsyslog | system-log-daemon
,zip
,libpcre3
<<<<<<< HEAD
,libssl | libssl1.0.0 | libssl1.1
=======
,libssl | libssl1.0.0
>>>>>>> 34400419e8384ab7c130b47d46fe90d2337ee5c2
,libcrypt-eksblowfish-perl
,libdata-entropy-perl
Recommends: ${misc:Recommends}
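Review bot: The three lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 34400419e8384ab7c130b47d46fe90d2337ee5c2` are unresolved merge-conflict markers committed into the Depends field of the control file, so the package will not build until they are removed. Both candidate lines are present; the HEAD side `,libssl | libssl1.0.0 | libssl1.1` is a superset of the other alternative, so it is presumably the intended resolution, leaving a single libssl line between `,libpcre3` and `,libcrypt-eksblowfish-perl`. Worth a grep for `<<<<<<<` across the tree before the next release tag.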


@ -68,6 +68,7 @@ class AppController extends Controller {
# For use throughout the app. If not logged in, this will be null.
global $user;
if ( ZM_OPT_USE_AUTH ) {
require_once __DIR__ .'/../../../includes/auth.php';
@ -94,7 +95,7 @@ class AppController extends Controller {
$only_allow_token_type='access';
}
$ret = validateToken($mToken, $only_allow_token_type);
$ret = validateToken($mToken, $only_allow_token_type, true);
$user = $ret[0];
$retstatus = $ret[1];
if ( !$user ) {
@ -102,7 +103,7 @@ class AppController extends Controller {
return;
}
} else if ( $mAuth ) {
$user = getAuthUser($mAuth);
$user = getAuthUser($mAuth, true);
if ( !$user ) {
throw new UnauthorizedException(__('Invalid Auth Key'));
return;
@ -120,6 +121,10 @@ class AppController extends Controller {
}
} # end if ! login or logout
} # end if ZM_OPT_AUTH
// make sure populated user object has APIs enabled
if ($user['APIEnabled'] == 0 ) {
throw new UnauthorizedException(__('API Disabled'));
return;
}
} # end function beforeFilter()
}
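Review bot: The new `if ($user['APIEnabled'] == 0 )` check runs after the `ZM_OPT_USE_AUTH` block has closed, and the comment at the top of the first hunk says `$user` is null when nobody is logged in; indexing null yields null and `null == 0` is true, so unless something else populates `$user`, every request with auth disabled would be rejected with 'API Disabled'. Guard on a populated user first, `if ( $user && $user['APIEnabled'] == 0 ) {`, or move the check inside the auth block where the validateToken/getAuthUser calls already pass `true` for the same purpose. The `return;` after the throw is unreachable. beforeFilter() starts outside the hunk.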


@ -129,7 +129,7 @@ class HostController extends AppController {
if ($mToken) {
// If we have a token, we need to derive username from there
$ret = validateToken($mToken, 'refresh');
$ret = validateToken($mToken, 'refresh', true);
$mUser = $ret[0]['Username'];
} else {
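Review bot: `$mUser = $ret[0]['Username'];` gains a new failure mode with the added `true` argument: validateToken now returns `array(false, 'API is disabled for user')` for a user whose API access is off, so `$ret[0]` is `false`, the offset read produces null, and the login continues with an empty username instead of failing. Check the result before using it, e.g. `if ( !$ret[0] ) { throw new UnauthorizedException(__($ret[1])); }`, assuming the same exception class AppController uses is in scope here. The enclosing method starts and ends outside the hunk.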


@ -44,7 +44,7 @@ function migrateHash($user, $pass) {
}
// core function used to login a user to PHP. Is also used for cake sessions for the API
function userLogin($username='', $password='', $passwordHashed=false, $apiLogin = false) {
function userLogin($username='', $password='', $passwordHashed=false, $from_api_layer = false) {
global $user;
@ -56,7 +56,7 @@ function userLogin($username='', $password='', $passwordHashed=false, $apiLogin
// if true, a popup will display after login
// lets validate reCaptcha if it exists
// this only applies if it userLogin was not called from API layer
if ( !$apiLogin
if ( !$from_api_layer
&& defined('ZM_OPT_USE_GOOG_RECAPTCHA')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SECRETKEY')
&& defined('ZM_OPT_GOOG_RECAPTCHA_SITEKEY')
@ -109,7 +109,7 @@ function userLogin($username='', $password='', $passwordHashed=false, $apiLogin
// if the API layer asked us to login, make sure the user
// has API enabled (admin may have banned API for this user)
if ( $apiLogin ) {
if ( $from_api_layer ) {
if ( $saved_user_details['APIEnabled'] != 1 ) {
ZM\Error("API disabled for: $username");
$_SESSION['loginFailed'] = true;
@ -199,7 +199,7 @@ function userLogout() {
}
function validateToken ($token, $allowed_token_type='access') {
function validateToken ($token, $allowed_token_type='access', $from_api_layer=false) {
global $user;
$key = ZM_AUTH_HASH_SECRET;
@ -232,6 +232,16 @@ function validateToken ($token, $allowed_token_type='access') {
if ( $saved_user_details ) {
if ($from_api_layer && $saved_user_details['APIEnabled'] == 0) {
// if from_api_layer is true, an additional check will be done
// to make sure APIs are enabled for this user. This is a good place
// to do it, since we are doing a DB dip here.
ZM\Error ("API is disabled for \"$username\"");
unset($user);
return array(false, 'API is disabled for user');
}
$issuedAt = $jwt_payload['iat'];
$minIssuedAt = $saved_user_details['TokenMinExpiry'];
@ -252,7 +262,7 @@ function validateToken ($token, $allowed_token_type='access') {
}
} // end function validateToken($token, $allowed_token_type='access')
function getAuthUser($auth) {
function getAuthUser($auth, $from_api_layer = false) {
if ( ZM_OPT_USE_AUTH && ZM_AUTH_RELAY == 'hashed' && !empty($auth) ) {
$remoteAddr = '';
if ( ZM_AUTH_HASH_IPS ) {
@ -273,7 +283,8 @@ function getAuthUser($auth) {
$sql = 'SELECT * FROM Users WHERE Enabled = 1';
}
foreach ( dbFetchAll($sql, NULL, $values) as $user ) {
foreach ( dbFetchAll($sql, NULL, $values) as $user )
{
$now = time();
for ( $i = 0; $i < ZM_AUTH_HASH_TTL; $i++, $now -= ZM_AUTH_HASH_TTL * 1800 ) { // Try for last two hours
$time = localtime($now);
@ -281,7 +292,18 @@ function getAuthUser($auth) {
$authHash = md5($authKey);
if ( $auth == $authHash ) {
return $user;
if ($from_api_layer && $user['APIEnabled'] == 0) {
// if from_api_layer is true, an additional check will be done
// to make sure APIs are enabled for this user. This is a good place
// to do it, since we are doing a DB dip here.
ZM\Error ("API is disabled for \"".$user['Username']."\"");
unset($user);
return array(false, 'API is disabled for user');
}
else {
return $user;
}
}
} // end foreach hour
} // end foreach user
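Review bot: In getAuthUser the new `return array(false, 'API is disabled for user');` breaks the function's contract: the matching branch returns the user row, callers such as AppController test the result with `if ( !$user )`, and a two-element array is truthy, so an API-disabled user passes that check with `[false, '…']` standing in for the row. Return the same falsy value the no-match path uses (`return false;` after the ZM\Error call, which already records the reason) or document the tuple shape and update every caller; the tuple form is only correct for validateToken, whose callers already unpack `$ret[0]`/`$ret[1]`. In validateToken, `unset($user);` after `global $user;` only removes the local alias and leaves the global untouched — `$user = null;` is what actually clears it. The `\"$username\"` in that log line relies on `$username` being assigned earlier in validateToken, outside the hunk; confirm it is. getAuthUser's loop and function body continue past the end of the hunk.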