Merge pull request #1196 from pliablepixels/api-more-security
Api more security
This commit is contained in:
commit
37212dcf2e
|
@ -357,7 +357,23 @@ our @options =
|
|||
type => $types{boolean},
|
||||
category => "system",
|
||||
},
|
||||
# PP - Google reCaptcha settings
|
||||
{
|
||||
name => "ZM_OPT_USE_API",
|
||||
default => "yes",
|
||||
description => "Enable ZoneMinder APIs",
|
||||
help => qqq("
|
||||
ZoneMinder now features a new API using which 3rd party
|
||||
applications can interact with ZoneMinder data. It is
|
||||
STRONGLY recommended that you enable authentication along
|
||||
with APIs. Note that the APIs return sensitive data like
|
||||
Monitor access details which are configured as JSON objects.
|
||||
Which is why we recommend you enabling authentication, especially
|
||||
if you are exposing your ZM instance on the Internet.
|
||||
"),
|
||||
type => $types{boolean},
|
||||
category => "system",
|
||||
},
|
||||
# PP - Google reCaptcha settings
|
||||
{
|
||||
name => "ZM_OPT_USE_GOOG_RECAPTCHA",
|
||||
default => "no",
|
||||
|
@ -411,6 +427,7 @@ our @options =
|
|||
category => "system",
|
||||
},
|
||||
|
||||
|
||||
{
|
||||
name => "ZM_DIR_EVENTS",
|
||||
default => "events",
|
||||
|
|
|
@ -34,7 +34,7 @@ class AppController extends Controller {
|
|||
use CrudControllerTrait;
|
||||
|
||||
public $components = [
|
||||
'Session', // PP - We are going to use SessionHelper to check PHP session vars
|
||||
'Session', // We are going to use SessionHelper to check PHP session vars
|
||||
'RequestHandler',
|
||||
'Crud.Crud' => [
|
||||
'actions' => [
|
||||
|
@ -49,7 +49,7 @@ class AppController extends Controller {
|
|||
]
|
||||
];
|
||||
|
||||
//PP - Global beforeFilter function
|
||||
// Global beforeFilter function
|
||||
//Zoneminder sets the username session variable
|
||||
// to the logged in user. If this variable is set
|
||||
// then you are logged in
|
||||
|
@ -58,14 +58,62 @@ class AppController extends Controller {
|
|||
// Also checking to do this only if ZM_OPT_USE_AUTH is on
|
||||
public function beforeFilter() {
|
||||
$this->loadModel('Config');
|
||||
|
||||
$options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_API'));
|
||||
$config = $this->Config->find('first', $options);
|
||||
$zmOptApi = $config['Config']['Value'];
|
||||
|
||||
if ($zmOptApi !='1')
|
||||
{
|
||||
throw new UnauthorizedException(__('API Disabled'));
|
||||
return;
|
||||
}
|
||||
|
||||
$options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_AUTH'));
|
||||
$config = $this->Config->find('first', $options);
|
||||
$zmOptAuth = $config['Config']['Value'];
|
||||
if (!$this->Session->Read('user.Username') && ($zmOptAuth=='1'))
|
||||
{
|
||||
throw new NotFoundException(__('Not Authenticated'));
|
||||
throw new UnauthorizedException(__('Not Authenticated'));
|
||||
return;
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->loadModel('User');
|
||||
$loggedinUser = $this->Session->Read('user.Username');
|
||||
$isEnabled = $this->Session->Read('user.Enabled');
|
||||
// this will likely never happen as if its
|
||||
// not enabled, login will fail and Not Auth will be returned
|
||||
// however, keeping this here for now
|
||||
if ($isEnabled != "1" && $zmOptAuth=="1")
|
||||
{
|
||||
throw new UnauthorizedException(__('User is not enabled'));
|
||||
return;
|
||||
}
|
||||
|
||||
if ($zmOptAuth=='1')
|
||||
{
|
||||
$options = array ('conditions' => array ('User.Username' => $loggedinUser));
|
||||
$userMonitors = $this->User->find('first', $options);
|
||||
$this->Session->Write('allowedMonitors',$userMonitors['User']['MonitorIds']);
|
||||
$this->Session->Write('streamPermission',$userMonitors['User']['Stream']);
|
||||
$this->Session->Write('eventPermission',$userMonitors['User']['Events']);
|
||||
$this->Session->Write('controlPermission',$userMonitors['User']['Control']);
|
||||
$this->Session->Write('systemPermission',$userMonitors['User']['System']);
|
||||
$this->Session->Write('monitorPermission',$userMonitors['User']['Monitors']);
|
||||
}
|
||||
else // if auth is not on, you can do everything
|
||||
{
|
||||
//$userMonitors = $this->User->find('first', $options);
|
||||
$this->Session->Write('allowedMonitors','');
|
||||
$this->Session->Write('streamPermission','View');
|
||||
$this->Session->Write('eventPermission','Edit');
|
||||
$this->Session->Write('controlPermission','Edit');
|
||||
$this->Session->Write('systemPermission','Edit');
|
||||
$this->Session->Write('monitorPermission','Edit');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -48,7 +48,7 @@ class ImageComponent extends Component {
|
|||
$imageFile = $config['ZM_DIR_EVENTS']."/".$imagePath;
|
||||
//$thumbFile = ZM_DIR_EVENTS."/".$thumbPath;
|
||||
$thumbFile = $thumbPath;
|
||||
// PP: This segment of code results in errors when trying to get Events API
|
||||
// This segment of code results in errors when trying to get Events API
|
||||
// This actually seems to be generating images for the angular UI web view
|
||||
// and should not be a part of the API anyway
|
||||
// I've commented it so events APIs continue to work
|
||||
|
|
|
@ -15,7 +15,7 @@ class ConfigsController extends AppController {
|
|||
public $components = array('RequestHandler');
|
||||
|
||||
/**
|
||||
* PP - resolves the issue of not returning all config parameters
|
||||
* resolves the issue of not returning all config parameters
|
||||
* refer https://github.com/ZoneMinder/ZoneMinder/issues/953
|
||||
* index method
|
||||
*
|
||||
|
|
|
@ -14,6 +14,17 @@ class EventsController extends AppController {
|
|||
*/
|
||||
public $components = array('RequestHandler', 'Scaler', 'Image', 'Paginator');
|
||||
|
||||
public function beforeFilter() {
|
||||
parent::beforeFilter();
|
||||
$canView = $this->Session->Read('eventPermission');
|
||||
if ($canView =='None')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* index method
|
||||
*
|
||||
|
@ -23,6 +34,18 @@ class EventsController extends AppController {
|
|||
public function index() {
|
||||
$this->Event->recursive = -1;
|
||||
|
||||
$allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY);
|
||||
|
||||
if (!empty($allowedMonitors))
|
||||
{
|
||||
$mon_options = array('Event.MonitorId' => $allowedMonitors);
|
||||
}
|
||||
else
|
||||
{
|
||||
$mon_options='';
|
||||
}
|
||||
|
||||
|
||||
if ($this->request->params['named']) {
|
||||
$this->FilterComponent = $this->Components->load('Filter');
|
||||
$conditions = $this->FilterComponent->buildFilter($this->request->params['named']);
|
||||
|
@ -39,7 +62,7 @@ class EventsController extends AppController {
|
|||
$this->Paginator->settings = array(
|
||||
// https://github.com/ZoneMinder/ZoneMinder/issues/995
|
||||
// 'limit' => $limit['ZM_WEB_EVENTS_PER_PAGE'],
|
||||
// PP - 25 events per page which is what the above
|
||||
// 25 events per page which is what the above
|
||||
// default is, is way too low for an API
|
||||
// changing this to 100 so we don't kill ZM
|
||||
// with many event APIs. In future, we can
|
||||
|
@ -49,14 +72,14 @@ class EventsController extends AppController {
|
|||
'limit' => '100',
|
||||
'order' => array('StartTime', 'MaxScore'),
|
||||
'paramType' => 'querystring',
|
||||
'conditions' => $conditions
|
||||
'conditions' => array (array($conditions, $mon_options))
|
||||
);
|
||||
$events = $this->Paginator->paginate('Event');
|
||||
|
||||
// For each event, get its thumbnail data (path, width, height)
|
||||
foreach ($events as $key => $value) {
|
||||
// PP - $thumbData = $this->createThumbnail($value['Event']['Id']);
|
||||
$thumbData ="";
|
||||
//$thumbData = $this->createThumbnail($value['Event']['Id']);
|
||||
$thumbData = "";
|
||||
$events[$key]['thumbData'] = $thumbData;
|
||||
|
||||
}
|
||||
|
@ -71,41 +94,55 @@ class EventsController extends AppController {
|
|||
* @param string $id
|
||||
* @return void
|
||||
*/
|
||||
public function view($id = null) {
|
||||
$this->loadModel('Config');
|
||||
$configs = $this->Config->find('list', array(
|
||||
'fields' => array('Name', 'Value'),
|
||||
'conditions' => array('Name' => array('ZM_DIR_EVENTS'))
|
||||
));
|
||||
public function view($id = null)
|
||||
{
|
||||
$this->loadModel('Config');
|
||||
$configs = $this->Config->find('list', array(
|
||||
'fields' => array('Name', 'Value'),
|
||||
'conditions' => array('Name' => array('ZM_DIR_EVENTS'))
|
||||
));
|
||||
|
||||
$this->Event->recursive = 1;
|
||||
if (!$this->Event->exists($id)) {
|
||||
throw new NotFoundException(__('Invalid event'));
|
||||
}
|
||||
$options = array('conditions' => array('Event.' . $this->Event->primaryKey => $id));
|
||||
$event = $this->Event->find('first', $options);
|
||||
$this->Event->recursive = 1;
|
||||
if (!$this->Event->exists($id)) {
|
||||
throw new NotFoundException(__('Invalid event'));
|
||||
}
|
||||
|
||||
$path = $configs['ZM_DIR_EVENTS'].'/'.$this->Image->getEventPath($event).'/';
|
||||
$event['Event']['BasePath'] = $path;
|
||||
$allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY);
|
||||
|
||||
# Get the previous and next events for any monitor
|
||||
$this->Event->id = $id;
|
||||
if (!empty($allowedMonitors))
|
||||
{
|
||||
$mon_options = array('Event.MonitorId' => $allowedMonitors);
|
||||
}
|
||||
else
|
||||
{
|
||||
$mon_options='';
|
||||
}
|
||||
|
||||
$options = array('conditions' => array(array('Event.' . $this->Event->primaryKey => $id), $mon_options));
|
||||
$event = $this->Event->find('first', $options);
|
||||
|
||||
$path = $configs['ZM_DIR_EVENTS'].'/'.$this->Image->getEventPath($event).'/';
|
||||
$event['Event']['BasePath'] = $path;
|
||||
|
||||
# Get the previous and next events for any monitor
|
||||
$this->Event->id = $id;
|
||||
$event_neighbors = $this->Event->find('neighbors');
|
||||
$event['Event']['Next'] = $event_neighbors['next']['Event']['Id'];
|
||||
$event['Event']['Next'] = $event_neighbors['next']['Event']['Id'];
|
||||
$event['Event']['Prev'] = $event_neighbors['prev']['Event']['Id'];
|
||||
|
||||
# Also get the previous and next events for the same monitor
|
||||
$event_monitor_neighbors = $this->Event->find('neighbors', array(
|
||||
# Also get the previous and next events for the same monitor
|
||||
$event_monitor_neighbors = $this->Event->find('neighbors', array(
|
||||
'conditions'=>array('Event.MonitorId'=>$event['Event']['MonitorId'])
|
||||
));
|
||||
$event['Event']['NextOfMonitor'] = $event_monitor_neighbors['next']['Event']['Id'];
|
||||
$event['Event']['PrevOfMonitor'] = $event_monitor_neighbors['prev']['Event']['Id'];
|
||||
));
|
||||
$event['Event']['NextOfMonitor'] = $event_monitor_neighbors['next']['Event']['Id'];
|
||||
$event['Event']['PrevOfMonitor'] = $event_monitor_neighbors['prev']['Event']['Id'];
|
||||
|
||||
$this->set(array(
|
||||
'event' => $event,
|
||||
'_serialize' => array('event')
|
||||
));
|
||||
}
|
||||
|
||||
$this->set(array(
|
||||
'event' => $event,
|
||||
'_serialize' => array('event')
|
||||
));
|
||||
}
|
||||
|
||||
/**
|
||||
* add method
|
||||
|
@ -113,6 +150,13 @@ class EventsController extends AppController {
|
|||
* @return void
|
||||
*/
|
||||
public function add() {
|
||||
|
||||
if ($this->Session->Read('eventPermission') != 'Edit')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
if ($this->request->is('post')) {
|
||||
$this->Event->create();
|
||||
if ($this->Event->save($this->request->data)) {
|
||||
|
@ -131,6 +175,13 @@ class EventsController extends AppController {
|
|||
* @return void
|
||||
*/
|
||||
public function edit($id = null) {
|
||||
|
||||
if ($this->Session->Read('eventPermission') != 'Edit')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
$this->Event->id = $id;
|
||||
|
||||
if (!$this->Event->exists($id)) {
|
||||
|
@ -157,15 +208,19 @@ class EventsController extends AppController {
|
|||
* @return void
|
||||
*/
|
||||
public function delete($id = null) {
|
||||
if ($this->Session->Read('eventPermission') != 'Edit')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient privileges'));
|
||||
return;
|
||||
}
|
||||
$this->Event->id = $id;
|
||||
if (!$this->Event->exists()) {
|
||||
throw new NotFoundException(__('Invalid event'));
|
||||
}
|
||||
$this->request->allowMethod('post', 'delete');
|
||||
if ($this->Event->delete()) {
|
||||
// PP - lets make sure the frame table entry is removed too
|
||||
$this->loadModel('Frame');
|
||||
$this->Frame->delete();
|
||||
//$this->loadModel('Frame');
|
||||
//$this->Event->Frame->delete();
|
||||
return $this->flash(__('The event has been deleted.'), array('action' => 'index'));
|
||||
} else {
|
||||
return $this->flash(__('The event could not be deleted. Please, try again.'), array('action' => 'index'));
|
||||
|
|
|
@ -101,7 +101,10 @@ class HostController extends AppController {
|
|||
|
||||
function getVersion() {
|
||||
$version = Configure::read('ZM_VERSION');
|
||||
$apiversion = Configure::read('ZM_API_VERSION');
|
||||
// not going to use the ZM_API_VERSION
|
||||
// requires recompilation and dependency on ZM upgrade
|
||||
//$apiversion = Configure::read('ZM_API_VERSION');
|
||||
$apiversion = '1.0';
|
||||
|
||||
$this->set(array(
|
||||
'version' => $version,
|
||||
|
|
|
@ -16,6 +16,19 @@ class MonitorsController extends AppController {
|
|||
*/
|
||||
public $components = array('Paginator', 'RequestHandler');
|
||||
|
||||
|
||||
public function beforeFilter() {
|
||||
parent::beforeFilter();
|
||||
$canView = $this->Session->Read('monitorPermission');
|
||||
if ($canView =='None')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* index method
|
||||
*
|
||||
|
@ -23,7 +36,17 @@ class MonitorsController extends AppController {
|
|||
*/
|
||||
public function index() {
|
||||
$this->Monitor->recursive = 0;
|
||||
$monitors = $this->Monitor->find('all');
|
||||
$allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY);
|
||||
|
||||
if (!empty($allowedMonitors))
|
||||
{
|
||||
$options = array('conditions'=>array('Monitor.Id'=> $allowedMonitors));
|
||||
}
|
||||
else
|
||||
{
|
||||
$options='';
|
||||
}
|
||||
$monitors = $this->Monitor->find('all',$options);
|
||||
$this->set(array(
|
||||
'monitors' => $monitors,
|
||||
'_serialize' => array('monitors')
|
||||
|
@ -42,7 +65,21 @@ class MonitorsController extends AppController {
|
|||
if (!$this->Monitor->exists($id)) {
|
||||
throw new NotFoundException(__('Invalid monitor'));
|
||||
}
|
||||
$options = array('conditions' => array('Monitor.' . $this->Monitor->primaryKey => $id));
|
||||
$allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY);
|
||||
if (!empty($allowedMonitors))
|
||||
{
|
||||
$restricted = array('Monitor.' . $this->Monitor->primaryKey => $allowedMonitors);
|
||||
}
|
||||
else
|
||||
{
|
||||
$restricted = '';
|
||||
}
|
||||
|
||||
$options = array('conditions' => array(
|
||||
array('Monitor.' . $this->Monitor->primaryKey => $id),
|
||||
$restricted
|
||||
)
|
||||
);
|
||||
$monitor = $this->Monitor->find('first', $options);
|
||||
$this->set(array(
|
||||
'monitor' => $monitor,
|
||||
|
@ -57,6 +94,13 @@ class MonitorsController extends AppController {
|
|||
*/
|
||||
public function add() {
|
||||
if ($this->request->is('post')) {
|
||||
|
||||
if ($this->Session->Read('systemPermission') != 'Edit')
|
||||
{
|
||||
throw new UnauthotizedException(__('Insufficient privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
$this->Monitor->create();
|
||||
if ($this->Monitor->save($this->request->data)) {
|
||||
$this->daemonControl($this->Monitor->id, 'start', $this->request->data);
|
||||
|
@ -78,7 +122,11 @@ class MonitorsController extends AppController {
|
|||
if (!$this->Monitor->exists($id)) {
|
||||
throw new NotFoundException(__('Invalid monitor'));
|
||||
}
|
||||
|
||||
if ($this->Session->Read('systemPermission') != 'Edit')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient privileges'));
|
||||
return;
|
||||
}
|
||||
if ($this->Monitor->save($this->request->data)) {
|
||||
$message = 'Saved';
|
||||
} else {
|
||||
|
@ -89,9 +137,8 @@ class MonitorsController extends AppController {
|
|||
'message' => $message,
|
||||
'_serialize' => array('message')
|
||||
));
|
||||
// PP - restart this monitor after change
|
||||
$this->daemonControl($this->Monitor->id, 'restart', $this->request->data);
|
||||
|
||||
// - restart this monitor after change
|
||||
$this->daemonControl($this->Monitor->id, 'restart', $this->request->data);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -106,6 +153,11 @@ class MonitorsController extends AppController {
|
|||
if (!$this->Monitor->exists()) {
|
||||
throw new NotFoundException(__('Invalid monitor'));
|
||||
}
|
||||
if ($this->Session->Read('systemPermission') != 'Edit')
|
||||
{
|
||||
throw new UnauthorizedException(__('Insufficient privileges'));
|
||||
return;
|
||||
}
|
||||
$this->request->allowMethod('post', 'delete');
|
||||
|
||||
$this->daemonControl($this->Monitor->id, 'stop');
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
<?php
|
||||
App::uses('AppModel', 'Model');
|
||||
|
||||
/**
|
||||
* User Model
|
||||
*
|
||||
*/
|
||||
class User extends AppModel {
|
||||
|
||||
/**
|
||||
* Use table
|
||||
*
|
||||
* @var mixed False or table name
|
||||
*/
|
||||
public $useTable = 'Users';
|
||||
|
||||
/**
|
||||
* Primary key field
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
public $primaryKey = 'Id';
|
||||
|
||||
/**
|
||||
* Display field
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
public $displayField = 'Name';
|
||||
|
||||
}
|
Loading…
Reference in New Issue