diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php index d48f853e3..f363beb09 100644 --- a/web/api/app/Controller/AppController.php +++ b/web/api/app/Controller/AppController.php @@ -60,30 +60,48 @@ class AppController extends Controller { // for role and deny API access in future // Also checking to do this only if ZM_OPT_USE_AUTH is on public function beforeFilter() { - $this->loadModel('Config'); - - $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_API')); - $config = $this->Config->find('first', $options); - $zmOptApi = $config['Config']['Value']; - - if ( $zmOptApi != '1' ) { + if ( ! ZM_OPT_USE_API ) { throw new UnauthorizedException(__('API Disabled')); return; - } - // We need to reject methods that are not authenticated - // besides login and logout - if ( - strcasecmp($this->params->action, 'login') - && - strcasecmp($this->params->action,"logout") - ) { - if ( !$this->Session->read('user.Username') ) { - throw new UnauthorizedException(__('Not Authenticated')); - return; - } else if ( !$this->Session->read('user.Enabled') ) { - throw new UnauthorizedException(__('User is not enabled')); - return; - } - } + } + + # For use throughout the app. If not logged in, this will be null. + global $user; + $user = $this->Session->read('user'); + + if ( ZM_OPT_USE_AUTH ) { + require_once '../../../includes/auth.php'; + + $mUser = $this->request->data('user'); + $mPassword = $this->request->data('pass'); + $mAuth = $this->request->data('auth'); + + if ( $mUser and $mPassword ) { + $user = userLogin($mUser, $mPassword); + if ( !$user ) { + throw new UnauthorizedException(__('User not found or incorrect password')); + return; + } + } else if ( $mAuth ) { + $user = getAuthUser($mAuth); + if ( !$user ) { + throw new UnauthorizedException(__('Invalid Auth Key')); + return; + } + } + + // We need to reject methods that are not authenticated + // besides login and logout + if ( strcasecmp($this->params->action, 'logout') ) { + if ( !( $user and $user['Username'] ) ) { + throw new UnauthorizedException(__('Not Authenticated')); + return; + } else if ( !( $user and $user['Enabled'] ) ) { + throw new UnauthorizedException(__('User is not enabled')); + return; + } + } # end if ! login or logout + } # end if ZM_OPT_AUTH + } # end function beforeFilter() } diff --git a/web/api/app/Controller/EventsController.php b/web/api/app/Controller/EventsController.php index 6b89d7c50..1d9456cc4 100644 --- a/web/api/app/Controller/EventsController.php +++ b/web/api/app/Controller/EventsController.php @@ -1,5 +1,6 @@ Session->Read('eventPermission'); - if ( $canView == 'None' ) { + global $user; + $canView = (!$user) || ($user['Events'] != 'None'); + if ( !$canView ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } @@ -32,15 +34,16 @@ class EventsController extends AppController { public function index() { $this->Event->recursive = -1; - $allowedMonitors = preg_split('@,@', $this->Session->Read('allowedMonitors'), NULL, PREG_SPLIT_NO_EMPTY); + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; - if ( !empty($allowedMonitors) ) { + if ( $allowedMonitors ) { $mon_options = array('Event.MonitorId' => $allowedMonitors); } else { $mon_options = ''; } - if ( $this->request->params['named'] ) { + if ( $this->request->params['named'] ) { //$this->FilterComponent = $this->Components->load('Filter'); //$conditions = $this->FilterComponent->buildFilter($this->request->params['named']); $conditions = $this->request->params['named']; @@ -85,13 +88,13 @@ class EventsController extends AppController { $events = $this->Paginator->paginate('Event'); // For each event, get the frameID which has the largest score - foreach ($events as $key => $value) { + foreach ( $events as $key => $value ) { $maxScoreFrameId = $this->getMaxScoreAlarmFrameId($value['Event']['Id']); $events[$key]['Event']['MaxScoreFrameId'] = $maxScoreFrameId; } $this->set(compact('events')); - } + } // end public function index() /** * view method @@ -108,9 +111,10 @@ class EventsController extends AppController { throw new NotFoundException(__('Invalid event')); } - $allowedMonitors = preg_split('@,@', $this->Session->Read('allowedMonitors'), NULL, PREG_SPLIT_NO_EMPTY); + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; - if ( !empty($allowedMonitors) ) { + if ( $allowedMonitors ) { $mon_options = array('Event.MonitorId' => $allowedMonitors); } else { $mon_options = ''; @@ -149,7 +153,9 @@ class EventsController extends AppController { */ public function add() { - if ( $this->Session->Read('eventPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Events'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -173,7 +179,9 @@ class EventsController extends AppController { */ public function edit($id = null) { - if ( $this->Session->Read('eventPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Events'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -204,7 +212,9 @@ class EventsController extends AppController { * @return void */ public function delete($id = null) { - if ( $this->Session->Read('eventPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Events'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -257,9 +267,9 @@ class EventsController extends AppController { $moreconditions = ''; foreach ($this->request->params['named'] as $name => $param) { $moreconditions = $moreconditions . ' AND '.$name.$param; - } + } - $query = $this->Event->query("select MonitorId, COUNT(*) AS Count from Events WHERE (StartTime >= (DATE_SUB(NOW(), interval $interval)) $moreconditions) GROUP BY MonitorId;"); + $query = $this->Event->query("SELECT MonitorId, COUNT(*) AS Count FROM Events WHERE (StartTime >= (DATE_SUB(NOW(), interval $interval)) $moreconditions) GROUP BY MonitorId;"); foreach ($query as $result) { $results[$result['Events']['MonitorId']] = $result[0]['Count']; @@ -336,7 +346,7 @@ class EventsController extends AppController { $thumbData['Width'] = (int)$thumbWidth; $thumbData['Height'] = (int)$thumbHeight; - return( $thumbData ); + return $thumbData; } public function archive($id = null) { diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php index 5b7c849fe..6dd9e5211 100644 --- a/web/api/app/Controller/HostController.php +++ b/web/api/app/Controller/HostController.php @@ -8,9 +8,9 @@ class HostController extends AppController { public function daemonCheck($daemon=false, $args=false) { $string = Configure::read('ZM_PATH_BIN').'/zmdc.pl check'; if ( $daemon ) { - $string .= " $daemon"; - if ( $args ) - $string .= " $args"; + $string .= " $daemon"; + if ( $args ) + $string .= " $args"; } $result = exec($string); $result = preg_match('/running/', $result); @@ -29,95 +29,9 @@ class HostController extends AppController { '_serialize' => array('load') )); } - - function login() { - $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_AUTH')); - $config = $this->Config->find('first', $options); - $zmOptAuth = $config['Config']['Value']; - - if ( $zmOptAuth == '1' ) { - - require_once "../../../includes/auth.php"; - global $user; - $user = $this->Session->read('user'); - - - - $mUser = $this->request->data('user'); - $mPassword = $this->request->data('pass'); - $mAuth = $this->request->data('auth'); - - - if ( $mUser and $mPassword) { - $user = userLogin($mUser, $mPassword); - if ( !$user ) { - throw new UnauthorizedException(__('User not found or incorrect password')); - return; - } - } - - elseif ( $mAuth ) { - $user = getAuthUser($mAuth); - if ( ! $user ) { - throw new UnauthorizedException(__('User not found or incorrect password')); - return; - } - } - else { - throw new UnauthorizedException(__('missing credentials')); - } - - if ( 0 and $user ) { - # We have to redo the session variables because cakephp's Session code will overwrite the normal php session - # Actually I'm not sure that is true. Getting indeterminate behaviour - Logger::Debug("user.Username: " . $this->Session->read('user.Username')); - if ( ! $this->Session->Write('user', $user) ) - $this->log("Error writing session var user"); - Logger::Debug("user.Username: " . $this->Session->read('user.Username')); - if ( ! $this->Session->Write('user.Username', $user['Username']) ) - $this->log("Error writing session var user.Username"); - if ( ! $this->Session->Write('password', $user['Password']) ) - $this->log("Error writing session var user.Username"); - if ( ! $this->Session->Write('user.Enabled', $user['Enabled']) ) - $this->log("Error writing session var user.Enabled"); - if ( ! $this->Session->Write('remoteAddr', $_SERVER['REMOTE_ADDR']) ) - $this->log("Error writing session var remoteAddr"); - } - - - - // I don't think this is really needed - the Username part - // Enabled check is ok - if ( !$user['Username'] ) { - throw new UnauthorizedException(__('Not Authenticated')); - return; - } else if ( !$user['Enabled'] ) { - throw new UnauthorizedException(__('User is not enabled')); - return; - } - - - $this->Session->Write('allowedMonitors',$user['MonitorIds']); - $this->Session->Write('streamPermission',$user['Stream']); - $this->Session->Write('eventPermission',$user['Events']); - $this->Session->Write('controlPermission',$user['Control']); - $this->Session->Write('systemPermission',$user['System']); - $this->Session->Write('monitorPermission',$user['Monitors']); - } else { - // if auth is not on, you can do everything - //$userMonitors = $this->User->find('first', $options); - $this->Session->Write('allowedMonitors',''); - $this->Session->Write('streamPermission','View'); - $this->Session->Write('eventPermission','Edit'); - $this->Session->Write('controlPermission','Edit'); - $this->Session->Write('systemPermission','Edit'); - $this->Session->Write('monitorPermission','Edit'); - } - - $cred = $this->_getCredentials(); $ver = $this->_getVersion(); $this->set(array( @@ -130,8 +44,7 @@ class HostController extends AppController { 'version', 'apiversion' ))); - - } + } // end function login() // clears out session function logout() { @@ -143,7 +56,7 @@ class HostController extends AppController { '_serialize' => array('result') )); - } + } // end function logout() private function _getCredentials() { $credentials = ''; @@ -167,8 +80,7 @@ class HostController extends AppController { } } return array($credentials, $appendPassword); - - } + } // end function _getCredentials function getCredentials() { // ignore debug warnings from other functions @@ -180,8 +92,6 @@ class HostController extends AppController { '_serialize' => array('credentials', 'append_password') ) ); } - - // If $mid is set, only return disk usage for that monitor // Else, return an array of total disk usage, and per-monitor diff --git a/web/api/app/Controller/MonitorsController.php b/web/api/app/Controller/MonitorsController.php index 05756ede0..5ce4bb476 100644 --- a/web/api/app/Controller/MonitorsController.php +++ b/web/api/app/Controller/MonitorsController.php @@ -21,8 +21,10 @@ class MonitorsController extends AppController { public function beforeFilter() { parent::beforeFilter(); - $canView = $this->Session->Read('monitorPermission'); - if ($canView == 'None') { + global $user; + # We already tested for auth in appController, so we just need to test for specific permission + $canView = (!$user) || ($user['Monitors'] != 'None'); + if ( !$canView ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } @@ -44,8 +46,9 @@ class MonitorsController extends AppController { $conditions = array(); } - $allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY); - if (!empty($allowedMonitors)) { + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; + if ( $allowedMonitors ) { $conditions['Monitor.Id' ] = $allowedMonitors; } $find_array = array('conditions'=>$conditions,'contain'=>array('Group')); @@ -88,8 +91,9 @@ class MonitorsController extends AppController { if ( !$this->Monitor->exists($id) ) { throw new NotFoundException(__('Invalid monitor')); } - $allowedMonitors=preg_split('@,@', $this->Session->Read('allowedMonitors'), NULL, PREG_SPLIT_NO_EMPTY); - if ( !empty($allowedMonitors) ) { + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; + if ( $allowedMonitors ) { $restricted = array('Monitor.' . $this->Monitor->primaryKey => $allowedMonitors); } else { $restricted = ''; @@ -115,7 +119,9 @@ class MonitorsController extends AppController { public function add() { if ( $this->request->is('post') ) { - if ( $this->Session->Read('systemPermission') != 'Edit' ) { + global $user; + $canAdd = (!$user) || ($user['System'] == 'Edit' ); + if ( !$canAdd ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -148,7 +154,9 @@ class MonitorsController extends AppController { if ( !$this->Monitor->exists($id) ) { throw new NotFoundException(__('Invalid monitor')); } - if ( $this->Session->Read('monitorPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Monitors'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -215,7 +223,7 @@ class MonitorsController extends AppController { } public function sourceTypes() { - $sourceTypes = $this->Monitor->query("describe Monitors Type;"); + $sourceTypes = $this->Monitor->query('describe Monitors Type;'); preg_match('/^enum\((.*)\)$/', $sourceTypes[0]['COLUMNS']['Type'], $matches); foreach( explode(',', $matches[1]) as $value ) { @@ -264,7 +272,6 @@ class MonitorsController extends AppController { $config = $this->Config->find('first', $options); $zmOptAuth = $config['Config']['Value']; - $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_AUTH_RELAY')); $config = $this->Config->find('first', $options); $zmAuthRelay = $config['Config']['Value']; @@ -315,7 +322,7 @@ class MonitorsController extends AppController { $monitor = Set::extract('/Monitor/.', $monitor); // Pass -d for local, otherwise -m - if ($monitor[0]['Type'] == 'Local') { + if ( $monitor[0]['Type'] == 'Local' ) { $args = '-d '. $monitor[0]['Device']; } else { $args = '-m '. $monitor[0]['Id']; @@ -324,7 +331,7 @@ class MonitorsController extends AppController { // Build the command, and execute it $zm_path_bin = Configure::read('ZM_PATH_BIN'); $command = escapeshellcmd("$zm_path_bin/zmdc.pl status $daemon $args"); - $status = exec( $command ); + $status = exec($command); // If 'not' is present, the daemon is not running, so return false // https://github.com/ZoneMinder/ZoneMinder/issues/799#issuecomment-108996075 @@ -360,9 +367,9 @@ class MonitorsController extends AppController { $zm_path_bin = Configure::read('ZM_PATH_BIN'); - foreach ($daemons as $daemon) { + foreach ( $daemons as $daemon ) { $args = ''; - if ( $daemon == 'zmc' and $monitor['Type'] == 'Local') { + if ( $daemon == 'zmc' and $monitor['Type'] == 'Local' ) { $args = '-d ' . $monitor['Device']; } else { $args = '-m ' . $id; @@ -372,5 +379,4 @@ class MonitorsController extends AppController { $status = exec( $shellcmd ); } } - } // end class MonitorsController diff --git a/web/api/app/Controller/ServersController.php b/web/api/app/Controller/ServersController.php index 88a5bec90..778ed2fa9 100644 --- a/web/api/app/Controller/ServersController.php +++ b/web/api/app/Controller/ServersController.php @@ -8,7 +8,6 @@ App::uses('AppController', 'Controller'); */ class ServersController extends AppController { - /** * Components * @@ -16,18 +15,15 @@ class ServersController extends AppController { */ public $components = array('Paginator', 'RequestHandler'); - -public function beforeFilter() { - parent::beforeFilter(); - $canView = $this->Session->Read('streamPermission'); - if ($canView =='None') { - throw new UnauthorizedException(__('Insufficient Privileges')); - return; + public function beforeFilter() { + parent::beforeFilter(); + $canView = (!$user) || ($user['system'] != 'None'); + if ( !$canView ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } } -} - - /** * index method * @@ -36,7 +32,7 @@ public function beforeFilter() { public function index() { $this->Server->recursive = 0; - $options=''; + $options = ''; $servers = $this->Server->find('all',$options); $this->set(array( 'servers' => $servers, @@ -76,16 +72,17 @@ public function beforeFilter() { * @return void */ public function add() { - if ($this->request->is('post')) { + if ( $this->request->is('post') ) { - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } $this->Server->create(); - if ($this->Server->save($this->request->data)) { + if ( $this->Server->save($this->request->data) ) { # Might be nice to send it a start request #$this->daemonControl($this->Server->id, 'start', $this->request->data); return $this->flash(__('The server has been saved.'), array('action' => 'index')); @@ -103,15 +100,17 @@ public function beforeFilter() { public function edit($id = null) { $this->Server->id = $id; - if (!$this->Server->exists($id)) { - throw new NotFoundException(__('Invalid server')); - } - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } - if ($this->Server->save($this->request->data)) { + + if ( !$this->Server->exists($id) ) { + throw new NotFoundException(__('Invalid server')); + } + if ( $this->Server->save($this->request->data) ) { $message = 'Saved'; } else { $message = 'Error'; @@ -133,20 +132,22 @@ public function beforeFilter() { * @return void */ public function delete($id = null) { - $this->Server->id = $id; - if (!$this->Server->exists()) { - throw new NotFoundException(__('Invalid server')); - } - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } + + $this->Server->id = $id; + if ( !$this->Server->exists() ) { + throw new NotFoundException(__('Invalid server')); + } $this->request->allowMethod('post', 'delete'); #$this->daemonControl($this->Server->id, 'stop'); - if ($this->Server->delete()) { + if ( $this->Server->delete() ) { return $this->flash(__('The server has been deleted.'), array('action' => 'index')); } else { return $this->flash(__('The server could not be deleted. Please, try again.'), array('action' => 'index')); diff --git a/web/api/app/Controller/StatesController.php b/web/api/app/Controller/StatesController.php index 051837b27..29201d2c1 100644 --- a/web/api/app/Controller/StatesController.php +++ b/web/api/app/Controller/StatesController.php @@ -12,30 +12,28 @@ class StatesController extends AppController { public $components = array('RequestHandler'); public function beforeFilter() { - parent::beforeFilter(); - $canView = $this->Session->Read('systemPermission'); - if ($canView =='None') - { - throw new UnauthorizedException(__('Insufficient Privileges')); - return; - } - + parent::beforeFilter(); + global $user; + $canView = (!$user) || ($user['System'] != 'None'); + if ( !$canView ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } } - /** * index method * * @return void */ - public function index() { - $this->State->recursive = 0; - $states = $this->State->find('all'); - $this->set(array( - 'states' => $states, - '_serialize' => array('states') - )); - } +public function index() { + $this->State->recursive = 0; + $states = $this->State->find('all'); + $this->set(array( + 'states' => $states, + '_serialize' => array('states') + )); +} /** * view method @@ -44,35 +42,35 @@ public function beforeFilter() { * @param string $id * @return void */ - public function view($id = null) { - if (!$this->State->exists($id)) { - throw new NotFoundException(__('Invalid state')); - } - $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); - $this->set('state', $this->State->find('first', $options)); - } +public function view($id = null) { + if ( !$this->State->exists($id) ) { + throw new NotFoundException(__('Invalid state')); + } + $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); + $this->set('state', $this->State->find('first', $options)); +} /** * add method * * @return void */ - public function add() { - - if ($this->request->is('post')) { +public function add() { - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } + if ($this->request->is('post')) { - $this->State->create(); - if ($this->State->save($this->request->data)) { - return $this->flash(__('The state has been saved.'), array('action' => 'index')); - } - } - } + if ($this->Session->Read('systemPermission') != 'Edit') + { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } + + $this->State->create(); + if ($this->State->save($this->request->data)) { + return $this->flash(__('The state has been saved.'), array('action' => 'index')); + } + } +} /** * edit method @@ -81,26 +79,27 @@ public function beforeFilter() { * @param string $id * @return void */ - public function edit($id = null) { - if (!$this->State->exists($id)) { - throw new NotFoundException(__('Invalid state')); - } +public function edit($id = null) { + if (!$this->State->exists($id)) { + throw new NotFoundException(__('Invalid state')); + } - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } - if ($this->request->is(array('post', 'put'))) { - if ($this->State->save($this->request->data)) { - return $this->flash(__('The state has been saved.'), array('action' => 'index')); - } - } else { - $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); - $this->request->data = $this->State->find('first', $options); - } - } + if ( $this->request->is(array('post', 'put')) ) { + if ( $this->State->save($this->request->data) ) { + return $this->flash(__('The state has been saved.'), array('action' => 'index')); + } + } else { + $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); + $this->request->data = $this->State->find('first', $options); + } +} /** * delete method @@ -109,48 +108,50 @@ public function beforeFilter() { * @param string $id * @return void */ - public function delete($id = null) { - $this->State->id = $id; - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } +public function delete($id = null) { + $this->State->id = $id; + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } - if (!$this->State->exists()) { - throw new NotFoundException(__('Invalid state')); - } - $this->request->allowMethod('post', 'delete'); - if ($this->State->delete()) { - return $this->flash(__('The state has been deleted.'), array('action' => 'index')); - } else { - return $this->flash(__('The state could not be deleted. Please, try again.'), array('action' => 'index')); - } - } + if (!$this->State->exists()) { + throw new NotFoundException(__('Invalid state')); + } + $this->request->allowMethod('post', 'delete'); + if ($this->State->delete()) { + return $this->flash(__('The state has been deleted.'), array('action' => 'index')); + } else { + return $this->flash(__('The state could not be deleted. Please, try again.'), array('action' => 'index')); + } +} - public function change() { - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } +public function change() { + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } - $newState = $this->request->params['pass'][0]; - $blah = $this->packageControl($newState); + $newState = $this->request->params['pass'][0]; + $blah = $this->packageControl($newState); - $this->set(array( - 'blah' => $blah, - '_serialize' => array('blah') - )); - } + $this->set(array( + 'blah' => $blah, + '_serialize' => array('blah') + )); +} - public function packageControl( $command ) { - $zm_path_bin = Configure::read('ZM_PATH_BIN'); - $string = $zm_path_bin.'/zmpkg.pl '.escapeshellarg( $command ); - $status = exec( $string ); +public function packageControl( $command ) { + $zm_path_bin = Configure::read('ZM_PATH_BIN'); + $string = $zm_path_bin.'/zmpkg.pl '.escapeshellarg( $command ); + $status = exec( $string ); - return $status; - } + return $status; +} } diff --git a/web/api/app/Controller/ZonesController.php b/web/api/app/Controller/ZonesController.php index 64cd7b144..74a87f353 100644 --- a/web/api/app/Controller/ZonesController.php +++ b/web/api/app/Controller/ZonesController.php @@ -16,8 +16,10 @@ class ZonesController extends AppController { public function beforeFilter() { parent::beforeFilter(); - $canView = $this->Session->Read('monitorPermission'); - if ( $canView =='None' ) { + + global $user; + $canView = (!$user) || $user['Monitors'] != 'None'; + if ( !$canView ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } @@ -38,12 +40,12 @@ class ZonesController extends AppController { '_serialize' => array('zones') )); } - public function index() { $this->Zone->recursive = -1; - $allowedMonitors = preg_split('@,@', $this->Session->Read('allowedMonitors'), NULL, PREG_SPLIT_NO_EMPTY); - if ( !empty($allowedMonitors) ) { + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'],NULL, PREG_SPLIT_NO_EMPTY) : null; + if ( $allowedMonitors ) { $mon_options = array('Zones.MonitorId' => $allowedMonitors); } else { $mon_options = ''; @@ -62,6 +64,14 @@ class ZonesController extends AppController { */ public function add() { if ( $this->request->is('post') ) { + + global $user; + $canEdit = (!$user) || $user['Monitors'] == 'Edit'; + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } + $this->Zone->create(); if ( $this->Zone->save($this->request->data) ) { return $this->flash(__('The zone has been saved.'), array('action' => 'index')); @@ -85,6 +95,12 @@ class ZonesController extends AppController { throw new NotFoundException(__('Invalid zone')); } if ( $this->request->is(array('post', 'put')) ) { + global $user; + $canEdit = (!$user) || $user['Monitors'] == 'Edit'; + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } if ( $this->Zone->save($this->request->data) ) { return $this->flash(__('The zone has been saved.'), array('action' => 'index')); } @@ -109,6 +125,12 @@ class ZonesController extends AppController { throw new NotFoundException(__('Invalid zone')); } $this->request->allowMethod('post', 'delete'); + global $user; + $canEdit = (!$user) || $user['Monitors'] == 'Edit'; + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } if ( $this->Zone->delete() ) { return $this->flash(__('The zone has been deleted.'), array('action' => 'index')); } else { @@ -144,4 +166,4 @@ class ZonesController extends AppController { '_serialize' => array('status') )); } -} +} // end class