From 8c35d4d1b0e57c68c553b18fc6521afb62b4da46 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 10:32:37 -0400 Subject: [PATCH 01/13] Populate a global from the session on every request. Use the object instead of using allowedMonitors in session. --- web/api/app/Controller/AppController.php | 30 ++++++------- web/api/app/Controller/HostController.php | 42 ++++++------------- web/api/app/Controller/MonitorsController.php | 3 +- 3 files changed, 31 insertions(+), 44 deletions(-) diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php index d83ce0825..f4447a47c 100644 --- a/web/api/app/Controller/AppController.php +++ b/web/api/app/Controller/AppController.php 
@@ -66,23 +66,25 @@ class AppController extends Controller { $config = $this->Config->find('first', $options); $zmOptApi = $config['Config']['Value']; - if ($zmOptApi !='1') { + if ( $zmOptApi != '1' ) { throw new UnauthorizedException(__('API Disabled')); return; + } else { + global $user; + $user = $this->Session->read('user'); } - // We need to reject methods that are not authenticated - // besides login and logout - if ( strcasecmp($this->params->action, "login") && - strcasecmp($this->params->action,"logout")) { - if (!$this->Session->read('user.Username')) { - throw new UnauthorizedException(__('Not Authenticated')); - return; - } else if (!$this->Session->read('user.Enabled')) { - throw new UnauthorizedException(__('User is not enabled')); - return; - } - - } + // We need to reject methods that are not authenticated + // besides login and logout + if ( strcasecmp($this->params->action, 'login') && + strcasecmp($this->params->action, 'logout')) { + if ( !$this->Session->read('user.Username') ) { + throw new UnauthorizedException(__('Not Authenticated')); + return; + } else if ( !$this->Session->read('user.Enabled') ) { + throw new UnauthorizedException(__('User is not enabled')); + return; + } + } # end if ! login or logout } # end function beforeFilter() } diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php index 5b7c849fe..54ced3ec7 100644 --- a/web/api/app/Controller/HostController.php +++ b/web/api/app/Controller/HostController.php @@ -8,9 +8,9 @@ class HostController extends AppController { public function daemonCheck($daemon=false, $args=false) { $string = Configure::read('ZM_PATH_BIN').'/zmdc.pl check'; if ( $daemon ) { - $string .= " $daemon"; - if ( $args ) - $string .= " $args"; + $string .= " $daemon"; + if ( $args ) + $string .= " $args"; } $result = exec($string); $result = preg_match('/running/', $result); 
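Review bot: In the daemonCheck() hunk, `$daemon` and `$args` are appended to the zmdc.pl command string with no validation or escaping before `exec($string)`, and the hunk only re-indents those lines. Because daemonCheck() is a public controller method it is presumably routable with URL-supplied arguments, so both values should be checked against the known daemon names and the expected argument form (or passed through `escapeshellarg()` per argument) before the string is built; a comment such as `# $daemon/$args may originate from the request - validate before use` would at least mark the trust boundary. The `zmdc.pl status` hunk of MonitorsController in patch 07 has the same shape, with `$daemon` taken from `$this->request->params['named']['daemon']` and only passed through `escapeshellcmd()`, which neutralises shell metacharacters but does not constrain the argument itself.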
@@ -29,8 +29,6 @@ class HostController extends AppController { '_serialize' => array('load') )); } - - function login() { @@ -42,33 +40,27 @@ class HostController extends AppController { require_once "../../../includes/auth.php"; global $user; - $user = $this->Session->read('user'); + # $user is loaded from Session in AppController - - $mUser = $this->request->data('user'); $mPassword = $this->request->data('pass'); $mAuth = $this->request->data('auth'); - - if ( $mUser and $mPassword) { + if ( $mUser and $mPassword ) { $user = userLogin($mUser, $mPassword); if ( !$user ) { throw new UnauthorizedException(__('User not found or incorrect password')); return; } - } - - elseif ( $mAuth ) { + } else if ( $mAuth ) { $user = getAuthUser($mAuth); - if ( ! $user ) { + if ( !$user ) { throw new UnauthorizedException(__('User not found or incorrect password')); return; } - } - else { - throw new UnauthorizedException(__('missing credentials')); - } + } else { + throw new UnauthorizedException(__('missing credentials')); + } if ( 0 and $user ) { # We have to redo the session variables because cakephp's Session code will overwrite the normal php session @@ -87,8 +79,6 @@ class HostController extends AppController { $this->log("Error writing session var remoteAddr"); } - - // I don't think this is really needed - the Username part // Enabled check is ok if ( !$user['Username'] ) { @@ -99,7 +89,6 @@ class HostController extends AppController { return; } - $this->Session->Write('allowedMonitors',$user['MonitorIds']); $this->Session->Write('streamPermission',$user['Stream']); $this->Session->Write('eventPermission',$user['Events']); @@ -117,7 +106,6 @@ class HostController extends AppController { $this->Session->Write('monitorPermission','Edit'); } - $cred = $this->_getCredentials(); $ver = $this->_getVersion(); $this->set(array( 
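Review bot: The replacement comment `# $user is loaded from Session in AppController` in the login() hunk is misleading, because every non-throwing path that follows reassigns `$user` from `userLogin()` or `getAuthUser()`, so within this branch the session-loaded value is never consulted. Suggest wording it as `# AppController::beforeFilter() already loaded $user from the session; it is replaced below by the freshly authenticated record` so a reader does not assume the session user is trusted during login. The `return;` after each `throw new UnauthorizedException(...)` is unreachable and can be dropped. The enclosing login() body begins before this hunk and continues after it.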
@@ -130,8 +118,7 @@ class HostController extends AppController { 'version', 'apiversion' ))); - - } + } // end function login() // clears out session function logout() { @@ -143,7 +130,7 @@ class HostController extends AppController { '_serialize' => array('result') )); - } + } // end function logout() private function _getCredentials() { $credentials = ''; @@ -167,8 +154,7 @@ class HostController extends AppController { } } return array($credentials, $appendPassword); - - } + } // end function _getCredentials function getCredentials() { // ignore debug warnings from other functions @@ -180,8 +166,6 @@ class HostController extends AppController { '_serialize' => array('credentials', 'append_password') ) ); } - - // If $mid is set, only return disk usage for that monitor // Else, return an array of total disk usage, and per-monitor diff --git a/web/api/app/Controller/MonitorsController.php b/web/api/app/Controller/MonitorsController.php index 5801c1e9e..1e659b39e 100644 --- a/web/api/app/Controller/MonitorsController.php +++ b/web/api/app/Controller/MonitorsController.php @@ -43,7 +43,8 @@ class MonitorsController extends AppController { $conditions = array(); } - $allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY); + global $user; + $allowedMonitors=preg_split ('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY); if (!empty($allowedMonitors)) { $conditions['Monitor.Id' ] = $allowedMonitors; } From caa8adae5eca48a05badb1baef98c95fcec0b598 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 10:40:18 -0400 Subject: [PATCH 02/13] fix when gets loaded. --- web/api/app/Controller/AppController.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php index f4447a47c..4ec56e43b 100644 --- a/web/api/app/Controller/AppController.php +++ b/web/api/app/Controller/AppController.php 
@@ -69,10 +69,12 @@ class AppController extends Controller { if ( $zmOptApi != '1' ) { throw new UnauthorizedException(__('API Disabled')); return; - } else { - global $user; - $user = $this->Session->read('user'); - } + } + + # For use throughout the app. If not logged in, this will be null. + global $user; + $user = $this->Session->read('user'); + // We need to reject methods that are not authenticated // besides login and logout if ( strcasecmp($this->params->action, 'login') && From 08d3f98e5e6d8091f1331ef237a6722e03164b1d Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 11:49:40 -0400 Subject: [PATCH 03/13] use for auth, and add Monitor Edit checks to Zone add/delete/edit --- web/api/app/Controller/ZonesController.php | 262 +++++++++++---------- 1 file changed, 138 insertions(+), 124 deletions(-) diff --git a/web/api/app/Controller/ZonesController.php b/web/api/app/Controller/ZonesController.php index 5fbadc2ed..2eacb5dc8 100644 --- a/web/api/app/Controller/ZonesController.php +++ b/web/api/app/Controller/ZonesController.php 
@@ -7,148 +7,162 @@ App::uses('AppController', 'Controller'); */ class ZonesController extends AppController { -/** - * Components - * - * @var array - */ -public $components = array('RequestHandler'); + /** + * Components + * + * @var array + */ + public $components = array('RequestHandler'); -public function beforeFilter() { - parent::beforeFilter(); - $canView = $this->Session->Read('monitorPermission'); - if ($canView =='None') - { - throw new UnauthorizedException(__('Insufficient Privileges')); - return; - } + public function beforeFilter() { + parent::beforeFilter(); -} + global $user; + $canView = (!$user) || $user['Monitors'] != 'None'; + if ( !$canView ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } + } -// Find all zones which belong to a MonitorId -public function forMonitor($id = null) { + // Find all zones which belong to a MonitorId + public function forMonitor($id = null) { $this->loadModel('Monitor'); - if (!$this->Monitor->exists($id)) { - throw new NotFoundException(__('Invalid monitor')); + if ( !$this->Monitor->exists($id) ) { + throw new NotFoundException(__('Invalid monitor')); } $this->Zone->recursive = -1; $zones = $this->Zone->find('all', array( - 'conditions' => array('MonitorId' => $id) + 'conditions' => array('MonitorId' => $id) )); $this->set(array( - 'zones' => $zones, - '_serialize' => array('zones') + 'zones' => $zones, + '_serialize' => array('zones') )); -} -public function index() { + } + public function index() { $this->Zone->recursive = -1; - - $allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY); - if (!empty($allowedMonitors)) - { - $mon_options = array('Zones.MonitorId' => $allowedMonitors); - } - else - { - $mon_options=''; + + global $user; + $allowedMonitors = $user ? 
preg_split('@,@', $user['MonitorIds'],NULL, PREG_SPLIT_NO_EMPTY) : null; + if ( $allowedMonitors ) { + $mon_options = array('Zones.MonitorId' => $allowedMonitors); + } else { + $mon_options = ''; } $zones = $this->Zone->find('all',$mon_options); $this->set(array( - 'zones' => $zones, - '_serialize' => array('zones') + 'zones' => $zones, + '_serialize' => array('zones') )); -} -/** - * add method - * - * @return void - */ - public function add() { - if ($this->request->is('post')) { - $this->Zone->create(); - if ($this->Zone->save($this->request->data)) { - return $this->flash(__('The zone has been saved.'), array('action' => 'index')); - } - } - $monitors = $this->Zone->Monitor->find('list'); - $this->set(compact('monitors')); + } + /** + * add method + * + * @return void + */ + public function add() { + if ( $this->request->is('post') ) { + + global $user; + $canEdit = (!$user) || $user['Monitors'] == 'Edit'; + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } + + $this->Zone->create(); + if ( $this->Zone->save($this->request->data) ) { + return $this->flash(__('The zone has been saved.'), array('action' => 'index')); + } + } + $monitors = $this->Zone->Monitor->find('list'); + $this->set(compact('monitors')); + } + + /** + * edit method + * + * @throws NotFoundException + * @param string $id + * @return void + */ + public function edit($id = null) { + $this->Zone->id = $id; + + if ( !$this->Zone->exists($id) ) { + throw new NotFoundException(__('Invalid zone')); + } + if ( $this->request->is(array('post', 'put')) ) { + global $user; + $canEdit = (!$user) || $user['Monitors'] == 'Edit'; + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } + if ( $this->Zone->save($this->request->data) ) { + return $this->flash(__('The zone has been saved.'), array('action' => 'index')); + } + } else { + $options = array('conditions' => array('Zone.' . 
$this->Zone->primaryKey => $id)); + $this->request->data = $this->Zone->find('first', $options); + } + $monitors = $this->Zone->Monitor->find('list'); + $this->set(compact('monitors')); + } + + /** + * delete method + * + * @throws NotFoundException + * @param string $id + * @return void + */ + public function delete($id = null) { + $this->Zone->id = $id; + if ( !$this->Zone->exists() ) { + throw new NotFoundException(__('Invalid zone')); + } + $this->request->allowMethod('post', 'delete'); + global $user; + $canEdit = (!$user) || $user['Monitors'] == 'Edit'; + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } + if ( $this->Zone->delete() ) { + return $this->flash(__('The zone has been deleted.'), array('action' => 'index')); + } else { + return $this->flash(__('The zone could not be deleted. Please, try again.'), array('action' => 'index')); + } + } + + public function createZoneImage( $id = null ) { + $this->loadModel('Monitor'); + $this->Monitor->id = $id; + if ( !$this->Monitor->exists() ) { + throw new NotFoundException(__('Invalid zone')); } -/** - * edit method - * - * @throws NotFoundException - * @param string $id - * @return void - */ - public function edit($id = null) { - $this->Zone->id = $id; + $this->loadModel('Config'); + $zm_dir_images = $this->Config->find('list', array( + 'conditions' => array('Name' => 'ZM_DIR_IMAGES'), + 'fields' => array('Name', 'Value') + )); - if (!$this->Zone->exists($id)) { - throw new NotFoundException(__('Invalid zone')); - } - if ($this->request->is(array('post', 'put'))) { - if ($this->Zone->save($this->request->data)) { - return $this->flash(__('The zone has been saved.'), array('action' => 'index')); - } - } else { - $options = array('conditions' => array('Zone.' . 
$this->Zone->primaryKey => $id)); - $this->request->data = $this->Zone->find('first', $options); - } - $monitors = $this->Zone->Monitor->find('list'); - $this->set(compact('monitors')); - } + $zm_dir_images = $zm_dir_images['ZM_DIR_IMAGES']; + $zm_path_web = Configure::read('ZM_PATH_WEB'); + $zm_path_bin = Configure::read('ZM_PATH_BIN'); + $images_path = "$zm_path_web/$zm_dir_images"; -/** - * delete method - * - * @throws NotFoundException - * @param string $id - * @return void - */ - public function delete($id = null) { - $this->Zone->id = $id; - if (!$this->Zone->exists()) { - throw new NotFoundException(__('Invalid zone')); - } - $this->request->allowMethod('post', 'delete'); - if ($this->Zone->delete()) { - return $this->flash(__('The zone has been deleted.'), array('action' => 'index')); - } else { - return $this->flash(__('The zone could not be deleted. Please, try again.'), array('action' => 'index')); - } - } + chdir($images_path); + $command = escapeshellcmd("$zm_path_bin/zmu -z -m $id"); + system( $command, $status ); - - public function createZoneImage( $id = null ) { - $this->loadModel('Monitor'); - $this->Monitor->id = $id; - if (!$this->Monitor->exists()) { - throw new NotFoundException(__('Invalid zone')); - } - - - $this->loadModel('Config'); - $zm_dir_images = $this->Config->find('list', array( - 'conditions' => array('Name' => 'ZM_DIR_IMAGES'), - 'fields' => array('Name', 'Value') - )); - - $zm_dir_images = $zm_dir_images['ZM_DIR_IMAGES']; - $zm_path_web = Configure::read('ZM_PATH_WEB'); - $zm_path_bin = Configure::read('ZM_PATH_BIN'); - $images_path = "$zm_path_web/$zm_dir_images"; - - chdir($images_path); - - $command = escapeshellcmd("$zm_path_bin/zmu -z -m $id"); - system( $command, $status ); - - $this->set(array( - 'status' => $status, - '_serialize' => array('status') - )); - - } -} + $this->set(array( + 'status' => $status, + '_serialize' => array('status') + )); + } +} // end class 
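Review bot: The new add(), edit() and delete() guards only compare the global level `$user['Monitors']` with `'Edit'` and never check that the zone's `MonitorId` is among the ids in `$user['MonitorIds']`, although index() in the same hunk filters on exactly that list; forMonitor($id) likewise returns zones for any monitor id, so a user restricted to a monitor subset appears able to read and change zones of other monitors. Each guard is also written fail-open, `$canEdit = (!$user) || ...`, which is only safe because AppController::beforeFilter() has already rejected unauthenticated requests; that assumption deserves a comment at each site, e.g. `# $user is expected to be null only when authentication is disabled; AppController has already rejected unauthenticated requests`. The same fail-open form recurs in the EventsController and MonitorsController beforeFilter() hunks of patches 05 and 07 and in the MonitorsController add()/edit() hunks of patch 08. Finally, createZoneImage() runs `zmu` for the given monitor but receives no Edit check in this commit, and its not-found message says `'Invalid zone'` although it is the Monitor record that was looked up.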
From 3255a2829fb99fbc9a3f4ae07dd9f4cf180ef10f Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 12:01:40 -0400 Subject: [PATCH 04/13] add back the ZM_OPT_USE_AUTH test for being logged in in AppController --- web/api/app/Controller/AppController.php | 26 +++++++++++++----------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php index 4ec56e43b..44dc3bc32 100644 --- a/web/api/app/Controller/AppController.php +++ b/web/api/app/Controller/AppController.php @@ -75,18 +75,20 @@ class AppController extends Controller { global $user; $user = $this->Session->read('user'); - // We need to reject methods that are not authenticated - // besides login and logout - if ( strcasecmp($this->params->action, 'login') && - strcasecmp($this->params->action, 'logout')) { - if ( !$this->Session->read('user.Username') ) { - throw new UnauthorizedException(__('Not Authenticated')); - return; - } else if ( !$this->Session->read('user.Enabled') ) { - throw new UnauthorizedException(__('User is not enabled')); - return; - } - } # end if ! login or logout + if ( ZM_OPT_USE_AUTH ) { + // We need to reject methods that are not authenticated + // besides login and logout + if ( strcasecmp($this->params->action, 'login') && + strcasecmp($this->params->action, 'logout')) { + if ( !( $user and $user['Username'] ) ) { + throw new UnauthorizedException(__('Not Authenticated')); + return; + } else if ( !( $user and $user['Enabled'] ) ) { + throw new UnauthorizedException(__('User is not enabled')); + return; + } + } # end if ! login or logout + } # end if ZM_OPT_AUTH } # end function beforeFilter() } From 00cfb100db84439635b33940bf7fa76c2afcb900 Mon Sep 17 00:00:00 2001 
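Review bot: `ZM_OPT_USE_AUTH` is tested here as a PHP constant, whereas the earlier hunks of this file read the API-enabled switch through the Config model (`$zmOptApi`), so this hunk presumes the constant is defined for API requests; if it is not, the check degrades to an undefined-constant warning and a truthy string on PHP 7 and a fatal Error on PHP 8, so either read the value the same way as ZM_OPT_API or add a comment saying where the constant is defined. The closing comment `# end if ZM_OPT_AUTH` does not match the condition and should read `# end if ZM_OPT_USE_AUTH`. The `return;` statements after each `throw` remain unreachable. beforeFilter() starts before this hunk and ends inside it.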
From: Isaac Connor Date: Tue, 24 Jul 2018 12:02:03 -0400 Subject: [PATCH 05/13] Update permissions code to use --- web/api/app/Controller/EventsController.php | 73 +++++++++++---------- 1 file changed, 39 insertions(+), 34 deletions(-) diff --git a/web/api/app/Controller/EventsController.php b/web/api/app/Controller/EventsController.php index fd0c4ef98..052c83b16 100644 --- a/web/api/app/Controller/EventsController.php +++ b/web/api/app/Controller/EventsController.php @@ -1,5 +1,6 @@ Session->Read('eventPermission'); - if ($canView =='None') { + global $user; + $canView = (!$user) || ($user['Events'] != 'None'); + if ( !$canView ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } @@ -32,15 +34,16 @@ class EventsController extends AppController { public function index() { $this->Event->recursive = -1; - $allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY); + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; - if (!empty($allowedMonitors)) { + if ( $allowedMonitors ) { $mon_options = array('Event.MonitorId' => $allowedMonitors); } else { - $mon_options=''; + $mon_options = ''; } - if ($this->request->params['named']) { + if ( $this->request->params['named'] ) { //$this->FilterComponent = $this->Components->load('Filter'); //$conditions = $this->FilterComponent->buildFilter($this->request->params['named']); $conditions = $this->request->params['named']; @@ -61,7 +64,7 @@ class EventsController extends AppController { 'order' => array('StartTime'), 'paramType' => 'querystring', ); - if ( isset( $conditions['GroupId'] ) ) { + if ( isset($conditions['GroupId']) ) { $settings['joins'] = array( array( 'table' => 'Groups_Monitors', 
@@ -85,13 +88,13 @@ class EventsController extends AppController { $events = $this->Paginator->paginate('Event'); // For each event, get the frameID which has the largest score - foreach ($events as $key => $value) { + foreach ( $events as $key => $value ) { $maxScoreFrameId = $this->getMaxScoreAlarmFrameId($value['Event']['Id']); $events[$key]['Event']['MaxScoreFrameId'] = $maxScoreFrameId; } $this->set(compact('events')); - } + } // end public function index() /** * view method @@ -108,12 +111,13 @@ class EventsController extends AppController { throw new NotFoundException(__('Invalid event')); } - $allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY); + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; - if (!empty($allowedMonitors)) { + if ( $allowedMonitors ) { $mon_options = array('Event.MonitorId' => $allowedMonitors); } else { - $mon_options=''; + $mon_options = ''; } $options = array('conditions' => array(array('Event.' . $this->Event->primaryKey => $id), $mon_options)); @@ -149,14 +153,14 @@ class EventsController extends AppController { */ public function add() { - if ($this->Session->Read('eventPermission') != 'Edit') { + if ( $this->Session->Read('eventPermission') != 'Edit' ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } - if ($this->request->is('post')) { + if ( $this->request->is('post') ) { $this->Event->create(); - if ($this->Event->save($this->request->data)) { + if ( $this->Event->save($this->request->data) ) { return $this->flash(__('The event has been saved.'), array('action' => 'index')); } } 
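Review bot: add() in the last hunk, and edit()/delete() in the hunks on the next line, still gate on `$this->Session->Read('eventPermission')` while beforeFilter() and index() in this same commit derive the permission from `$user['Events']`, leaving two sources of truth for one permission within a request. The session key is written at login in HostController from the same `$user['Events']` value, so the two can drift if the user record changes after login, and an absent session value denies here while the `$user`-based checks allow. Suggest deriving all three from `$user['Events']` with the same null handling as beforeFilter(), so the policy lives in one place.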
@@ -173,18 +177,18 @@ class EventsController extends AppController { */ public function edit($id = null) { - if ($this->Session->Read('eventPermission') != 'Edit') { + if ( $this->Session->Read('eventPermission') != 'Edit' ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } $this->Event->id = $id; - if (!$this->Event->exists($id)) { + if ( !$this->Event->exists($id) ) { throw new NotFoundException(__('Invalid event')); } - if ($this->Event->save($this->request->data)) { + if ( $this->Event->save($this->request->data) ) { $message = 'Saved'; } else { $message = 'Error'; @@ -204,16 +208,16 @@ class EventsController extends AppController { * @return void */ public function delete($id = null) { - if ($this->Session->Read('eventPermission') != 'Edit') { + if ( $this->Session->Read('eventPermission') != 'Edit' ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } $this->Event->id = $id; - if (!$this->Event->exists()) { + if ( !$this->Event->exists() ) { throw new NotFoundException(__('Invalid event')); } $this->request->allowMethod('post', 'delete'); - if ($this->Event->delete()) { + if ( $this->Event->delete() ) { //$this->loadModel('Frame'); //$this->Event->Frame->delete(); return $this->flash(__('The event has been deleted.'), array('action' => 'index')); @@ -228,7 +232,7 @@ class EventsController extends AppController { foreach ($this->params['named'] as $param_name => $value) { // Transform params into mysql - if (preg_match("/interval/i", $value, $matches)) { + if (preg_match('/interval/i', $value, $matches)) { $condition = array("$param_name >= (date_sub(now(), $value))"); } else { $condition = array($param_name => $value); 
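Review bot: In the last hunk, `$param_name` and `$value` come from the request's named parameters and are interpolated verbatim into the string condition `"$param_name >= (date_sub(now(), $value))"`, and the commit only changes the regex quoting; a string condition is handed to the database unescaped, unlike the `array($param_name => $value)` form in the else branch, which the ORM quotes. The first hunk on the next line has the same issue where `$moreconditions`, built from `' AND '.$name.$param`, and `$interval` are interpolated into `$this->Event->query(...)`. Validate `$param_name`/`$name` against the model's columns (e.g. `$this->Event->hasField($param_name)`) and restrict `$value`/`$interval` to the expected interval syntax before either string is built, or express the date condition in the conditions-array form. The enclosing function starts before this hunk and continues after it.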
@@ -254,12 +258,12 @@ class EventsController extends AppController { $this->Event->recursive = -1; $results = array(); - $moreconditions =""; + $moreconditions = ''; foreach ($this->request->params['named'] as $name => $param) { - $moreconditions = $moreconditions . " AND ".$name.$param; + $moreconditions = $moreconditions . ' AND '.$name.$param; } - $query = $this->Event->query("select MonitorId, COUNT(*) AS Count from Events WHERE (StartTime >= (DATE_SUB(NOW(), interval $interval)) $moreconditions) GROUP BY MonitorId;"); + $query = $this->Event->query("SELECT MonitorId, COUNT(*) AS Count FROM Events WHERE (StartTime >= (DATE_SUB(NOW(), interval $interval)) $moreconditions) GROUP BY MonitorId;"); foreach ($query as $result) { $results[$result['Events']['MonitorId']] = $result[0]['Count']; @@ -275,7 +279,7 @@ class EventsController extends AppController { public function createThumbnail($id = null) { $this->Event->recursive = -1; - if (!$this->Event->exists($id)) { + if ( !$this->Event->exists($id) ) { throw new NotFoundException(__('Invalid event')); } @@ -291,7 +295,7 @@ class EventsController extends AppController { 'Score' => $event['Event']['MaxScore'] ) ))) { - throw new NotFoundException(__("Can not find Frame for Event " . $event['Event']['Id'])); + throw new NotFoundException(__('Can not find Frame for Event ' . $event['Event']['Id'])); } $this->loadModel('Config'); @@ -304,12 +308,13 @@ class EventsController extends AppController { $config = $this->Config->find('list', array( 'conditions' => array('OR' => array( - 'Name' => array('ZM_WEB_LIST_THUMB_WIDTH', - 'ZM_WEB_LIST_THUMB_HEIGHT', - 'ZM_EVENT_IMAGE_DIGITS', - 'ZM_DIR_IMAGES', - $thumbs, - 'ZM_DIR_EVENTS' + 'Name' => array( + 'ZM_WEB_LIST_THUMB_WIDTH', + 'ZM_WEB_LIST_THUMB_HEIGHT', + 'ZM_EVENT_IMAGE_DIGITS', + 'ZM_DIR_IMAGES', + $thumbs, + 'ZM_DIR_EVENTS' ) )), 'fields' => array('Name', 'Value') 
@@ -335,7 +340,7 @@ class EventsController extends AppController { $thumbData['Width'] = (int)$thumbWidth; $thumbData['Height'] = (int)$thumbHeight; - return( $thumbData ); + return $thumbData; } public function archive($id = null) { From ba0ab50545cf523ac862b9521c6f7a5dbf285ff9 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 12:02:18 -0400 Subject: [PATCH 06/13] change quotes --- web/api/app/Controller/HostController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php index 54ced3ec7..fbba5058d 100644 --- a/web/api/app/Controller/HostController.php +++ b/web/api/app/Controller/HostController.php @@ -38,7 +38,7 @@ class HostController extends AppController { if ( $zmOptAuth == '1' ) { - require_once "../../../includes/auth.php"; + require_once '../../../includes/auth.php'; global $user; # $user is loaded from Session in AppController From 98f279addba1ea3ce7fe665aec5b172cc24bffeb Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 12:02:35 -0400 Subject: [PATCH 07/13] Update permission code to use --- web/api/app/Controller/MonitorsController.php | 67 +++++++++++-------- 1 file changed, 39 insertions(+), 28 deletions(-) diff --git a/web/api/app/Controller/MonitorsController.php b/web/api/app/Controller/MonitorsController.php index 1e659b39e..212849f27 100644 --- a/web/api/app/Controller/MonitorsController.php +++ b/web/api/app/Controller/MonitorsController.php 
@@ -18,10 +18,13 @@ class MonitorsController extends AppController { public function beforeRender() { $this->set($this->Monitor->enumValues()); } + public function beforeFilter() { parent::beforeFilter(); - $canView = $this->Session->Read('monitorPermission'); - if ($canView == 'None') { + global $user; + # We already tested for auth in appController, so we just need to test for specific permission + $canView = (!$user) || ($user['Monitors'] != 'None'); + if ( !$canView ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } @@ -35,7 +38,7 @@ class MonitorsController extends AppController { public function index() { $this->Monitor->recursive = 0; - if ($this->request->params['named']) { + if ( $this->request->params['named'] ) { $this->FilterComponent = $this->Components->load('Filter'); //$conditions = $this->FilterComponent->buildFilter($this->request->params['named']); $conditions = $this->request->params['named']; @@ -44,13 +47,13 @@ class MonitorsController extends AppController { } global $user; - $allowedMonitors=preg_split ('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY); - if (!empty($allowedMonitors)) { + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; + if ( $allowedMonitors ) { $conditions['Monitor.Id' ] = $allowedMonitors; } $find_array = array('conditions'=>$conditions,'contain'=>array('Group')); - if ( isset( $conditions['GroupId'] ) ) { + if ( isset($conditions['GroupId']) ) { $find_array['joins'] = array( array( 'table' => 'Groups_Monitors', 
@@ -85,11 +88,12 @@ class MonitorsController extends AppController { */ public function view($id = null) { $this->Monitor->recursive = 0; - if (!$this->Monitor->exists($id)) { + if ( !$this->Monitor->exists($id) ) { throw new NotFoundException(__('Invalid monitor')); } - $allowedMonitors=preg_split ('@,@', $this->Session->Read('allowedMonitors'),NULL, PREG_SPLIT_NO_EMPTY); - if (!empty($allowedMonitors)) { + global $user; + $allowedMonitors = $user ? preg_split('@,@', $user['MonitorIds'], NULL, PREG_SPLIT_NO_EMPTY) : null; + if ( $allowedMonitors ) { $restricted = array('Monitor.' . $this->Monitor->primaryKey => $allowedMonitors); } else { $restricted = ''; @@ -148,7 +152,8 @@ class MonitorsController extends AppController { if (!$this->Monitor->exists($id)) { throw new NotFoundException(__('Invalid monitor')); } - if ($this->Session->Read('monitorPermission') != 'Edit') { + global $user; + if ( $user and $user['Monitors'] != 'Edit' ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -164,9 +169,17 @@ class MonitorsController extends AppController { // - restart or stop this monitor after change $func = $Monitor['Function']; // We don't pass the request data as the monitor object because it may be a subset of the full monitor array - $this->daemonControl( $this->Monitor->id, 'stop' ); - if ( ( $func != 'None' ) and ( (!defined('ZM_SERVER_ID')) or ($Monitor['ServerId']==ZM_SERVER_ID) ) ) { - $this->daemonControl( $this->Monitor->id, 'start' ); + $this->daemonControl($this->Monitor->id, 'stop'); + if ( + ( $func != 'None' ) + and + ( + (!defined('ZM_SERVER_ID')) + or + ($Monitor['ServerId']==ZM_SERVER_ID) + ) + ) { + $this->daemonControl($this->Monitor->id, 'start'); } } else { $message = 'Error ' . print_r($this->Monitor->invalidFields(), true); 
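Review bot: edit($id) in the last hunk checks only that `$user['Monitors']` equals `'Edit'` and never that `$id` is one of the user's `$user['MonitorIds']`, whereas view() in the previous hunk restricts its lookup with `$allowedMonitors`; a user with Edit rights on a monitor subset therefore appears able to edit any existing monitor id. Consider applying the same `$allowedMonitors` restriction to the `exists()` lookup, or adding `if ( $allowedMonitors && !in_array((string)$id, $allowedMonitors, true) ) { throw new UnauthorizedException(__('Insufficient privileges')); }` before the permission check. Patch 08 rewrites this same condition as `$canEdit` without adding that check. The edit() body continues past this hunk.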
@@ -188,10 +201,10 @@ class MonitorsController extends AppController { */ public function delete($id = null) { $this->Monitor->id = $id; - if (!$this->Monitor->exists()) { + if ( !$this->Monitor->exists() ) { throw new NotFoundException(__('Invalid monitor')); } - if ($this->Session->Read('systemPermission') != 'Edit') { + if ( $this->Session->Read('systemPermission') != 'Edit' ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -199,7 +212,7 @@ class MonitorsController extends AppController { $this->daemonControl($this->Monitor->id, 'stop'); - if ($this->Monitor->delete()) { + if ( $this->Monitor->delete() ) { return $this->flash(__('The monitor has been deleted.'), array('action' => 'index')); } else { return $this->flash(__('The monitor could not be deleted. Please, try again.'), array('action' => 'index')); @@ -207,7 +220,7 @@ class MonitorsController extends AppController { } public function sourceTypes() { - $sourceTypes = $this->Monitor->query("describe Monitors Type;"); + $sourceTypes = $this->Monitor->query('describe Monitors Type;'); preg_match('/^enum\((.*)\)$/', $sourceTypes[0]['COLUMNS']['Type'], $matches); foreach( explode(',', $matches[1]) as $value ) { 
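Review bot: delete() in the first hunk still reads `$this->Session->Read('systemPermission')` while beforeFilter() in this same commit switched to the `$user` global, so the controller now consults two permission sources; patch 08 later moves add() to `$user['System']` but leaves this line untouched. Suggest reading `$user['System']` here with the same null handling as add() in patch 08, so the System permission has a single source. The `return;` after the throw is unreachable.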
@@ -253,19 +266,18 @@ class MonitorsController extends AppController { // form auth key based on auth credentials $this->loadModel('Config'); $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_AUTH')); - $config = $this->Config->find('first', $options); + $config = $this->Config->find('first', $options); $zmOptAuth = $config['Config']['Value']; - $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_AUTH_RELAY')); - $config = $this->Config->find('first', $options); + $config = $this->Config->find('first', $options); $zmAuthRelay = $config['Config']['Value']; - $auth=''; + $auth = ''; if ( $zmOptAuth ) { if ( $zmAuthRelay == 'hashed' ) { $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_AUTH_HASH_SECRET')); - $config = $this->Config->find('first', $options); + $config = $this->Config->find('first', $options); $zmAuthHashSecret = $config['Config']['Value']; $time = localtime(); @@ -294,7 +306,7 @@ class MonitorsController extends AppController { $id = $this->request->params['named']['id']; $daemon = $this->request->params['named']['daemon']; - if (!$this->Monitor->exists($id)) { + if ( !$this->Monitor->exists($id) ) { throw new NotFoundException(__('Invalid monitor')); } @@ -307,7 +319,7 @@ class MonitorsController extends AppController { $monitor = Set::extract('/Monitor/.', $monitor); // Pass -d for local, otherwise -m - if ($monitor[0]['Type'] == 'Local') { + if ( $monitor[0]['Type'] == 'Local' ) { $args = '-d '. $monitor[0]['Device']; } else { $args = '-m '. $monitor[0]['Id']; 
@@ -316,7 +328,7 @@ class MonitorsController extends AppController { // Build the command, and execute it $zm_path_bin = Configure::read('ZM_PATH_BIN'); $command = escapeshellcmd("$zm_path_bin/zmdc.pl status $daemon $args"); - $status = exec( $command ); + $status = exec($command); // If 'not' is present, the daemon is not running, so return false // https://github.com/ZoneMinder/ZoneMinder/issues/799#issuecomment-108996075 @@ -352,9 +364,9 @@ class MonitorsController extends AppController { $zm_path_bin = Configure::read('ZM_PATH_BIN'); - foreach ($daemons as $daemon) { + foreach ( $daemons as $daemon ) { $args = ''; - if ( $daemon == 'zmc' and $monitor['Type'] == 'Local') { + if ( $daemon == 'zmc' and $monitor['Type'] == 'Local' ) { $args = '-d ' . $monitor['Device']; } else { $args = '-m ' . $id; @@ -364,5 +376,4 @@ class MonitorsController extends AppController { $status = exec( $shellcmd ); } } - } // end class MonitorsController From 8098051268a06e6eae2de26e08b966fc12cbb454 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 16:42:16 -0400 Subject: [PATCH 08/13] Use instal of session for systemPermission --- web/api/app/Controller/MonitorsController.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/web/api/app/Controller/MonitorsController.php b/web/api/app/Controller/MonitorsController.php index 212849f27..e339cfc42 100644 --- a/web/api/app/Controller/MonitorsController.php +++ b/web/api/app/Controller/MonitorsController.php @@ -119,8 +119,10 @@ class MonitorsController extends AppController { public function add() { if ( $this->request->is('post') ) { - if ( $this->Session->Read('systemPermission') != 'Edit' ) { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canAdd = (!$user) || ($user['System'] == 'Edit' ); + if ( !$canAdd ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } 
@@ -153,7 +155,8 @@ class MonitorsController extends AppController { throw new NotFoundException(__('Invalid monitor')); } global $user; - if ( $user and $user['Monitors'] != 'Edit' ) { + $canEdit = (!$user) || ($user['Monitors'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } From 3a676cd569cf9af34c179b19ac26b870852690dc Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 16:42:36 -0400 Subject: [PATCH 09/13] deprecate montiorPermision in session --- web/api/app/Controller/HostController.php | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php index fbba5058d..cd442adf9 100644 --- a/web/api/app/Controller/HostController.php +++ b/web/api/app/Controller/HostController.php 
@@ -62,23 +62,6 @@ class HostController extends AppController { throw new UnauthorizedException(__('missing credentials')); } - if ( 0 and $user ) { - # We have to redo the session variables because cakephp's Session code will overwrite the normal php session - # Actually I'm not sure that is true. Getting indeterminate behaviour - Logger::Debug("user.Username: " . $this->Session->read('user.Username')); - if ( ! $this->Session->Write('user', $user) ) - $this->log("Error writing session var user"); - Logger::Debug("user.Username: " . $this->Session->read('user.Username')); - if ( ! $this->Session->Write('user.Username', $user['Username']) ) - $this->log("Error writing session var user.Username"); - if ( ! $this->Session->Write('password', $user['Password']) ) - $this->log("Error writing session var user.Username"); - if ( ! $this->Session->Write('user.Enabled', $user['Enabled']) ) - $this->log("Error writing session var user.Enabled"); - if ( ! $this->Session->Write('remoteAddr', $_SERVER['REMOTE_ADDR']) ) - $this->log("Error writing session var remoteAddr"); - } - // I don't think this is really needed - the Username part // Enabled check is ok if ( !$user['Username'] ) { 
@@ -89,21 +72,15 @@ class HostController extends AppController { return; } - $this->Session->Write('allowedMonitors',$user['MonitorIds']); - $this->Session->Write('streamPermission',$user['Stream']); $this->Session->Write('eventPermission',$user['Events']); $this->Session->Write('controlPermission',$user['Control']); $this->Session->Write('systemPermission',$user['System']); - $this->Session->Write('monitorPermission',$user['Monitors']); } else { // if auth is not on, you can do everything //$userMonitors = $this->User->find('first', $options); - $this->Session->Write('allowedMonitors',''); - $this->Session->Write('streamPermission','View'); $this->Session->Write('eventPermission','Edit'); $this->Session->Write('controlPermission','Edit'); $this->Session->Write('systemPermission','Edit'); - $this->Session->Write('monitorPermission','Edit'); } $cred = $this->_getCredentials(); From c6aae346b94126556498e197c97c11f29da246d7 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Tue, 24 Jul 2018 16:43:07 -0400 Subject: [PATCH 10/13] use instead of session streamPermission --- web/api/app/Controller/ServersController.php | 65 ++++++++++---------- 1 file changed, 33 insertions(+), 32 deletions(-) diff --git a/web/api/app/Controller/ServersController.php b/web/api/app/Controller/ServersController.php index 88a5bec90..778ed2fa9 100644 --- a/web/api/app/Controller/ServersController.php +++ b/web/api/app/Controller/ServersController.php @@ -8,7 +8,6 @@ App::uses('AppController', 'Controller'); */ class ServersController extends AppController { - /** * Components * 
@@ -16,18 +15,15 @@ class ServersController extends AppController { */ public $components = array('Paginator', 'RequestHandler'); - -public function beforeFilter() { - parent::beforeFilter(); - $canView = $this->Session->Read('streamPermission'); - if ($canView =='None') { - throw new UnauthorizedException(__('Insufficient Privileges')); - return; + public function beforeFilter() { + parent::beforeFilter(); + $canView = (!$user) || ($user['system'] != 'None'); + if ( !$canView ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } } -} - - /** * index method * @@ -36,7 +32,7 @@ public function beforeFilter() { public function index() { $this->Server->recursive = 0; - $options=''; + $options = ''; $servers = $this->Server->find('all',$options); $this->set(array( 'servers' => $servers, @@ -76,16 +72,17 @@ public function beforeFilter() { * @return void */ public function add() { - if ($this->request->is('post')) { + if ( $this->request->is('post') ) { - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } $this->Server->create(); - if ($this->Server->save($this->request->data)) { + if ( $this->Server->save($this->request->data) ) { # Might be nice to send it a start request #$this->daemonControl($this->Server->id, 'start', $this->request->data); return $this->flash(__('The server has been saved.'), array('action' => 'index')); 
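Review bot: The new ServersController::beforeFilter uses `$user` without a `global $user;` declaration, so inside the method it is always undefined, `(!$user)` is true and `$canView` can never be false — the privilege check is bypassed for every request. It also indexes `$user['system']` with a lowercase key while every other hunk in this series uses `$user['System']`, so even with the global declared the comparison would read a missing key. Suggested: `global $user;` followed by `$canView = (!$user) || ($user['System'] != 'None');`. Note that the removed code checked streamPermission (the Stream column) rather than System; if that change is intended, the commit message should say so.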
@@ -103,15 +100,17 @@ public function beforeFilter() { public function edit($id = null) { $this->Server->id = $id; - if (!$this->Server->exists($id)) { - throw new NotFoundException(__('Invalid server')); - } - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } - if ($this->Server->save($this->request->data)) { + + if ( !$this->Server->exists($id) ) { + throw new NotFoundException(__('Invalid server')); + } + if ( $this->Server->save($this->request->data) ) { $message = 'Saved'; } else { $message = 'Error'; @@ -133,20 +132,22 @@ public function beforeFilter() { * @return void */ public function delete($id = null) { - $this->Server->id = $id; - if (!$this->Server->exists()) { - throw new NotFoundException(__('Invalid server')); - } - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); return; } + + $this->Server->id = $id; + if ( !$this->Server->exists() ) { + throw new NotFoundException(__('Invalid server')); + } $this->request->allowMethod('post', 'delete'); #$this->daemonControl($this->Server->id, 'stop'); - if ($this->Server->delete()) { + if ( $this->Server->delete() ) { return $this->flash(__('The server has been deleted.'), array('action' => 'index')); } else { return $this->flash(__('The server could not be deleted. Please, try again.'), array('action' => 'index')); From 1534934b2020c5a5cc620e567e500f6e70f187e4 Mon Sep 17 00:00:00 2001 
From: Isaac Connor Date: Wed, 1 Aug 2018 10:01:35 -0400 Subject: [PATCH 11/13] move login code back into AppController. Has to be done for every request --- web/api/app/Controller/AppController.php | 45 +++++++++++++++++------- 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php index e4a238d10..68828f7ba 100644 --- a/web/api/app/Controller/AppController.php +++ b/web/api/app/Controller/AppController.php @@ -60,13 +60,7 @@ class AppController extends Controller { // for role and deny API access in future // Also checking to do this only if ZM_OPT_USE_AUTH is on public function beforeFilter() { - $this->loadModel('Config'); - - $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_API')); - $config = $this->Config->find('first', $options); - $zmOptApi = $config['Config']['Value']; - - if ( $zmOptApi != '1' ) { + if ( ! ZM_OPT_USE_API ) { throw new UnauthorizedException(__('API Disabled')); return; } 
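Review bot: `if ( ! ZM_OPT_USE_API )` relies on the ZM_OPT_USE_API constant being defined before AppController::beforeFilter runs; if the API bootstrap does not load ZoneMinder's config constants, PHP treats the bare name as the string 'ZM_OPT_USE_API' (with a notice), which is truthy, and the 'API Disabled' check silently never fires. The same applies to `ZM_OPT_USE_AUTH`, used a few lines further down in this method. A `defined('ZM_OPT_USE_API')` guard, or a comment naming where the constants are loaded for the Cake app, would make the fail-open case visible. The `return;` after the throw is unreachable and can be dropped; beforeFilter continues past the hunk.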
@@ -76,13 +70,40 @@ class AppController extends Controller { $user = $this->Session->read('user'); if ( ZM_OPT_USE_AUTH ) { + require_once '../../../includes/auth.php'; + + $mUser = $this->request->data('user'); + $mPassword = $this->request->data('pass'); + $mAuth = $this->request->data('auth'); + + if ( $mUser and $mPassword ) { + $user = userLogin($mUser, $mPassword); + if ( !$user ) { + throw new UnauthorizedException(__('User not found or incorrect password')); + return; + } + } else if ( $mAuth ) { + $user = getAuthUser($mAuth); + if ( !$user ) { + throw new UnauthorizedException(__('Invalid Auth Key')); + return; + } + } + + //$this->Session->Write('eventPermission',$user['Events']); + //$this->Session->Write('controlPermission',$user['Control']); + //$this->Session->Write('systemPermission',$user['System']); + //} else { + //// if auth is not on, you can do everything + ////$userMonitors = $this->User->find('first', $options); + //$this->Session->Write('eventPermission','Edit'); + //$this->Session->Write('controlPermission','Edit'); + //$this->Session->Write('systemPermission','Edit'); + //} + // We need to reject methods that are not authenticated // besides login and logout - if ( - strcasecmp($this->params->action, 'login') - && - strcasecmp($this->params->action, 'logout') - ) { + if ( strcasecmp($this->params->action, 'logout') ) { if ( !( $user and $user['Username'] ) ) { throw new UnauthorizedException(__('Not Authenticated')); return; From 5b878d5e89b5241bb289b4c2791f33a5b5530ce2 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Wed, 1 Aug 2018 12:10:43 -0400 Subject: [PATCH 12/13] deprecate eventPermission, controlPermission and systemPermission in session. --- web/api/app/Controller/AppController.php | 11 -- web/api/app/Controller/EventsController.php | 12 +- web/api/app/Controller/HostController.php | 51 ------ web/api/app/Controller/StatesController.php | 185 ++++++++++---------- 4 files changed, 102 insertions(+), 157 deletions(-) 
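Review bot: The new credential handling silently ignores partial input: when only `user` or only `pass` is posted, neither the `$mUser and $mPassword` branch nor the `$mAuth` branch runs and the request proceeds with whatever `$user` the session held, whereas the HostController::login code this replaces threw 'missing credentials' for that case. Consider adding `} else if ( $mUser or $mPassword ) { throw new UnauthorizedException(__('missing credentials')); }` after the auth-key branch. A successful `userLogin()`/`getAuthUser()` result replaces `$user`, but nothing in this hunk writes it back with `$this->Session->write('user', $user)`, so persistence across requests presumably depends on includes/auth.php touching the PHP session itself — worth a comment if that is the design. beforeFilter continues past the hunk.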
diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php index 68828f7ba..f363beb09 100644 --- a/web/api/app/Controller/AppController.php +++ b/web/api/app/Controller/AppController.php @@ -90,17 +90,6 @@ class AppController extends Controller { } } - //$this->Session->Write('eventPermission',$user['Events']); - //$this->Session->Write('controlPermission',$user['Control']); - //$this->Session->Write('systemPermission',$user['System']); - //} else { - //// if auth is not on, you can do everything - ////$userMonitors = $this->User->find('first', $options); - //$this->Session->Write('eventPermission','Edit'); - //$this->Session->Write('controlPermission','Edit'); - //$this->Session->Write('systemPermission','Edit'); - //} - // We need to reject methods that are not authenticated // besides login and logout if ( strcasecmp($this->params->action, 'logout') ) { diff --git a/web/api/app/Controller/EventsController.php b/web/api/app/Controller/EventsController.php index 378e01ec4..1d9456cc4 100644 --- a/web/api/app/Controller/EventsController.php +++ b/web/api/app/Controller/EventsController.php @@ -153,7 +153,9 @@ class EventsController extends AppController { */ public function add() { - if ( $this->Session->Read('eventPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Events'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } @@ -177,7 +179,9 @@ class EventsController extends AppController { */ public function edit($id = null) { - if ( $this->Session->Read('eventPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Events'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } 
@@ -208,7 +212,9 @@ class EventsController extends AppController { * @return void */ public function delete($id = null) { - if ( $this->Session->Read('eventPermission') != 'Edit' ) { + global $user; + $canEdit = (!$user) || ($user['Events'] == 'Edit'); + if ( !$canEdit ) { throw new UnauthorizedException(__('Insufficient privileges')); return; } diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php index cd442adf9..6dd9e5211 100644 --- a/web/api/app/Controller/HostController.php +++ b/web/api/app/Controller/HostController.php 
@@ -32,57 +32,6 @@ class HostController extends AppController { function login() { - $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_AUTH')); - $config = $this->Config->find('first', $options); - $zmOptAuth = $config['Config']['Value']; - - if ( $zmOptAuth == '1' ) { - - require_once '../../../includes/auth.php'; - global $user; - # $user is loaded from Session in AppController - - $mUser = $this->request->data('user'); - $mPassword = $this->request->data('pass'); - $mAuth = $this->request->data('auth'); - - if ( $mUser and $mPassword ) { - $user = userLogin($mUser, $mPassword); - if ( !$user ) { - throw new UnauthorizedException(__('User not found or incorrect password')); - return; - } - } else if ( $mAuth ) { - $user = getAuthUser($mAuth); - if ( !$user ) { - throw new UnauthorizedException(__('User not found or incorrect password')); - return; - } - } else { - throw new UnauthorizedException(__('missing credentials')); - } - - // I don't think this is really needed - the Username part - // Enabled check is ok - if ( !$user['Username'] ) { - throw new UnauthorizedException(__('Not Authenticated')); - return; - } else if ( !$user['Enabled'] ) { - throw new UnauthorizedException(__('User is not enabled')); - return; - } - - $this->Session->Write('eventPermission',$user['Events']); - $this->Session->Write('controlPermission',$user['Control']); - $this->Session->Write('systemPermission',$user['System']); - } else { - // if auth is not on, you can do everything - //$userMonitors = $this->User->find('first', $options); - $this->Session->Write('eventPermission','Edit'); - $this->Session->Write('controlPermission','Edit'); - $this->Session->Write('systemPermission','Edit'); - } - $cred = $this->_getCredentials(); $ver = $this->_getVersion(); $this->set(array( diff --git a/web/api/app/Controller/StatesController.php b/web/api/app/Controller/StatesController.php index 051837b27..29201d2c1 100644 
--- a/web/api/app/Controller/StatesController.php +++ b/web/api/app/Controller/StatesController.php @@ -12,30 +12,28 @@ class StatesController extends AppController { public $components = array('RequestHandler'); public function beforeFilter() { - parent::beforeFilter(); - $canView = $this->Session->Read('systemPermission'); - if ($canView =='None') - { - throw new UnauthorizedException(__('Insufficient Privileges')); - return; - } - + parent::beforeFilter(); + global $user; + $canView = (!$user) || ($user['System'] != 'None'); + if ( !$canView ) { + throw new UnauthorizedException(__('Insufficient Privileges')); + return; + } } - /** * index method * * @return void */ - public function index() { - $this->State->recursive = 0; - $states = $this->State->find('all'); - $this->set(array( - 'states' => $states, - '_serialize' => array('states') - )); - } +public function index() { + $this->State->recursive = 0; + $states = $this->State->find('all'); + $this->set(array( + 'states' => $states, + '_serialize' => array('states') + )); +} /** * view method 
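Review bot: The hunk moves `public function index()` and its body from the class's two-space indent to column 0, and the -44, -81 and -109 hunks do the same for every remaining method, so most of the 185 changed lines reported for StatesController are indentation rather than the permission change this commit is about. Keeping the methods at their existing indent (e.g. `  public function index() {`) or putting the reformat in its own commit would let the authorization change be reviewed on its own. The beforeFilter change itself matches the other controllers and does declare `global $user;`.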
@@ -44,35 +42,35 @@ public function beforeFilter() { * @param string $id * @return void */ - public function view($id = null) { - if (!$this->State->exists($id)) { - throw new NotFoundException(__('Invalid state')); - } - $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); - $this->set('state', $this->State->find('first', $options)); - } +public function view($id = null) { + if ( !$this->State->exists($id) ) { + throw new NotFoundException(__('Invalid state')); + } + $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); + $this->set('state', $this->State->find('first', $options)); +} /** * add method * * @return void */ - public function add() { - - if ($this->request->is('post')) { +public function add() { - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } + if ($this->request->is('post')) { - $this->State->create(); - if ($this->State->save($this->request->data)) { - return $this->flash(__('The state has been saved.'), array('action' => 'index')); - } - } - } + if ($this->Session->Read('systemPermission') != 'Edit') + { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } + + $this->State->create(); + if ($this->State->save($this->request->data)) { + return $this->flash(__('The state has been saved.'), array('action' => 'index')); + } + } +} /** * edit method 
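Review bot: StatesController::add() still checks `if ($this->Session->Read('systemPermission') != 'Edit')` on the new side, but this same commit removes every `$this->Session->Write('systemPermission', ...)` call (HostController hunk above), so the key is no longer populated, `null != 'Edit'` is always true and add() will reject every request with 'Insufficient privileges'. The other StatesController methods in this commit were converted; add() should follow them with `global $user;`, `$canEdit = (!$user) || ($user['System'] == 'Edit');` and `if ( !$canEdit ) {`. The view() method in the same hunk is whitespace-only.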
@@ -81,26 +79,27 @@ public function beforeFilter() { * @param string $id * @return void */ - public function edit($id = null) { - if (!$this->State->exists($id)) { - throw new NotFoundException(__('Invalid state')); - } +public function edit($id = null) { + if (!$this->State->exists($id)) { + throw new NotFoundException(__('Invalid state')); + } - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } - if ($this->request->is(array('post', 'put'))) { - if ($this->State->save($this->request->data)) { - return $this->flash(__('The state has been saved.'), array('action' => 'index')); - } - } else { - $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); - $this->request->data = $this->State->find('first', $options); - } - } + if ( $this->request->is(array('post', 'put')) ) { + if ( $this->State->save($this->request->data) ) { + return $this->flash(__('The state has been saved.'), array('action' => 'index')); + } + } else { + $options = array('conditions' => array('State.' . $this->State->primaryKey => $id)); + $this->request->data = $this->State->find('first', $options); + } +} /** * delete method 
@@ -109,48 +108,50 @@ public function beforeFilter() { * @param string $id * @return void */ - public function delete($id = null) { - $this->State->id = $id; - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } +public function delete($id = null) { + $this->State->id = $id; + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } - if (!$this->State->exists()) { - throw new NotFoundException(__('Invalid state')); - } - $this->request->allowMethod('post', 'delete'); - if ($this->State->delete()) { - return $this->flash(__('The state has been deleted.'), array('action' => 'index')); - } else { - return $this->flash(__('The state could not be deleted. Please, try again.'), array('action' => 'index')); - } - } + if (!$this->State->exists()) { + throw new NotFoundException(__('Invalid state')); + } + $this->request->allowMethod('post', 'delete'); + if ($this->State->delete()) { + return $this->flash(__('The state has been deleted.'), array('action' => 'index')); + } else { + return $this->flash(__('The state could not be deleted. 
Please, try again.'), array('action' => 'index')); + } +} - public function change() { - if ($this->Session->Read('systemPermission') != 'Edit') - { - throw new UnauthorizedException(__('Insufficient privileges')); - return; - } +public function change() { + global $user; + $canEdit = (!$user) || ($user['System'] == 'Edit'); + if ( !$canEdit ) { + throw new UnauthorizedException(__('Insufficient privileges')); + return; + } - $newState = $this->request->params['pass'][0]; - $blah = $this->packageControl($newState); + $newState = $this->request->params['pass'][0]; + $blah = $this->packageControl($newState); - $this->set(array( - 'blah' => $blah, - '_serialize' => array('blah') - )); - } + $this->set(array( + 'blah' => $blah, + '_serialize' => array('blah') + )); +} - public function packageControl( $command ) { - $zm_path_bin = Configure::read('ZM_PATH_BIN'); - $string = $zm_path_bin.'/zmpkg.pl '.escapeshellarg( $command ); - $status = exec( $string ); +public function packageControl( $command ) { + $zm_path_bin = Configure::read('ZM_PATH_BIN'); + $string = $zm_path_bin.'/zmpkg.pl '.escapeshellarg( $command ); + $status = exec( $string ); - return $status; - } + return $status; +} } From 3de6b764e2e67eb47d5aad003cc2665a1137b4f0 Mon Sep 17 00:00:00 2001 From: Isaac Connor Date: Thu, 2 Aug 2018 06:52:36 -0400 Subject: [PATCH 13/13] exit on HUP to free up memory. --- scripts/zmfilter.pl.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/zmfilter.pl.in b/scripts/zmfilter.pl.in index 1504c0aa3..cfea3bfe4 100644 --- a/scripts/zmfilter.pl.in +++ b/scripts/zmfilter.pl.in @@ -98,6 +98,11 @@ use constant EVENT_PATH => ($Config{ZM_DIR_EVENTS}=~m|/|) logInit($filter_id?(id=>'zmfilter_'.$filter_id):()); sub HupHandler { + # This idea at this time is to just exit, freeing up the memory. + # zmfilter.pl will be respawned by zmdc. + TermHandler(); + return; + Info('Received HUP, reloading'); ZoneMinder::Object::init_cache(); &ZoneMinder::Logger::logHupHandler();
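Review bot: In change(), `$newState = $this->request->params['pass'][0];` is handed straight to `packageControl()` and from there to zmpkg.pl; `escapeshellarg( $command )` keeps it a single shell argument, so this is an input-validation gap rather than an injection, but the value is never checked against the State model before the external script runs. Looking the name up first, e.g. `if ( !$this->State->find('count', array('conditions' => array('State.Name' => $newState))) ) { throw new NotFoundException(__('Invalid state')); }`, would give callers a clear error and keep arbitrary text out of the zmpkg.pl invocation. The `(!$user) ||` permission test in delete() and change() is the shared pattern already raised on the MonitorsController add() hunk. This hunk begins on the previous line.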
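Review bot: With `TermHandler(); return;` inserted at the top of HupHandler, the `Info('Received HUP, reloading');`, `ZoneMinder::Object::init_cache();` and `&ZoneMinder::Logger::logHupHandler();` lines that follow are unreachable; if exiting on HUP is now the behaviour, delete them (or keep them behind an explicit option) rather than leaving dead code that a reader will assume still runs. The comment should also state that TermHandler exits the process, since otherwise the `return` would leave zmfilter running without having reloaded; the comment might read `# Exit on HUP to release memory; TermHandler() exits and zmdc respawns zmfilter.pl.` HupHandler continues past the hunk.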