Commit Graph

1340 Commits

Author SHA1 Message Date
Pliable Pixels fc27393a96 Replace MySQL Password() with bcrypt, allow for alternate JWT tokens (#2598)
* added sha1 and bcrypt submodules

* added bcrypt and sha to src build process

* added test sha1 and bcrypt code to validate working

* bcrypt auth migration in PHP land

* added include path

* add sha source

* added bcrypt to others

* put link_dir ahead of add_executable

* fixed typo

* try add_library instead

* absolute path

* absolute path

* build bcrypt as static

* move to wrapper

* move to fork

* logs tweak

* added lib-ssl/dev for JWT signing

* Moved to openSSL SHA1, initial JWT plugin

* removed vog

* fixed SHA1 algo

* typo

* use php-jwt, use proper way to add PHP modules, via composer

* fixed module path

* first attempt to fix cast error

* own fork

* own fork

* add composer vendor directory

* go back to jwt-cpp as PR merged

* moved to jwt-cpp after PR merge

* New token= query for JWT

* Add JWT token creation, move old code to a different function for future deprecation, simplified code for ZM_XX parameter reading

* JWT integration, validate JWT token via validateToken

* added token validation to zms/zmu/zmuser

* add token to command line for zmu

* move decode inside try/catch

* exception handling for try/catch

* fix db read, forgot to exec query

* remove allowing auth_hash_ip for token

* support refresh tokens as well for increased security

* remove auth_hash_ip

* Error out if used did not create an AUTH_HASH_SECRET

* fixed type conversion

* make sure refresh token login doesn't generate another refresh token

* fix absolute path

* move JWT/Bcrypt inside zm_crypt

* move sha headers out

* move out sha header

* handle case when supplied password is hashed, fix wrong params in AppController

* initial baby step for api tab

* initial plumbing to introduce token expiry and API bans per user

* remove M typo

* display user table in api

* added revoke all tokens code, removed test code

* use strtoul for conversion

* use strtoul for conversion

* use strtoul for conversion

* more fixes

* more fixes

* add mintokenexpiry to DB seek

* typo

* add ability to revoke tokens and enable/disable APIs per user

* moved API enable back to system

* comma

* enable API options only if API enabled

* move user creation to bcrypt

* added password_compat for PHP >=5.3 <5.5

* add Password back so User object indexes don't change

* move token index after adding password

* demote logs

* make old API auth optional, on by default

* make old API auth mechanism optional

* removed stale code

* forgot to checkin update file

* bulk overlay hash mysql encoded passwords

* add back ssl_dev, got deleted

* fix update script

* added token support to index.php

* reworked API document for new changes in 2.0

* Migrate from libdigest to crypt-eks-blowfish due to notice

* merge typo

* css classess for text that disappear

* fixed html typo

* added deps to ubuntu control files

* spaces

* removed extra line

* when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist

* add libssl1.0.0 for ubuntu 16/12

* small API fixes

* clean up of API, remove redundant sections

* moved to ZM fork for bcrypt

* whitespace and google code style

* regenerate auth hash if doing password migration

* dont need AUTH HASH LOGIN to be on

* Add auth hash verification to the user logged in already case

* fix missing ]

* reject requests if per user API disabled
2019-05-24 13:48:40 -04:00
Isaac Connor 729dee5dda Merge branch 'master' into storageareas 2019-05-24 10:06:14 -04:00
Isaac Connor db9ba7eeab Add StartDateTime and EndDateTime as Sort options. Fixes #2614 2019-05-24 10:02:15 -04:00
Isaac Connor f9004443cf Merge branch 'master' into storageareas 2019-05-24 09:37:03 -04:00
Isaac Connor 843a9a6630 Merge branch 'pliablepixels-crypt-replacement3' into storageareas 2019-05-24 09:36:54 -04:00
Isaac Connor 2fc7b3cf4d Don't allow deleting of in-progress recording 2019-05-24 09:31:48 -04:00
Isaac Connor aa1264f4d2 fix missing ] 2019-05-23 16:26:40 -04:00
Isaac Connor 4466ef13fd Merge branch 'pliablepixels-crypt-replacement3' into storageareas 2019-05-23 15:21:58 -04:00
Isaac Connor 7559c975e3 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement3 2019-05-23 15:15:52 -04:00
Isaac Connor 883688a72d Add auth hash verification to the user logged in already case 2019-05-23 15:15:37 -04:00
Pliable Pixels 57708c016c dont need AUTH HASH LOGIN to be on 2019-05-23 14:59:21 -04:00
Isaac Connor d5120f7506 regenerate auth hash if doing password migration 2019-05-23 14:30:45 -04:00
Isaac Connor bc9116dd94 whitespace and google code style 2019-05-23 14:27:17 -04:00
Isaac Connor 2ce2381269 Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-19 08:45:42 -04:00
Pliable Pixels 8e1037458a when regenerating using refresh tokens, username needs to be derived from the refresh token, as no session would exist 2019-05-18 11:23:16 -04:00
Isaac Connor 93aeceecfc Merge branch 'crypt-replacement' of https://github.com/pliablepixels/ZoneMinder into pliablepixels-crypt-replacement 2019-05-17 10:18:15 -04:00
Pliable Pixels 95460a945a added token support to index.php 2019-05-14 19:22:49 -04:00
Pliable Pixels e9f843f297 bulk overlay hash mysql encoded passwords 2019-05-13 14:29:24 -04:00
Pliable Pixels adb01c4d0e added password_compat for PHP >=5.3 <5.5 2019-05-12 13:57:25 -04:00
Pliable Pixels d7dbaf52d4 move user creation to bcrypt 2019-05-12 13:01:29 -04:00
Pliable Pixels a9d601e5ae add ability to revoke tokens and enable/disable APIs per user 2019-05-12 10:56:17 -04:00
Pliable Pixels ae14be916c initial plumbing to introduce token expiry and API bans per user 2019-05-11 13:39:40 -04:00
Pliable Pixels 95b448abdd handle case when supplied password is hashed, fix wrong params in AppController 2019-05-10 11:25:55 -04:00
Pliable Pixels f9730bb46b remove auth_hash_ip 2019-05-08 14:07:48 -04:00
Pliable Pixels bc050fe330 support refresh tokens as well for increased security 2019-05-08 13:38:42 -04:00
Pliable Pixels b293592e4c added token validation to zms/zmu/zmuser 2019-05-08 10:55:32 -04:00
Pliable Pixels e8f79f3254 JWT integration, validate JWT token via validateToken 2019-05-07 15:04:51 -04:00
Isaac Connor 5fe565b99d spacing 2019-05-06 10:49:18 -04:00
Pliable Pixels ca3f65deef go back to jwt-cpp as PR merged 2019-05-05 14:32:09 -04:00
Pliable Pixels a55a11dad1 first attempt to fix cast error 2019-05-05 11:24:55 -04:00
Pliable Pixels 8d62c61b7a fixed module path 2019-05-05 07:50:52 -04:00
Pliable Pixels 725c3c50ed use php-jwt, use proper way to add PHP modules, via composer 2019-05-05 07:08:25 -04:00
Pliable Pixels 887912e7ad bcrypt auth migration in PHP land 2019-05-01 13:22:24 -04:00
Isaac Connor b3fb934fb5 add namespace to Logging calls 2019-04-29 14:16:55 -04:00
Isaac Connor 1a1c2db15f add the shutdown view and actions 2019-04-12 14:55:56 -04:00
Isaac Connor 780f4f9b9a Merge branch 'master' of github.com:zoneminder/ZoneMinder 2019-04-06 09:27:44 -04:00
Isaac Connor 381f526d66 spacing 2019-04-05 15:18:20 -04:00
Isaac Connor 8f3d1f8653 fix a missing = and use csrf_get_tokens instead of csrf_get_secret which is the wrong function 2019-04-02 15:25:14 -04:00
Isaac Connor 9e96c29620 Log a failed csrf check 2019-04-02 15:24:47 -04:00
Isaac Connor 8a90176a2c Add CanReboot to Controls 2019-04-02 09:25:50 -04:00
Isaac Connor 15fb546e15 spacing 2019-04-01 11:13:35 -04:00
Isaac Connor 49e3f0a68e eslint fixes 2019-03-28 09:43:31 -04:00
Isaac Connor 4eafc52955 spacing 2019-03-25 12:18:01 -04:00
Isaac Connor 8d07a4a08f Log useful error messages when can't mkdir the monitor events dir or the symlink to it. symlink is a warning because the symlink is just a user aid 2019-03-25 11:58:04 -04:00
Isaac Connor bd5c9b5b20 add Control to ZM namespace 2019-03-24 09:58:50 -04:00
Isaac Connor 8f28ba0be3 beter debug and less often when no terms in parseFilter 2019-03-22 17:28:12 -04:00
Isaac Connor 6d4d353209 fix namespace on MontageLayout 2019-03-22 17:27:58 -04:00
Isaac Connor 7f7acc18ee spacing and code doc 2019-03-21 14:14:30 -04:00
Isaac Connor f434042c52 fix spacing 2019-03-21 14:14:15 -04:00
Isaac Connor 6efeab5f8d improve readability of parseFilter 2019-03-20 14:26:48 -04:00
Isaac Connor 3f9564c10a Merge branch 'master' into storageareas 2019-03-19 10:37:35 -04:00
Isaac Connor 72b87a7c00 Add code to be a bit more careful about not deleting all events when an incomplete event object is used. 2019-03-19 09:36:58 -04:00
Isaac Connor 520c41da23 Merge ../ZoneMinder.connortechnology.bad into storageareas 2019-03-18 14:40:03 -04:00
Matthew Noorenberghe 3c31dd63ce Use zm_session_start() for API auth. Fixes #2547 2019-03-11 00:27:46 -07:00
Isaac Connor 6c8eac1ac8 Merge branch 'storageareas' into h265 2019-03-06 11:10:01 -05:00
Isaac Connor fa124eb29a Merge branch 'master' of github.com:zoneminder/ZoneMinder 2019-03-05 14:35:15 -05:00
Isaac Connor 0022dbfb76 add a newline to improve readability 2019-03-05 14:31:39 -05:00
Isaac Connor e59eb510e3 update and fix the donate popup 2019-03-05 13:10:04 -05:00
Isaac Connor 73ae3f49ed Merge branch 'master' into storageareas 2019-03-05 11:35:55 -05:00
Isaac Connor 7779edb485 Fix saving multiple monitors at once by moving the relevant code to includes/actions/monitors.php 2019-03-05 11:02:37 -05:00
Isaac Connor 49a1954f96 fix typo and remove deprecated DefaultView 2019-03-05 11:01:39 -05:00
Isaac Connor 8b29c5f54c Fix typo: Ineterval to Interval 2019-03-05 10:58:23 -05:00
Isaac Connor f446e73ff7 Typo: AnalysisUpdateDelete to AnalysisUpdateDelay 2019-03-05 10:55:27 -05:00
Isaac Connor 778707c8df Merge branch 'master' into storageareas 2019-03-04 14:33:28 -05:00
Isaac Connor 96e29c0299 fix up remaining issues with cycle updates 2019-03-04 13:35:40 -05:00
Isaac Connor 190142b24c Merge branch 'master' into storageareas 2019-03-01 17:47:07 -05:00
Isaac Connor 7703661cb1 Don't use streaming port in UrlToIndex because xmlHttpRequest won't send cookies to a different port 2019-03-01 17:25:17 -05:00
Isaac Connor 466c379e94 Merge branch 'master' into storageareas 2019-03-01 14:03:49 -05:00
Isaac Connor 675b4975b0 Fix control presets 2019-03-01 13:37:34 -05:00
Isaac Connor 20fe502ca4 Add ZM to ErrorHandler. Spacing and quotes 2019-02-27 12:02:40 -05:00
Isaac Connor af9c87a112 Merge branch 'master' into storageareas 2019-02-27 10:53:19 -05:00
Isaac Connor 6e4444099b Only populate session with user info on successful login. Use parameters in sql when loading users in getAuthUser. Fixes #2542 2019-02-27 09:57:50 -05:00
Isaac Connor c0ae7820bb add zmeventnotification to Server object 2019-02-27 09:28:36 -05:00
Isaac Connor df3e11d83c Fix authentication in api because we no longer store the user object in the session 2019-02-26 17:01:45 -05:00
Isaac Connor a00e2381b7 Merge branch 'master' into storageareas 2019-02-26 11:33:29 -05:00
Isaac Connor 92dc7878de
Fix 2340 (#2368)
* include includes/functions.php so that we have access to all it's contents

* add a beforeDelete function which deletes the files.  Add other needed functions like Path() LinkPath() etc.

* add require_once for Storage and functions because we use them in Event

* Now that ZM has namespaces use the ZM Event class to do the heavy lifting of delete

* Don't need functions in AppController anymore
2019-02-26 11:28:56 -05:00
Isaac Connor 5da51d51bc Merge branch 'master' into storageareas 2019-02-26 10:55:51 -05:00
Isaac Connor 53c0fae688 Merge fix from storageareas for archive/delete in events list 2019-02-26 10:22:58 -05:00
Isaac Connor 2187dea2aa add namespace to Warnings 2019-02-25 15:11:08 -05:00
Isaac Connor 46c6735311 Missing namespace on filter. Fixes #2541 2019-02-24 10:02:49 -05:00
Isaac Connor fd310c0f0a Merge branch 'master' into storageareas 2019-02-22 11:33:47 -05:00
Isaac Connor 2b90bf15a6
Improve session (#2487)
* Introduce ZM_COOKIE_LIFETIME which sets the life of the SESSION cookie, instead of using what is in php.ini

* Use zm specific session functions, which are now located in includes/session.php.  Be more agressive about clearing session on logout.

* Move session code to includes/session.php

* remove duplicate line

* Move is_session_open to session.php.  Move code to clear a session into session.php

* improve debug line when there is a problem updating config entry

* split description into description and help text for COOKIE_LIFETIME

* Remove redirect on line.  We do it in javascript on postlogin view so that we can say logging in before switching to console

* If there is a username in the session, then we are logged in, but we need to load the user object from the db.  We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request.

* Use session_regenerate_id instead of our broken code to do the same

* Move auth code to includes/auth.php

* add autocomplete tags to username and password inputs

* Don't redirect to login if we are already viewing login.  Put auth before including skin includes

* need to include session.php in auth.php

* update to php namespace
2019-02-22 09:43:38 -05:00
Isaac Connor 410cb70ddb
get rid of js that just does the form submit. Upgrade the button from an input to a button. Use 0 and 1 instead of accept and decline, which allows us to pre-select the current value of ZM_TELEMETRY_DATA. So that if you had previously declined, you won't accidentally accept. This fixes the reported error that choosing decline would cause the setting to not be saved and the privacy popup to happen again. (#2534) 2019-02-22 09:20:54 -05:00
Isaac Connor 8dd8888975
Php namespace (#2537)
* experiment with namespaces on the Server class

* experiment with namespaces on the Server class

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects

* Implement the ZM namespace on objects
2019-02-22 09:19:07 -05:00
Isaac Connor 8837015239 remove bogus test for Filter Id 2019-02-19 13:54:25 -05:00
Isaac Connor 6d1541a4d2 Merge branch 'fix_privacy_view' into storageareas 2019-02-19 12:57:01 -05:00
Isaac Connor 97a888c0db get rid of js that just does the form submit. Upgrade the button from an input to a button. Use 0 and 1 instead of accept and decline, which allows us to pre-select the current value of ZM_TELEMETRY_DATA. So that if you had previously declined, you won't accidentally accept. This fixes the reported error that choosing decline would cause the setting to not be saved and the privacy popup to happen again. 2019-02-19 12:54:12 -05:00
Isaac Connor 5029d7214a Merge branch 'master' into storageareas 2019-02-18 17:00:45 -05:00
Mitch Capper b646284da3 don't quote dbEscape values it will quote it already (#2529) 2019-02-17 11:31:28 -05:00
Isaac Connor b25770a2f0 Merge branch 'master' into storageareas 2019-02-13 11:52:31 -05:00
Isaac Connor d0745da11c fix path to Control.php 2019-02-13 11:52:16 -05:00
Isaac Connor dd641793a2 Merge branch 'improve_session' into storageareas 2019-02-13 11:17:30 -05:00
Isaac Connor 91a280e56e need to include session.php in auth.php 2019-02-13 11:17:15 -05:00
Isaac Connor a3374aa26c Merge branch 'reload_zmfilter_on_filter_save' into storageareas 2019-02-11 13:26:53 -05:00
Isaac Connor 5695be9f32 rough in a control function in Filter object. Use it to start/stop zmfilter processes when filters are deleted or Saved. 2019-02-11 13:21:00 -05:00
Matthew Noorenberghe cdbd59f054 bandwidth.php: Submit to the 'bandwidth' view but render the 'none' view. Fixes #2493 2019-02-10 13:22:08 -08:00
Isaac Connor 555cb4780d Merge branch 'master' into storageareas 2019-02-10 12:37:45 -05:00
Matthew Noorenberghe a6ee79f428 Fix typo in dbc1c7b72f comment 2019-02-09 22:40:39 -08:00
Matthew Noorenberghe dbc1c7b72f Only output the CSRF Try Again button (and add a warning) when ZM_LOG_DEBUG is on. Fixes #2469 2019-02-09 22:39:54 -08:00
Matthew Noorenberghe a97711de89 Replace or sanitize remaining uses of PHP_SELF. Fixes #2446 2019-02-09 22:12:36 -08:00
Matthew Noorenberghe effd609ff7 Escape output of state names. Fixes #2475 2019-02-09 20:40:08 -08:00
Matthew Noorenberghe c9d597dced logger.php: Don't output Panic messages unless debugging is on. Fixes #2460 2019-02-09 18:51:30 -08:00
Matthew Noorenberghe 6d2f3c265f events.php: Remove inline event handlers and enforce CSP 2019-02-09 17:34:59 -08:00
Matthew Noorenberghe fcbc22b6a2 functions.php: Ensure 'limit' request parameter is an integer. Fixes #2456 2019-02-09 17:27:47 -08:00
Matthew Noorenberghe 502f53fad0 functions.php: Fix SQLi in getFormChanges 2019-02-09 17:15:02 -08:00
Matthew Noorenberghe 254b7286b4 monitor.php: Escape SignalCheckColour to prevent XSS. Fixes #2451 2019-02-09 16:41:54 -08:00
Matthew Noorenberghe b2a97ee190 frame.php: Fix multiple XSS from 'show' and 'scale' parameters and enforce CSP.
Fixes #2448, fixes #2449, and fixes #2447.
2019-02-09 15:10:45 -08:00
Matthew Noorenberghe c8066919ff functions.php: Esacepe textContent in htmlOptions() 2019-02-09 14:14:46 -08:00
Matthew Noorenberghe 98e0a0d2c5 Don't output Fatal(...) error messages unless debugging is on to avoid leaking info. Fixes #2459 2019-02-09 02:18:57 -08:00
Matthew Noorenberghe 02f09aad7f view=export: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2443 2019-02-09 02:01:26 -08:00
Matthew Noorenberghe 0b38e72f88 view=download: Remove inline event handlers and fix arbitrary URL/XSS usage. Fixes #2441 2019-02-09 01:16:32 -08:00
Isaac Connor d33e094526 Merge branch 'master' into storageareas 2019-02-06 17:03:41 -05:00
Isaac Connor 8e62c93f5f add to_json function to Storage. 2019-02-06 11:44:36 -05:00
Isaac Connor d121ecab75 Merge branch 'improve_session' into storageareas 2019-02-05 15:48:42 -05:00
Isaac Connor 141f2afc8c Merge branch 'master' into storageareas 2019-02-05 15:46:58 -05:00
Isaac Connor 21702dcc68 Merge branch 'master' into improve_session 2019-02-05 12:35:29 -05:00
Isaac Connor c54fe7e89a fix state actions 2019-02-05 12:35:06 -05:00
Isaac Connor cb0d9325e6 Use session_regenerate_id instead of our broken code to do the same 2019-02-05 11:45:09 -05:00
Isaac Connor 2466d765bf If there is a username in the session, then we are logged in, but we need to load the user object from the db. We can't just trust it from the session. The user may have been deleted and having that data in the session can be a security risk. So load the user object on every request. 2019-02-05 11:44:45 -05:00
Isaac Connor 5a9083fe86 Remove redirect on line. We do it in javascript on postlogin view so that we can say logging in before switching to console 2019-02-05 11:40:58 -05:00
Isaac Connor 97e3a8178a use session_regenerate_id instead of other strange code 2019-01-30 16:08:09 -05:00
Isaac Connor b09a71d0e2 code style 2019-01-30 16:06:16 -05:00
Isaac Connor 71f961d012 remove redirect to console on login, as it is done in javascript after Logging in message is displayed 2019-01-30 16:05:51 -05:00
Isaac Connor 4e10e6f0ae Merge branch 'improve_session' into storageareas 2019-01-30 15:26:37 -05:00
Isaac Connor 9a3aa49bae Merge branch 'fix_bandwidth' into storageareas 2019-01-30 15:18:16 -05:00
Isaac Connor 533d021dea Merge branch 'master' into storageareas 2019-01-30 15:17:27 -05:00
Isaac Connor 604dbf8776 fix state changing/etc 2019-01-30 14:36:46 -05:00
Isaac Connor 2e2404643f Fix bandwidth due to new actions code. Update buttons on bandwidth popup 2019-01-30 13:20:24 -05:00
Isaac Connor cc0b5e0f1f Move is_session_open to session.php. Move code to clear a session into session.php 2019-01-30 12:52:01 -05:00
Isaac Connor 0eba430932 remove duplicate line 2019-01-30 11:05:43 -05:00
Isaac Connor 85bb70df68 Use zm specific session functions, which are now located in includes/session.php. Be more agressive about clearing session on logout. 2019-01-30 11:05:19 -05:00
Matt N 8c5687ca30 Fix name/protocol XSS in controlcaps.php. Fixes #2445 (#2479) 2019-01-25 08:35:07 -05:00
Matt N fd6179d7c8 Enforce CSP on many more views (#2480) 2019-01-25 08:34:29 -05:00
Matthew Noorenberghe 47d8c9b066 plugin.php: Remove undefined onclick function reference and enforce CSP
Also fix tag closing.
2019-01-23 19:47:58 -08:00
Isaac Connor 6eb4d7ae27
Filter improvements (#2438)
* Put back code to close the popup when view is none

* clean up and reduce depth of some logic

* Increase width of user popup

* fix code style

* Make execute_filter work on a filter Id instead of name

* rework logic to reduce code depth. Change view to events to display the results of execute.

* Change the redirect to stay on the new view.  When redirecting from executing a filter, it was redirecting to filter.

* Set a form action for correctness. Change execute button to a button instead of a submit. Stay on the filter view when executing
2019-01-23 11:30:51 -05:00
Isaac Connor cc8de69eba Merge branch 'master' into storageareas 2019-01-22 11:44:42 -05:00
Isaac Connor ae703c45ee Set closePopup=true so that we don't need code in the none view to close the popup. The common code in skin.js will take care of it. 2019-01-22 09:14:33 -05:00
Matt N 0619a4a161 Validate cnj, obr, and cbr arguments in parseFilter (#2434) 2019-01-22 08:03:25 -05:00
Isaac Connor 7260f823cb Merge branch 'master' into storageareas 2019-01-21 13:52:38 -05:00
Isaac Connor a2d4dc974b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-21 11:19:07 -05:00
Isaac Connor fbc236128e add a function to format a time into a duration. Can't use date() because 0 doesn't give us 00:00:00 it gives 19:00:00 2019-01-21 11:16:14 -05:00
Isaac Connor b24b930f65 After login go to postlogin, not console. the login view is in a popup so we want to close 2019-01-21 11:15:36 -05:00
Matt N d7ebc85d81 Replace remaining `console` inline event handlers (#2432)
* Use a hidden submit button in _monitor_filters rather than onkeydown

* events/console: Convert checkbox header toggle inline event listeners
2019-01-21 11:11:40 -05:00
Matt N 35fb4366b6 Fix recaptcha support with the CSP (#2420) 2019-01-19 09:47:04 -05:00
Matt N 4e48939660 Add a validateForm event listener and enforce CSP on some views (#2425)
* Add a validateForm event listener and enforce CSP on the controlcap view

* filter.php: Use .validateFormOnSubmit

* server.php: Use .validateFormOnSubmit and fix makePopupButton condition check

* Use .validateFormOnSubmit and enforce CSP on the storage view
2019-01-19 09:41:53 -05:00
Isaac Connor 552e14a971 Merge branch 'master' into storageareas 2019-01-18 10:36:59 -05:00
Matt N 6bb5aa1b87 More inline JS / nonce conversions (#2415)
* monitor.php: Add nonce and move <script> inside </body>

* export_functions.php: Untested: Add @nonce to <script>

* blank.php: Add @nonce to <script> and add to CSP enforced views

* Enforce CSP on login and privacy views

* group.php: Add nonce and move <script> inside </body>

* filter.php: Add @nonce to <script>

* Fix updateButtons argument on the filter page upon change and page load

* events.php: Add @nonce to <script>
2019-01-18 09:51:06 -05:00
Isaac Connor 599769b701 rework logic of functions to be more verbose about errors. Implement javascript Nonce support when view=none 2019-01-17 08:50:33 -05:00
Isaac Connor 87d1390fed Merge branch 'storageareas' into h265 2019-01-16 15:20:17 -05:00
Isaac Connor f49dd93b6a Merge branch 'master' into storageareas 2019-01-16 14:39:56 -05:00
Isaac Connor 1f3da476b8 switch to single quotes 2019-01-16 14:04:24 -05:00
Isaac Connor b1cc0c2b82 add CSP nonce to CSRF rewriting 2019-01-16 14:04:07 -05:00
Isaac Connor d8ef33396a If multi-port is on, we need to output CORS headers 2019-01-16 13:44:57 -05:00
Isaac Connor ba21820fd0 fix typo 2019-01-16 12:10:34 -05:00
Isaac Connor eee1d871e0 get rid of default value for PathToIndex so that it will use PHP_SELF instead 2019-01-16 12:09:26 -05:00
Matt N d33fec9c3f Add a CSP script-src policy with nonce-source and convert more inline event handlers (#2413)
* Add Content-Security-Policy-Report-Only: script-src 'self' 'nonce-' policy

* Use @data-on-click-this to attach inline click event handlers which expect being called with 'this'

Only handle ones that don't return a value.

* Use @data-on-click to attach inline click event handlers with no args and no return value

* Use @data-on-click-true to attach inline click event handlers with 'true' as the only argument

* Enforce a script-src CSP on views without inline JS

* Convert some onchange attributes to data-on-change
2019-01-16 09:59:58 -05:00
Isaac Connor fd696bc066 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-15 11:38:56 -05:00
Isaac Connor 3182d8bab7 implement to_json method so that defaults get included 2019-01-15 11:36:56 -05:00
Andrew Bauer 07d8ac1d49 implement timezone check function (#2387)
* implement timezone check function

* remove comment

* also check if the timezone is valid

* whitespace
2019-01-15 09:05:11 -05:00
Matt N 083f284599 Replace onclick inline event handlers for createPopup (#2410)
* Move <script> before </body>

* Change makePopupLink to not use onclick

* Change makePopupButton to not use onclick

* Use .popup-link in control_functions.php

* Use makePopupButton in controlcaps.php

* Prevent double-encoding in makePopup*

* Use makePopupButton in devices.php

* Use makePopupButton in logout.php

* Use makePopupLink in monitor.php

* Use makePopupLink and .popup-link in montage.php

* Use makePopupButton in options.php

* Use makePopupButton, makePopupLink, and .popup-link in zones.php
2019-01-15 09:01:58 -05:00
Isaac Connor f726666f54 Merge branch 'master' into h265 2019-01-14 12:36:11 -05:00
Isaac Connor fc7403fe3d Merge branch 'master' into storageareas 2019-01-13 14:53:34 -05:00
Isaac Connor c834fbe462 the filter action should singular filter, not filters 2019-01-13 14:52:39 -05:00
Isaac Connor b373577589 fix function view after actions cleanup 2019-01-10 12:08:25 -05:00
Isaac Connor f3a807f1f8 Merge branch 'master' into storageareas 2019-01-07 09:21:25 -05:00
Isaac Connor b4f8500cb5 Merge branch 'split_actions' 2019-01-05 18:33:04 -05:00
Isaac Connor 3f10553464 Fix include path to Monitors.php 2019-01-05 18:32:53 -05:00
Isaac Connor 1a75cf333e Merge branch 'master' into storageareas 2019-01-05 11:12:38 -05:00
Isaac Connor e34a5e972a fix missing } 2019-01-05 11:12:26 -05:00
Isaac Connor 8eb61b1c11 Merge branch 'master' into storageareas 2019-01-05 10:16:38 -05:00
Isaac Connor 5b5905c83a We always use markEids[] now 2019-01-04 16:29:16 -05:00
Isaac Connor 0e20666992 fix eventdetail actions being in events 2019-01-04 15:43:31 -05:00
Isaac Connor ab198bfd75 remove master version of actions.php 2019-01-04 15:29:21 -05:00
Isaac Connor 52466c398b Merge branch 'split_actions' into storageareas 2019-01-04 15:28:55 -05:00
Isaac Connor b8d065275b Merge branch 'master' into storageareas 2019-01-04 15:22:18 -05:00
Isaac Connor e2f32ab091 Upgrade config saving 2019-01-04 09:43:36 -05:00
Isaac Connor 7ec96655c3 fix missing ! when testing for permission on editing config 2019-01-04 09:37:26 -05:00
Isaac Connor 5b9bf48945 Merge branch 'master' into split_actions 2019-01-04 09:35:54 -05:00
Isaac Connor 46adcbb66b Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2019-01-04 09:34:51 -05:00
Isaac Connor edeaa07c12 Fix no quotes around Id 2019-01-04 09:34:42 -05:00
Isaac Connor 6cad852e11 fix path to MontageLayout 2019-01-04 09:34:18 -05:00
Isaac Connor dbe9817bc8 Split actions.php into individual files per view 2019-01-04 09:26:34 -05:00
Isaac Connor 874930d8fc Merge branch 'master' into improve_config_efficiency 2019-01-02 13:07:53 -05:00
Isaac Connor 5060358870 Merge branch 'master' into storageareas 2018-12-29 09:56:53 -05:00
Andrew Bauer d14e9ecf74 force overloadframes and ExtendAlarmFrames to int (#2373) 2018-12-29 09:53:31 -05:00
Isaac Connor 1a1231fdaa Merge branch 'master' into storageareas 2018-12-28 10:47:27 -05:00
Andrew Bauer a029909972 fix path to thumb and anal images (#2367) 2018-12-28 10:46:13 -05:00
Andrew Bauer fb37fc48e1 update viewImagePatch (#2370) 2018-12-28 10:38:39 -05:00
Andrew Bauer 5f9a113da1
redirect to montage rather than montagereview 2018-12-26 10:34:01 -06:00
Isaac Connor 2b8fa653ed Merge branch 'small_groups_fixes' into storageareas 2018-12-24 09:48:36 -05:00
Isaac Connor e0cae5709f Group::find is now more powerful so we can just use it to return all Groups to be deleted 2018-12-24 09:39:40 -05:00
Isaac Connor 63199289ad Change depth function to be 0-based. 2018-12-24 09:38:55 -05:00
Isaac Connor 7a8beffdcc Merge branch 'master' into storageareas 2018-12-20 15:10:52 -05:00
Isaac Connor a277f697e9 whitespace 2018-12-20 14:58:38 -05:00
Isaac Connor 0bfe1007c8 Merge branch 'master' into storageareas 2018-12-14 10:16:08 -05:00
Mike Rosack 567b60ffa7 support for forwarded proto/port in Server.php (#2343) 2018-12-13 10:24:32 -05:00
Andrew Bauer 8d74354fcb
Merge pull request #2242 from connortechnology/cleanup_auth
Cleanup auth
2018-12-12 20:53:24 -06:00
Isaac Connor eba8b3327d Merge branch 'master' into cleanup_auth 2018-12-11 16:04:42 -05:00
Andrew Bauer 4d7e98475f
Merge pull request #2297 from connortechnology/introduce_getBodyTopHTML
Introduce get body top html
2018-12-11 09:35:54 -06:00
Isaac Connor c8c34d3f95 Merge branch 'master' into storageareas 2018-12-11 10:21:22 -05:00
Isaac Connor e1ecd47bff Fix missing use of UrlToApi 2018-12-11 09:40:40 -05:00
Isaac Connor a1141d2dc4 remove second use of HTTP_HOST and use a better method of stripping off port from HTTP_HOST 2018-12-07 08:39:23 -05:00
Isaac Connor 757e538550 strip port from HTTP_HOST 2018-12-06 17:12:03 -05:00
Isaac Connor bc5f8d0d8d rework pts/dts of audio stream. Spacing. Fix crash 2018-12-04 18:23:08 -05:00
Isaac Connor 2df6d74a3e Merge branch 'master' into storageareas 2018-12-02 17:15:12 -05:00
Andrew Bauer e327ad100e fix WebSite camera startup issue 2018-12-01 17:03:50 -06:00
Andrew Bauer cae6ffd5a3 use HTTP_HOST instead of SERVER_NAME 2018-12-01 13:27:08 -06:00
Isaac Connor 4272225a17 Merge branch 'master' into h265 2018-11-30 16:42:16 -05:00
Isaac Connor 7d90a56561 Merge branch 'master' into storageareas 2018-11-30 14:46:42 -05:00
Isaac Connor 8c626c984b Need to pass port through all Url functions 2018-11-30 14:45:58 -05:00
Isaac Connor fe45e83bb4 Fix PathToIndex 2018-11-29 15:54:25 -05:00
Isaac Connor 4cf7ff7fe4 Merge branch 'server_path_prefix' into storageareas 2018-11-29 15:53:58 -05:00
Isaac Connor 3bd5774ea1 Default to PathToIndex should have the index.php in it 2018-11-29 15:53:19 -05:00
Isaac Connor af2bb992e9 Merge branch 'server_path_prefix' into storageareas 2018-11-29 14:33:46 -05:00
Isaac Connor 1c17f334d3 fix missing bits. Implement UrlToIndex in Monitor and fix use of Url(). Implement PathToApi as well 2018-11-29 14:26:30 -05:00
Isaac Connor 4625f7c879 Merge branch 'master' into storageareas 2018-11-28 10:46:49 -05:00
Isaac Connor 1e915e9567 Merge branch 'master' into server_path_prefix 2018-11-28 10:45:36 -05:00
Isaac Connor 57acb2aac6 Merge branch 'server_path_prefix' into storageareas 2018-11-28 10:41:11 -05:00
Isaac Connor f8b2ff5c77 rework from Url() to PathToIndex(), PathToZMS(), UrlToIndex() and UrlToZMS() 2018-11-27 17:35:25 -05:00
Isaac Connor 17c1933913 remove an extra l 2018-11-26 16:20:15 -05:00
Isaac Connor 19f3cce41f Dont auto-guess pathPrefix 2018-11-23 13:54:14 -05:00
Isaac Connor 7ad19be0d7 Merge branch 'server_path_prefix' into storageareas 2018-11-23 13:29:01 -05:00
Isaac Connor dea5db9dd9 Merge branch 'zmaudit_check_other_storageareas' into storageareas 2018-11-23 11:11:39 -05:00
Isaac Connor c5f7fb7b18 Merge branch 'master' into server_path_prefix 2018-11-22 10:04:33 -05:00
Isaac Connor 62e511cfd1 Merge branch 'master' into h265 2018-11-17 10:41:20 -05:00
Isaac Connor 415d43fafb Include Server Name when testing for CORS. Also be case insensitive. 2018-11-15 12:23:52 -05:00
Isaac Connor e24a308481 Merge branch 'master' into h265 2018-11-14 17:15:37 -05:00
Isaac Connor 9d5772b517 Merge branch 'fix_multiserver_daemon_restarting' into storageareas 2018-11-14 13:02:30 -05:00
Isaac Connor 786ca5b22a implement remove service restart for zma. Use daemonControl instead of saving the monitor when restarting zmc 2018-11-14 13:00:19 -05:00
Isaac Connor e8ed1367d7 Merge branch 'master' into storageareas 2018-11-13 14:22:00 -05:00
Isaac Connor ec09a71ba0 Include defaults for all the missing Monitor Columns 2018-11-07 13:18:53 -05:00
Isaac Connor 702143e51b Create a function called getBodyTopHTML that outputs the body tag and anything else that should go at the top.
Things like the we require javascript message, and any other messages like error messages.
Use this on the monitor and console view to stick an error message at the top when saving a monitor fails.

This is a pretty quick, crude implementation.
2018-11-07 12:33:54 -05:00
Isaac Connor a066968aca fix dbError and cause it to return the error string instead of just logging it. Add error logging of db errors that don't throw exceptions. 2018-11-07 12:33:18 -05:00
Isaac Connor eb6d978927 Merge branch 'master' into storageareas 2018-10-31 14:47:43 -04:00
Isaac Connor bdb50567df fix disk_event_space to event_disk_space 2018-10-31 11:56:08 -04:00
Isaac Connor 461ce3c1f8 Merge branch 'master' into storageareas 2018-10-29 12:52:06 -04:00
Isaac Connor 6691b5fb52 Include CORS headers when there is a Server defined, instead of requiring there to be more than 1 2018-10-29 12:50:50 -04:00
Isaac Connor 95a6d0666a Improve behaviour and reduce extra logging when db goes away 2018-10-29 09:59:26 -04:00
Isaac Connor 91d83a89fa include semaphore function replacements 2018-10-25 15:40:12 -04:00
Isaac Connor d025adab6d Need to load Config Categories in options save 2018-10-25 09:13:07 -04:00
Isaac Connor 875bc3caf9 Merge branch 'master' into storageareas 2018-10-24 10:17:27 -04:00
Isaac Connor ca8770bd5a Merge branch 'fix_rce' into storageareas 2018-10-24 10:17:16 -04:00
Isaac Connor 115141bf9f add caching to Group::find 2018-10-24 10:02:42 -04:00
Isaac Connor a8329465fb Merge branch 'master' into h265 2018-10-22 10:30:01 -04:00
Isaac Connor c47b4a5a04 Merge branch 'improve_config_efficiency' into storageareas 2018-10-19 15:03:00 -04:00
Isaac Connor e30b100e8e Don't load & process categories in initial config loading 2018-10-19 15:00:30 -04:00
Isaac Connor 17a5519dd6
Include the remoteAddr in the session authhash cache, so that a change of ip won't allow the same useless auth hash. (#2264) 2018-10-19 13:39:37 -04:00
Isaac Connor 98579fc02a Merge branch 'master' into storageareas 2018-10-19 11:27:43 -04:00
Isaac Connor f9b1453705 Include SERVER_PORT when not doing multi-server or multi-port but are running on a port other than 80. 2018-10-19 10:59:16 -04:00
Isaac Connor c2af380e29 Merge branch 'master' into storageareas 2018-10-16 11:39:26 -04:00
Isaac Connor 37065d15ac fix url to api in monitor restart. 2018-10-16 09:47:24 -04:00
Isaac Connor 7149576a7c Merge branch 'smarter_packetqueue' into storageareas 2018-10-15 10:59:50 -04:00
Isaac Connor f2b38f175d Update Frame::find_one so that we can specify an ordering for find_one and so that semantics match other objects find methods 2018-10-11 09:14:40 -04:00
Isaac Connor c4c8a728f2 Handle no controls found more gracefully 2018-10-10 19:04:00 -04:00
Isaac Connor 2881d2af3f Merge branch 'master' into storageareas 2018-10-10 14:13:27 -04:00
Isaac Connor 6ed146b4dd Use Hostname instead of Url in test for CORS access. 2018-10-10 14:01:36 -04:00
Isaac Connor e268264761 Merge branch 'cleanup_auth' into storageareas 2018-10-09 10:24:32 -04:00
Isaac Connor 1958351a13 Merge branch 'master' into storageareas 2018-10-09 10:24:24 -04:00
Isaac Connor cbc26e0cec cleanup trailing whitespace 2018-10-09 10:07:40 -04:00
Isaac Connor a3d0cb42ea Move GOOGLE RECAPCHA to includes/auth.php, clean login actions. 2018-10-09 10:05:50 -04:00
Isaac Connor 918d5fd469 move utility functions for doing get/post requests into functions.php from actions.php 2018-10-09 09:39:04 -04:00
Isaac Connor 52b1439d51 fix the lack of /zm/index.php in url in Server->Url() and multiport 2018-10-08 09:55:47 -04:00
Isaac Connor 1eb8e9ed9e Include PHP_SELF in url to Server. This will assume that all servers in a multi-server setup use the same path 2018-10-08 09:45:03 -04:00
Isaac Connor 5dba17e1fc Merge branch 'master' into storageareas 2018-09-21 10:50:10 -04:00
Isaac Connor 999e4c6c43 Merge branch 'master' of github.com:ZoneMinder/ZoneMinder 2018-09-20 13:37:46 -04:00
Isaac Connor 90d1d79e9a Add missing AutoUpload field to Filter 2018-09-20 13:37:36 -04:00
Isaac Connor 7fe2749de6 Merge branch 'master' into storageareas 2018-09-20 10:58:36 -04:00
Isaac Connor ba4878d2b5 fix use of instead of ['limit'] 2018-09-20 10:11:55 -04:00
Isaac Connor 503b40cb62 Need to cache the object not the row 2018-09-20 10:07:15 -04:00
Isaac Connor 520d1bb7bf Merge branch 'master' into storageareas 2018-09-20 09:08:29 -04:00
Isaac Connor c6e953c4a9 if Monitor is not found, return empty Monitor instead of null 2018-09-20 09:02:20 -04:00
Isaac Connor c4108a2610 Fix missing quotes inc Event::Monitor 2018-09-20 08:59:15 -04:00
Isaac Connor 7f98277571 Merge updated Monitor.php that does caching 2018-09-15 09:52:08 -04:00
Isaac Connor b0c555599c Merge updated objects from sa. Implements caching of objects and fixes logged errors when using the default storage group. Fixes #2209 2018-09-15 09:42:59 -04:00
Isaac Connor 5dc852132e Add defaults to Server, getting rid of error log when loading the default non existent storage area 2018-09-15 09:39:40 -04:00
Isaac Connor 246b50be9c add caching to Server 2018-09-15 09:39:04 -04:00
Isaac Connor 02403c4c30 add caching to Monitor 2018-09-15 09:38:52 -04:00
Isaac Connor 27bc9d0a50 fix $limit should be $options['limit'] 2018-09-15 09:38:36 -04:00
Isaac Connor 1db59283e3 use find_one when loading Monitor to take advantage of caching 2018-09-15 09:38:09 -04:00
Isaac Connor 2b66b28689 fix $limit should be $options['limit'] 2018-09-15 09:37:44 -04:00
Isaac Connor fa55cec12c fix error when scale is auto 2018-09-14 16:57:28 -04:00
Isaac Connor 77edb8f74b Add test for auto scale and don't rescale. Use find_one when loading StorageArea so as to use caching 2018-09-14 16:19:29 -04:00
Isaac Connor 34c7ee32ee Merge branch 'master' into storageareas 2018-09-14 15:13:57 -04:00
Isaac Connor f1442eba90 once we have found a match for our origin, break out of loop 2018-09-14 14:56:26 -04:00
Isaac Connor d9b1d3ec11 fix CORS Headers when we are coming from a non-standard port. Use a regexp instead of == so that we match regardless of port 2018-09-14 14:52:33 -04:00
Isaac Connor b5b71edbf6 Make a Url function in the Monitor object to use the Server->Url + Port. Default to port used in current url. Fixes problems with using something other than port 80 2018-09-14 14:26:45 -04:00
Isaac Connor 03f769eacc Rough in codec specification for Events 2018-09-10 12:22:55 -04:00
Isaac Connor 5eec7e00c5 Merge branch 'master' into storageareas 2018-09-09 14:09:52 -04:00
Isaac Connor 55dcb161ae find should always return an array 2018-09-09 13:59:10 -04:00
Isaac Connor b4f80fbe11 Always return an array from find 2018-09-09 13:56:29 -04:00
Isaac Connor e4c87ce256 Merge branch 'master' into storageareas 2018-09-09 11:36:52 -04:00
Isaac Connor dfdac2ed70 make find and find_one functions consistent across Objects 2018-09-07 16:31:11 -04:00
Isaac Connor c9b4f14171 fix deleting events 2018-09-04 09:57:32 -04:00
Isaac Connor 2858564155 Merge branch 'master' into storageareas 2018-08-31 16:06:13 -04:00
Isaac Connor 7ee80e7cca Debug lines should be debug, not warning 2018-08-31 11:58:03 -04:00
Isaac Connor 4b30ea7877 cleanup, whitespace 2018-08-31 10:35:23 -04:00
Isaac Connor 4e32089a48 Merge branch 'master' into storageareas 2018-08-30 14:51:27 -04:00
Andrew Bauer 8f0fb0843a Add Privacy Statement (#2194)
* initial implementation of privacy popup

* split the privacy text and run it through translate

* change style of toggle button, validate the form

* fix copy/paste error

* fix typos

* display privacy view inline rather than popup

* display privacy inline if show_privacy flag set

* redirect to console after selection is made

* typo

* css formatting

* update privacy verbiage

* create and load default.php

* fix typos

* fix erroneous copy/paste
2018-08-30 13:25:02 -04:00
Isaac Connor 4be2a0501c Merge branch 'master' into storageareas 2018-08-22 17:22:54 -04:00
Isaac Connor 21d193294f Log errors shouldn't be fatal 2018-08-22 17:22:40 -04:00