[ 'actions' => [ 'index' => 'Crud.Index', 'add' => 'Crud.Add', 'edit' => 'Crud.Edit', 'view' => 'Crud.View', 'keyvalue' => 'Crud.List', 'category' => 'Crud.Category' ], 'listeners' => ['Api', 'ApiTransformation'] #], #'DebugKit.Toolbar' => [ # 'bootstrap' => true, 'routes' => true ] ]; // Global beforeFilter function //Zoneminder sets the username session variable // to the logged in user. If this variable is set // then you are logged in // its pretty simple to extend this to also check // for role and deny API access in future // Also checking to do this only if ZM_OPT_USE_AUTH is on public function beforeFilter() { $this->loadModel('Config'); $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_API')); $config = $this->Config->find('first', $options); $zmOptApi = $config['Config']['Value']; if ($zmOptApi !='1') { throw new UnauthorizedException(__('API Disabled')); return; } $options = array('conditions' => array('Config.' . $this->Config->primaryKey => 'ZM_OPT_USE_AUTH')); $config = $this->Config->find('first', $options); $zmOptAuth = $config['Config']['Value']; if ( $zmOptAuth == '1' ) { require_once "../../../includes/auth.php"; $this->loadModel('User'); if ( isset($_REQUEST['user']) and isset($_REQUEST['pass']) ) { $user = $this->User->find('first', array ('conditions' => array ( 'User.Username' => $_REQUEST['user'], 'User.Password' => $_REQUEST['pass'], )) ); if ( ! $user ) { throw new UnauthorizedException(__('User not found')); return; } else { $this->Session->Write( 'user.Username', $user['User']['Username'] ); $this->Session->Write( 'user.Enabled', $user['User']['Enabled'] ); } } if ( isset($_REQUEST['auth']) ) { $user = getAuthUser($_REQUEST['auth']); if ( ! $user ) { throw new UnauthorizedException(__('User not found')); return; } else { if ( ! $this->Session->Write('user.Username', $user['Username']) ) $this->log("Error writing session var user.Username"); if ( ! $this->Session->Write('user.Enabled', $user['Enabled']) ) $this->log("Error writing session var user.Enabled"); } } # end if REQUEST['auth'] if ( ! $this->Session->read('user.Username') ) { throw new UnauthorizedException(__('Not Authenticated')); return; } else if ( ! $this->Session->read('user.Enabled') ) { throw new UnauthorizedException(__('User is not enabled')); return; } $options = array ('conditions' => array ('User.Username' => $this->Session->Read('user.Username'))); $userMonitors = $this->User->find('first', $options); $this->Session->Write('allowedMonitors',$userMonitors['User']['MonitorIds']); $this->Session->Write('streamPermission',$userMonitors['User']['Stream']); $this->Session->Write('eventPermission',$userMonitors['User']['Events']); $this->Session->Write('controlPermission',$userMonitors['User']['Control']); $this->Session->Write('systemPermission',$userMonitors['User']['System']); $this->Session->Write('monitorPermission',$userMonitors['User']['Monitors']); } else { // if auth is not on, you can do everything //$userMonitors = $this->User->find('first', $options); $this->Session->Write('allowedMonitors',''); $this->Session->Write('streamPermission','View'); $this->Session->Write('eventPermission','Edit'); $this->Session->Write('controlPermission','Edit'); $this->Session->Write('systemPermission','Edit'); $this->Session->Write('monitorPermission','Edit'); } } # end function beforeFilter() }