From 3d3903eadccfdfed9b8fa92f3b22a0e41488698c Mon Sep 17 00:00:00 2001
From: halworsen
Date: Sat, 11 Nov 2017 17:06:56 +0100
Subject: [PATCH] Check usergroups when accessing admin panel
---
 src/pvv/admin/usermanager.php | 2 +-
 www/admin/aktiviteter/delete.php | 13 +++++++++++++
 www/admin/aktiviteter/edit.php | 13 +++++++++++++
 www/admin/aktiviteter/index.php | 13 +++++++++++++
 www/admin/aktiviteter/update.php | 12 ++++++++++++
 www/admin/index.php | 12 ++++++++++++
 www/admin/prosjekter/delete.php | 13 +++++++++++++
 www/admin/prosjekter/edit.php | 14 ++++++++++++++
 www/admin/prosjekter/index.php | 13 +++++++++++++
 www/admin/prosjekter/update.php | 12 ++++++++++++
 10 files changed, 116 insertions(+), 1 deletion(-)
diff --git a/src/pvv/admin/usermanager.php b/src/pvv/admin/usermanager.php
index 0c2c858..b9f97f2 100644
--- a/src/pvv/admin/usermanager.php
+++ b/src/pvv/admin/usermanager.php
@@ -9,7 +9,7 @@ class UserManager{
 public $usergroups = [
 'admin' => 1,
 'prosjekt' => 2,
- 'hendelser' => 4
+ 'aktiviteter' => 4
 ];
 public function __construct($pdo){
diff --git a/www/admin/aktiviteter/delete.php b/www/admin/aktiviteter/delete.php
index 8be6c8f..f56cf37 100644
--- a/www/admin/aktiviteter/delete.php
+++ b/www/admin/aktiviteter/delete.php
@@ -3,6 +3,19 @@ require __DIR__ . '/../../../src/_autoload.php';
 require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'aktiviteter')){
+ echo 'Ingen tilgang';
+ exit();
+}
+
 $eventID = $_GET['id'];
 $query = 'DELETE FROM events WHERE id=\'' . $eventID . '\'';
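Review bot: The group check now gates delete.php, but the action it guards is still a GET request whose `$_GET['id']` is spliced straight into SQL on the context lines right below the guard (`'DELETE FROM events WHERE id=\'' . $eventID . '\''`), so any 'aktiviteter' member can inject SQL, and anyone who gets such a member's browser to load `delete.php?id=…` (an image tag, a link) deletes an event on their behalf. Use a prepared statement, `$stmt = $pdo->prepare('DELETE FROM events WHERE id = ?'); $stmt->execute([$_GET['id']]);`, and accept the request only as a POST carrying a CSRF token checked next to the group check. `$uname = $attrs['uid'][0]` also assumes the IdP released `uid`; if it did not, `$uname` is null and the outcome depends on how `hasGroup` treats that, so fail closed with `if (!isset($attrs['uid'][0])) { http_response_code(403); exit(); }` before the lookup. The statement run continues past the hunk, where the delete is presumably executed.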
diff --git a/www/admin/aktiviteter/edit.php b/www/admin/aktiviteter/edit.php
index ad6a8a9..807d6ad 100644
--- a/www/admin/aktiviteter/edit.php
+++ b/www/admin/aktiviteter/edit.php
@@ -7,6 +7,19 @@ require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'aktiviteter')){
+ echo 'Ingen tilgang';
+ exit();
+}
+
 $customActivity = new \pvv\side\DBActivity($pdo);
 $new = 0;
diff --git a/www/admin/aktiviteter/index.php b/www/admin/aktiviteter/index.php
index 15e8300..4597876 100644
--- a/www/admin/aktiviteter/index.php
+++ b/www/admin/aktiviteter/index.php
@@ -7,6 +7,19 @@ require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'aktiviteter')){
+ echo 'Ingen tilgang';
+ exit();
+}
+
 $customActivity = new \pvv\side\DBActivity($pdo);
 $events = $customActivity->getAllEvents();
diff --git a/www/admin/aktiviteter/update.php b/www/admin/aktiviteter/update.php
index c137af3..1df3a11 100644
--- a/www/admin/aktiviteter/update.php
+++ b/www/admin/aktiviteter/update.php
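Review bot: The refusal branch in edit.php, `echo 'Ingen tilgang'; exit();`, is sent with HTTP 200, so proxies, access logs and any uptime or security monitoring see a successful page load, and a browser may cache the refusal like content; send `http_response_code(403);` before the echo. The line `$uname = $attrs['uid'][0];` also reads the attribute unconditionally, which raises a notice and leaves `$uname` null if the SP did not receive `uid`, after which the decision rests on whatever `hasGroup` does with null; guard it with `if (!isset($attrs['uid'][0])) { http_response_code(403); exit(); }` so a missing attribute denies rather than depends. The page's statement run continues outside the hunk.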
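Review bot: The eleven-line SAML-plus-group guard added to index.php is the same text pasted into eight sibling admin pages in this commit with only the group name varying (prosjekter/edit.php already differs by one line), so the access policy now lives in nine copies that can drift independently — a renamed attribute, a status code or an audit log would have to be applied nine times. Move the guard into one shared include under src/ that takes the required group and returns the username, and call it from each page right after `$userManager` is created. The helper below is a sketch; the vendor autoload path must be adjusted to the helper's own location, and `hasGroup`'s handling of an unknown or null user is not visible here, so the explicit `isset` keeps the check fail-closed.
```php
// proposed shared guard, e.g. src/pvv/admin/guard.php; replaces the pasted block in every admin page
function requireGroup(\pvv\admin\UserManager $userManager, $group)
{
    // path relative to the helper's directory, not to www/admin/…
    require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
    $as = new SimpleSAML_Auth_Simple('default-sp');
    $as->requireAuth();
    $attrs = $as->getAttributes();
    // fail closed if the IdP did not release uid
    if (!isset($attrs['uid'][0]) || !$userManager->hasGroup($attrs['uid'][0], $group)) {
        http_response_code(403);
        echo 'Ingen tilgang';
        exit();
    }
    return $attrs['uid'][0];
}

// in www/admin/aktiviteter/index.php, after $userManager is created:
$uname = requireGroup($userManager, 'aktiviteter');
// … unchanged: $customActivity / getAllEvents() …
```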
@@ -5,6 +5,18 @@ require __DIR__ . '/../../../src/_autoload.php';
 require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'aktiviteter')){
+ echo 'Ingen tilgang';
+ exit();
+}
 if(!isset($_POST['title']) or !isset($_POST['desc']) or !isset($_POST['start']) or !isset($_POST['end']) or !isset($_POST['organiser']) or !isset($_POST['location'])){
 header('Location: ' . $_SERVER['HTTP_REFERER']);
diff --git a/www/admin/index.php b/www/admin/index.php
index b9c9a79..3f5e045 100644
--- a/www/admin/index.php
+++ b/www/admin/index.php
@@ -1,7 +1,19 @@
 setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
 $as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
 $attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!($userManager->isAdmin($uname) | $userManager->hasGroup($uname, 'prosjekt') | $userManager->hasGroup($uname, 'aktiviteter'))){
+ echo 'Ingen tilgang';
+ exit();
+}
 ?>
diff --git a/www/admin/prosjekter/delete.php b/www/admin/prosjekter/delete.php
index 4be135a..543d558 100644
--- a/www/admin/prosjekter/delete.php
+++ b/www/admin/prosjekter/delete.php
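Review bot: update.php is a state-changing POST handler (the `$_POST['title']`… checks follow the guard), and the added group check establishes who the actor is but not that the request came from the admin form, so a cross-site form post by a logged-in 'aktiviteter' member still goes through. Issue a per-session token in the edit form and verify it here before touching `$_POST`, e.g. `if (!isset($_POST['token'], $_SESSION['token']) || !hash_equals($_SESSION['token'], $_POST['token'])) { http_response_code(403); exit(); }` — this assumes a PHP session is available alongside the SAML session; if not, the SimpleSAMLphp session store can hold the token. The pre-existing `header('Location: ' . $_SERVER['HTTP_REFERER'])` on the context line redirects wherever the client's Referer points, so a fixed path to edit.php would be safer. The `if` that closes the hunk continues outside it.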
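Review bot: The new gate in www/admin/index.php joins three boolean results with the bitwise `|` rather than the logical `||`; it works only because `true | false` coerces to `1`, it evaluates all three lookups even after the first succeeds, and it reads as a typo. Use `if(!($userManager->isAdmin($uname) || $userManager->hasGroup($uname, 'prosjekt') || $userManager->hasGroup($uname, 'aktiviteter'))){`. Note also that this index admits anyone passing `isAdmin`, while every sub-page in the commit checks only `hasGroup` for its own group; unless `hasGroup` treats the admin bit as implying membership (UserManager's body is not visible here), an admin without the 'prosjekt' or 'aktiviteter' bit sees the index and is then refused on the pages it links to. The first context line of this hunk is garbled in this rendering (`setAttribute(…)` with its start missing), so the lines before `$userManager` could not be reviewed.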
@@ -3,6 +3,19 @@ require __DIR__ . '/../../../src/_autoload.php';
 require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'prosjekt')){
+ echo 'Ingen tilgang';
+ exit();
+}
+
 $projectID = $_GET['id'];
 $query = 'DELETE FROM projects WHERE id=\'' . $projectID . '\'';
diff --git a/www/admin/prosjekter/edit.php b/www/admin/prosjekter/edit.php
index 9f2ac7d..4c4e80d 100644
--- a/www/admin/prosjekter/edit.php
+++ b/www/admin/prosjekter/edit.php
@@ -6,6 +6,20 @@ require __DIR__ . '/../../../src/_autoload.php';
 require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
+$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'prosjekt')){
+ echo 'Ingen tilgang';
+ exit();
+}
+
 $projectManager = new \pvv\side\ProjectManager($pdo);
 $projects = $projectManager->getAll();
diff --git a/www/admin/prosjekter/index.php b/www/admin/prosjekter/index.php
index dbe69ea..c183937 100644
--- a/www/admin/prosjekter/index.php
+++ b/www/admin/prosjekter/index.php
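Review bot: The guard in prosjekter/delete.php sits in front of `$projectID = $_GET['id']` and `'DELETE FROM projects WHERE id=\'' . $projectID . '\''` on the context lines, so the destructive action remains a GET with user input concatenated into SQL; group membership limits who may trigger it, not what they can do with it, and a forged link loaded by any 'prosjekt' member still deletes. Replace the concatenation with `$stmt = $pdo->prepare('DELETE FROM projects WHERE id = ?'); $stmt->execute([$_GET['id']]);` and accept the request only as a POST carrying a CSRF token. Since this check is now the only point that knows who acted, log `$uname` together with the deleted id. The query's execution lies past the hunk.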
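Review bot: Enabling `PDO::ERRMODE_EXCEPTION` in prosjekter/edit.php (the added `$pdo->setAttribute(...)` line, which the sibling pages already had) is the right setting but is a behaviour change unrelated to the access check: every query this page runs, including the `hasGroup` lookup and `getAll()`, now throws instead of failing quietly, and an uncaught PDOException can print its message — SQL fragments included — to the browser when `display_errors` is on. Make sure production has `display_errors` off or wrap the page in a handler that logs and returns a generic 500, and mention the error-mode change in the commit message so it is not a surprise. The refusal branch should also send `http_response_code(403);` before `echo 'Ingen tilgang';` rather than answering 200. The page's statement run continues outside the hunk.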
@@ -7,6 +7,19 @@ require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'prosjekt')){
+ echo 'Ingen tilgang';
+ exit();
+}
+
 $projectManager = new \pvv\side\ProjectManager($pdo);
 $projects = $projectManager->getAll();
diff --git a/www/admin/prosjekter/update.php b/www/admin/prosjekter/update.php
index cfa57a5..294bc65 100644
--- a/www/admin/prosjekter/update.php
+++ b/www/admin/prosjekter/update.php
@@ -5,6 +5,18 @@ require __DIR__ . '/../../../src/_autoload.php';
 require __DIR__ . '/../../../sql_config.php';
 $pdo = new \PDO($dbDsn, $dbUser, $dbPass);
 $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$userManager = new \pvv\admin\UserManager($pdo);
+
+require_once(__DIR__ . '/../../../vendor/simplesamlphp/simplesamlphp/lib/_autoload.php');
+$as = new SimpleSAML_Auth_Simple('default-sp');
+$as->requireAuth();
+$attrs = $as->getAttributes();
+$uname = $attrs['uid'][0];
+
+if(!$userManager->hasGroup($uname, 'prosjekt')){
+ echo 'Ingen tilgang';
+ exit();
+}
 if(!isset($_POST['title']) or !isset($_POST['desc']) or !isset($_POST['organisername']) or !isset($_POST['organiser'])){
 header('Location: ' . $_SERVER['HTTP_REFERER']);
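Review bot: prosjekter/index.php admits only members of 'prosjekt', while www/admin/index.php in the same commit admits anyone passing `isAdmin`; unless `hasGroup` already treats the admin bit as implying every group (only the bitmask constants of UserManager are visible here), an admin without the 'prosjekt' bit reaches the admin index and is then refused on this page. Either widen this guard to `if(!($userManager->isAdmin($uname) || $userManager->hasGroup($uname, 'prosjekt'))){` or document on UserManager that admins are implicit members of every group, so the two checks agree by construction. Whichever way, the refusal should carry `http_response_code(403);` rather than a 200. The statement run continues past the hunk with `$projectManager->getAll()`.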