mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

refactor: Don't access $_SESSION directly for Auth (#8513)

Browse Source 
* Don't access $_SESSION directly for Auth

* fix style

* add property annotations
This commit is contained in:
Tony Murray
2018-04-07 15:55:28 -05:00
committed by Neil Lathwood
parent 2ece84495d
commit 7250376104
193 changed files with 949 additions and 510 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
html/includes/api_functions.inc.php
View File

@ -22,15 +22,15 @@ function authToken(\Slim\Route $route)
$token = $app->request->headers->get('X-Auth-Token');
if (!empty($token)
&& ($user_id = dbFetchCell('SELECT `AT`.`user_id` FROM `api_tokens` AS AT WHERE `AT`.`token_hash`=? && `AT`.`disabled`=0', array($token)))
&& ($username = Auth::get()->getUser($user_id))
&& ($user = Auth::get()->getUser($user_id))
) {
// Fake session so the standard auth/permissions checks work
$_SESSION = array(
'username' => $username['username'],
'user_id' => $username['user_id'],
'userlevel' => $username['level']
'username' => $user['username'],
'user_id' => $user['user_id'],
'userlevel' => $user['level']
);
$permissions = permissions_cache($_SESSION['user_id']);
$permissions = permissions_cache(Auth::id());
return;
}
@ -109,14 +109,14 @@ function check_port_permission($port_id, $device_id)
function check_is_admin()
{
if (!is_admin()) {
if (!Auth::user()->hasGlobalAdmin()) {
api_error(403, 'Insufficient privileges');
}
}
function check_is_read()
{
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
api_error(403, 'Insufficient privileges');
}
}
@ -342,9 +342,9 @@ function list_devices()
}
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
$sql .= " AND `device_id` IN (SELECT device_id FROM devices_perms WHERE user_id = ?)";
$param[] = $_SESSION['user_id'];
$param[] = Auth::id();
}
$devices = array();
$dev_query = "SELECT $select FROM `devices` AS d $join WHERE $sql GROUP BY d.`hostname` ORDER BY $order";
@ -572,9 +572,9 @@ function list_cbgp()
$sql = " AND `devices`.`device_id` = ?";
$sql_params[] = $device_id;
}
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
$sql .= " AND `bgpPeers_cbgp`.`device_id` IN (SELECT device_id FROM devices_perms WHERE user_id = ?)";
$sql_params[] = $_SESSION['user_id'];
$sql_params[] = Auth::id();
}
$bgp_counters = array();
@ -871,7 +871,7 @@ function get_port_graphs()
$params = array($device_id);
if (!device_permitted($device_id)) {
$sql = 'AND `port_id` IN (select `port_id` from `ports_perms` where `user_id` = ?)';
array_push($params, $_SESSION['user_id']);
array_push($params, Auth::id());
}
$ports = dbFetchRows("SELECT $columns FROM `ports` WHERE `device_id` = ? AND `deleted` = '0' $sql ORDER BY `ifIndex` ASC", $params);
@ -941,10 +941,10 @@ function get_all_ports()
validate_column_list($columns, 'ports');
$params = array();
$sql = '';
if (!is_read() && !is_admin()) {
if (!Auth::user()->hasGlobalRead()) {
$sql = ' AND (device_id IN (SELECT device_id FROM devices_perms WHERE user_id = ?) OR port_id IN (SELECT port_id FROM ports_perms WHERE user_id = ?))';
array_push($params, $_SESSION['user_id']);
array_push($params, $_SESSION['user_id']);
array_push($params, Auth::id());
array_push($params, Auth::id());
}
$ports = dbFetchRows("SELECT $columns FROM `ports` WHERE `deleted` = 0 $sql", $params);
@ -1270,9 +1270,9 @@ function list_bills()
} else {
$sql = '1';
}
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
$sql .= ' AND `bill_id` IN (SELECT `bill_id` FROM `bill_perms` WHERE `user_id` = ?)';
$param[] = $_SESSION['user_id'];
$param[] = Auth::id();
}
if ($period === 'previous') {
@ -1328,7 +1328,7 @@ function get_bill_graph()
$bill_id = mres($router['bill_id']);
$graph_type = $router['graph_type'];
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
check_bill_permission($bill_id);
}
@ -1354,7 +1354,7 @@ function get_bill_graphdata()
$bill_id = mres($router['bill_id']);
$graph_type = $router['graph_type'];
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
check_bill_permission($bill_id);
}
@ -1382,7 +1382,7 @@ function get_bill_history()
$router = $app->router()->getCurrentRoute()->getParams();
$bill_id = mres($router['bill_id']);
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
check_bill_permission($bill_id);
}
@ -1404,7 +1404,7 @@ function get_bill_history_graph()
$bill_hist_id = mres($router['bill_hist_id']);
$graph_type = $router['graph_type'];
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
check_bill_permission($bill_id);
}
@ -1448,7 +1448,7 @@ function get_bill_history_graphdata()
$bill_hist_id = mres($router['bill_hist_id']);
$graph_type = $router['graph_type'];
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
check_bill_permission($bill_id);
}
@ -1777,9 +1777,9 @@ function list_vrf()
$sql = " AND `vrfs`.`vrf_name`=?";
$sql_params = array($vrfname);
}
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
$sql .= " AND `vrfs`.`device_id` IN (SELECT device_id FROM devices_perms WHERE user_id = ?)";
$sql_params[] = $_SESSION['user_id'];
$sql_params[] = Auth::id();
}
$vrfs = array();
@ -1850,9 +1850,9 @@ function list_vlans()
$sql = " AND `devices`.`device_id` = ?";
$sql_params[] = $device_id;
}
if (!is_admin() && !is_read()) {
if (!Auth::user()->hasGlobalRead()) {
$sql .= " AND `vlans`.`device_id` IN (SELECT device_id FROM devices_perms WHERE user_id = ?)";
$sql_params[] = $_SESSION['user_id'];
$sql_params[] = Auth::id();
}
$vlans = array();