mirror of
https://github.com/librenms/librenms.git
synced 2024-10-07 16:52:45 +00:00
* Security fix: unauthorized access Affects nginx users: Moved php files outside of public html directory (Apache was protected by .htaccess) Affects all users: Some files did not check for authentication and could disclose some info. Better checks before including files from user input * git mv html/includes/ includes/html git mv html/pages/ includes/html/
100 lines
3.7 KiB
PHP
100 lines
3.7 KiB
PHP
<?php
|
|
/* Copyright (C) 2015 Daniel Preussker, QuxLabs UG <preussker@quxlabs.com>
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. */
|
|
|
|
/**
|
|
* Notification Page
|
|
* @author Daniel Preussker
|
|
* @copyright 2015 Daniel Preussker, QuxLabs UG
|
|
* @license GPL
|
|
* @package LibreNMS
|
|
* @subpackage Notifications
|
|
*/
|
|
|
|
use LibreNMS\Authentication\LegacyAuth;
|
|
|
|
header('Content-type: application/json');
|
|
|
|
if (!isset($_REQUEST['action'])) {
|
|
die(json_encode([
|
|
'status' => 'error',
|
|
'message' => 'ERROR: Missing Params',
|
|
]));
|
|
}
|
|
|
|
if (in_array($_REQUEST['action'], ['stick', 'unstick', 'create']) && !LegacyAuth::user()->hasGlobalAdmin()) {
|
|
die(json_encode([
|
|
'status' => 'error',
|
|
'message' => 'ERROR: Need to be GlobalAdmin or DemoUser',
|
|
]));
|
|
}
|
|
|
|
|
|
if ($_REQUEST['action'] == 'read' && isset($_REQUEST['notification_id'])) {
|
|
if (dbInsert(['notifications_id'=>$_REQUEST['notification_id'],'user_id'=>LegacyAuth::id(),'key'=>'read','value'=>1], 'notifications_attribs')) {
|
|
die(json_encode([
|
|
'status' => 'ok',
|
|
'message' => 'Set as Read',
|
|
]));
|
|
}
|
|
} elseif ($_REQUEST['action'] == 'read-all-notif') {
|
|
$unread = dbFetchColumn("SELECT `notifications_id` FROM `notifications` AS N WHERE NOT EXISTS ( SELECT 1 FROM `notifications_attribs` WHERE `notifications_id` = N.`notifications_id` AND `user_id`=? AND `key`='read' AND `value`=1)", [LegacyAuth::id()]);
|
|
foreach ($unread as $notification_id) {
|
|
dbInsert(
|
|
[
|
|
'notifications_id' => $notification_id,
|
|
'user_id' => LegacyAuth::id(),
|
|
'key' => 'read',
|
|
'value' => 1
|
|
],
|
|
'notifications_attribs'
|
|
);
|
|
}
|
|
die(json_encode([
|
|
'status' => 'ok',
|
|
'message' => 'All notifications set as read',
|
|
]));
|
|
} elseif ($_REQUEST['action'] == 'stick' && isset($_REQUEST['notification_id'])) {
|
|
if (dbInsert(['notifications_id'=>$_REQUEST['notification_id'],'user_id'=>LegacyAuth::id(),'key'=>'sticky','value'=>1], 'notifications_attribs')) {
|
|
die(json_encode([
|
|
'status' => 'ok',
|
|
'message' => 'Set as Sticky',
|
|
]));
|
|
}
|
|
} elseif ($_REQUEST['action'] == 'unstick' && isset($_REQUEST['notification_id'])) {
|
|
if (dbDelete('notifications_attribs', "notifications_id = ? && user_id = ? AND `key`='sticky'", [$_REQUEST['notification_id'],LegacyAuth::id()])) {
|
|
die(json_encode([
|
|
'status' => 'ok',
|
|
'message' => 'Removed Sticky',
|
|
]));
|
|
}
|
|
} elseif ($_REQUEST['action'] == 'create' && (!empty($_REQUEST['title']) && !empty($_REQUEST['body']))) {
|
|
if (dbInsert(['title'=>$_REQUEST['title'],'body'=>$_REQUEST['body'],'checksum'=>hash('sha512', LegacyAuth::id().'.LOCAL.'.$_REQUEST['title']),'source'=>LegacyAuth::id()], 'notifications')) {
|
|
die(json_encode([
|
|
'status' => 'ok',
|
|
'message' => 'Created',
|
|
]));
|
|
}
|
|
} else {
|
|
die(json_encode([
|
|
'status' => 'error',
|
|
'message' => 'ERROR: Missing Params',
|
|
]));
|
|
}
|
|
|
|
die(json_encode(array(
|
|
'status' => 'error',
|
|
'message' => 'unknown error',
|
|
)));
|