From 55f2567976bbe547490b88550142554ef6505d93 Mon Sep 17 00:00:00 2001
From: Moe
Date: Sat, 6 Aug 2022 11:18:46 -0700
Subject: [PATCH] Add Permission checks to Scheduler, Probe, and ONVIF Device Man
---
 libs/onvifDeviceManager.js | 64 ++++++++++++++++++++++++++++++++++----
 libs/scanners.js | 14 +++++++++
 libs/scheduler.js | 16 ++++++----
 3 files changed, 82 insertions(+), 12 deletions(-)
diff --git a/libs/onvifDeviceManager.js b/libs/onvifDeviceManager.js
index 072c7da1..1c66ba2b 100644
--- a/libs/onvifDeviceManager.js
+++ b/libs/onvifDeviceManager.js
@@ -26,10 +26,26 @@ module.exports = function(s,config,lang,app,io){
 */
 app.get(config.webPaths.apiPrefix+':auth/onvifDeviceManager/:ke/:id',function (req,res){
 s.auth(req.params,async (user) => {
+ const groupKey = req.params.ke
+ const monitorId = req.params.id
+ const {
+ monitorPermissions,
+ monitorRestrictions,
+ } = s.getMonitorsPermitted(user.details,monitorId)
+ const {
+ isRestricted,
+ isRestrictedApiKey,
+ apiKeyPermissions,
+ } = s.checkPermission(user)
+ if(
+ isRestrictedApiKey && apiKeyPermissions.get_monitors_disallowed || isRestricted && !monitorPermissions[`${monitorId}_monitors`]
+ ){
+ s.closeJsonResponse(res,{ok: false, msg: lang['Not Authorized']});
+ return
+ }
 const endData = {ok: true}
 try{
- const groupKey = req.params.ke
- const monitorId = req.params.id
 const onvifDevice = await getOnvifDevice(groupKey,monitorId)
 const cameraInfo = await getUIFieldValues(onvifDevice)
 endData.onvifData = cameraInfo
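Review bot: The condition inside `if(` chains `&&` and `||` with no grouping, so a reader has to fall back on operator precedence to see that it is two independent deny clauses; parenthesizing each clause, e.g. `(isRestrictedApiKey && apiKeyPermissions.get_monitors_disallowed) ||` on the first line and the `isRestricted` clause likewise wrapped on the second, makes that explicit. `monitorRestrictions` is destructured from `s.getMonitorsPermitted` but never read anywhere in this handler, so the binding can be dropped. This hunk also omits the trailing semicolons that the save and reboot hunks in the same file put after the same destructuring statements; the three guards should use one form. The handler's body continues past the end of the hunk.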
@@ -46,11 +62,29 @@ module.exports = function(s,config,lang,app,io){
 */
 app.post(config.webPaths.apiPrefix+':auth/onvifDeviceManager/:ke/:id/save',function (req,res){
 s.auth(req.params,async (user) => {
+ const groupKey = req.params.ke
+ const monitorId = req.params.id
+ const {
+ monitorPermissions,
+ monitorRestrictions,
+ } = s.getMonitorsPermitted(user.details,monitorId);
+ const {
+ isRestricted,
+ isRestrictedApiKey,
+ apiKeyPermissions,
+ } = s.checkPermission(user);
+ if(
+ isRestrictedApiKey && apiKeyPermissions.control_monitors_disallowed
+ ){
+ s.closeJsonResponse(res,{
+ ok: false,
+ msg: lang['Not Authorized']
+ });
+ return
+ }
 const endData = {ok: true}
 const responses = {}
 try{
- const groupKey = req.params.ke
- const monitorId = req.params.id
 const onvifDevice = await getOnvifDevice(groupKey,monitorId)
 const form = s.getPostData(req)
 const videoToken = form.VideoConfiguration && form.VideoConfiguration.videoToken ? form.VideoConfiguration.videoToken : null
@@ -100,10 +134,28 @@ module.exports = function(s,config,lang,app,io){
 */
 app.get(config.webPaths.apiPrefix+':auth/onvifDeviceManager/:ke/:id/reboot',function (req,res){
 s.auth(req.params,async (user) => {
+ const groupKey = req.params.ke
+ const monitorId = req.params.id
+ const {
+ monitorPermissions,
+ monitorRestrictions,
+ } = s.getMonitorsPermitted(user.details,monitorId);
+ const {
+ isRestricted,
+ isRestrictedApiKey,
+ apiKeyPermissions,
+ } = s.checkPermission(user);
+ if(
+ isRestrictedApiKey && apiKeyPermissions.control_monitors_disallowed
+ ){
+ s.closeJsonResponse(res,{
+ ok: false,
+ msg: lang['Not Authorized']
+ });
+ return
+ }
 const endData = {ok: true}
 try{
- const groupKey = req.params.ke
- const monitorId = req.params.id
 const onvifDevice = await getOnvifDevice(groupKey,monitorId)
 const cameraInfo = await rebootCamera(onvifDevice)
 endData.onvifData = cameraInfo
diff --git a/libs/scanners.js b/libs/scanners.js
index a30a406f..af570cdf 100644
--- a/libs/scanners.js
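Review bot: The guard added to the save handler tests only `isRestrictedApiKey && apiKeyPermissions.control_monitors_disallowed`; `isRestricted` and `monitorPermissions` are destructured but never consulted, so a restricted sub-account that is not using an API key passes straight through to `getOnvifDevice` and the configuration write. The read handler earlier in this file denies such a user when `monitorPermissions` lacks the monitor's entry, and a write endpoint should be at least that strict — add a second clause mirroring that one, `|| isRestricted && !monitorPermissions[...]` keyed on this monitor (or on a monitor-edit key, if the permission map provides one). The reboot hunk at `@@ -100,10 +134,28 @@` has the same shape and the same gap. In both hunks `monitorRestrictions` is unused and can be dropped, and both handler bodies continue past the end of their hunks.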
+++ b/libs/scanners.js
@@ -21,6 +21,20 @@ module.exports = function(s,config,lang,app,io){
 */
 app.get(config.webPaths.apiPrefix+':auth/probe/:ke',function (req,res){
 s.auth(req.params,function(user){
+ const {
+ isRestricted,
+ isRestrictedApiKey,
+ apiKeyPermissions,
+ } = s.checkPermission(user);
+ if(
+ isRestrictedApiKey && apiKeyPermissions.control_monitors_disallowed
+ ){
+ s.closeJsonResponse(res,{
+ ok: false,
+ msg: lang['Not Authorized']
+ });
+ return
+ }
 ffprobe(req.query.url,req.params.auth,(endData) => {
 s.closeJsonResponse(res,endData)
 })
diff --git a/libs/scheduler.js b/libs/scheduler.js
index 3b3e51d7..a25fe43d 100644
--- a/libs/scheduler.js
+++ b/libs/scheduler.js
@@ -194,9 +194,11 @@ module.exports = function(s,config,lang,app,io){
 var endData = {
 ok : false
 }
- if(user.details.sub){
- endData.msg = user.lang['Not Permitted']
- s.closeJsonResponse(res,endData)
+ const {
+ isSubAccount,
+ } = s.checkPermission(user)
+ if(isSubAccount){
+ s.closeJsonResponse(res,{ok: false, msg: lang['Not an Administrator Account']});
 return
 }
 var whereQuery = [
@@ -234,9 +236,11 @@ module.exports = function(s,config,lang,app,io){
 var endData = {
 ok : false
 }
- if(user.details.sub){
- endData.msg = user.lang['Not Permitted']
- s.closeJsonResponse(res,endData)
+ const {
+ isSubAccount,
+ } = s.checkPermission(user)
+ if(isSubAccount){
+ s.closeJsonResponse(res,{ok: false, msg: lang['Not an Administrator Account']});
 return
 }
 switch(req.params.action){
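Review bot: The probe guard denies only restricted API keys carrying `control_monitors_disallowed`; `isRestricted` is destructured and never used, so a restricted sub-account without an API key still reaches `ffprobe(req.query.url,req.params.auth,...)`, which has the server open whatever URL the caller supplies. Since this check is the only thing limiting who can drive that outbound request, decide whether restricted sub-accounts should reach it at all and, if not, extend the condition to `isRestrictedApiKey && apiKeyPermissions.control_monitors_disallowed || isRestricted`; if they should, remove the unused binding so the guard reads as intended. The enclosing `s.auth` callback and route handler close after the hunk.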
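Review bot: The sub-account check introduced at `const { isSubAccount, } = s.checkPermission(user)` is repeated verbatim in the hunk at `@@ -234,9 +236,11 @@`, and in both places the `var endData = { ok : false }` declared just above is no longer touched by the early-return path, which now builds its own literal; a small module-local helper that runs `s.checkPermission`, sends the denial and returns a boolean would let both routes share one guard and one message (and `endData` can go if nothing after the hunk reads it). The replacement also switches the denial text from `user.lang['Not Permitted']` to the module-level `lang['Not an Administrator Account']`, so the response no longer follows the user's own language table if it differs from `lang` — presumably intended, but worth confirming. Both enclosing handlers start and end outside their hunks.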