ZoneMinder
/
zoneminder
mirror of https://github.com/ZoneMinder/zoneminder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add permissions checking to API/Logs. Fixes unprivileged user being to add/edit/delete/view logs.

pull/3621/head
Isaac Connor 2022-10-06 16:22:56 -04:00
parent cb3fc5907d
commit 34ffd92bf1
1 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
web/api/app/Controller/LogsController.php
View File

@ -20,6 +20,17 @@ class LogsController extends AppController {
'paramType' => 'querystring'
);
public function beforeFilter() {
parent::beforeFilter();
global $user;
# We already tested for auth in appController, so we just need to test for specific permission
$canView = (!$user) || ($user['System'] != 'None');
if (!$canView) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return;
}
}
/**
* index method
*
@ -54,6 +65,12 @@ class LogsController extends AppController {
* @return void
*/
public function add() {
global $user;
$canAdd = (!$user) || (($user['System'] == 'Edit') || ZM_LOG_INJECT);
if (!$canAdd) {
throw new UnauthorizedException(__('Insufficient privileges'));
return;
}
if ($this->request->is('post')) {
$this->Log->create();
if ($this->Log->save($this->request->data)) {
@ -70,6 +87,13 @@ class LogsController extends AppController {
* @return void
*/
public function edit($id = null) {
global $user;
$canEdit = (!$user) || ($user['System'] == 'Edit');
if (!$canEdit) {
throw new UnauthorizedException(__('Insufficient privileges'));
return;
}
if (!$this->Log->exists($id)) {
throw new NotFoundException(__('Invalid log'));
}
@ -91,6 +115,11 @@ class LogsController extends AppController {
* @return void
*/
public function delete($id = null) {
$canDelete = (!$user) || ($user['System'] == 'Edit');
if (!$canDelete) {
throw new UnauthorizedException(__('Insufficient privileges'));
return;
}
$this->Log->id = $id;
if (!$this->Log->exists()) {
throw new NotFoundException(__('Invalid log'));