Load use from session when it exists

pull/2695/head
Isaac Connor 2019-09-03 10:54:34 -04:00
parent b344701dea
commit b84d005d8f
2 changed files with 33 additions and 21 deletions


@ -93,6 +93,7 @@ class AppController extends Controller {
if ( $stateful ) {
zm_session_start();
$_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
$_SESSION['username'] = $user['Username'];
if ( ZM_AUTH_RELAY == 'plain' ) {
@ -100,6 +101,14 @@ class AppController extends Controller {
$_SESSION['password'] = $_REQUEST['password'];
}
session_write_close();
} else if ( $_COOKIE['ZMSESSID'] ) {
# Have a cookie set, try to load user by session
if ( ! is_session_started() )
zm_session_start();
else
ZM\Logger::Debug(print_r($_SESSION,true));
$user = userFromSession();
session_write_close();
}
}
@ -142,10 +151,7 @@ class AppController extends Controller {
return;
}
} # end if ! login or logout
if ($user['APIEnabled'] == 0 ) {
throw new UnauthorizedException(__('API Disabled'));
return;
}
} # end if ZM_OPT_AUTH
// make sure populated user object has APIs enabled
} # end function beforeFilter()
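Review bot: The new cookie branch logs the whole session with `ZM\Logger::Debug(print_r($_SESSION,true))`, and the stateful branch just above it stores `$_SESSION['password'] = $_REQUEST['password']` when ZM_AUTH_RELAY is 'plain', so a plaintext password (and any stored auth hash) is written to the debug log on every request that arrives with an already-started session. Log only a marker, e.g. `ZM\Logger::Debug('Session already started; keys: '.implode(',', array_keys($_SESSION)));`, rather than the session contents. The condition `} else if ( $_COOKIE['ZMSESSID'] ) {` also reads an index that is absent on every unauthenticated request and raises a notice; `} else if ( !empty($_COOKIE['ZMSESSID']) ) {` expresses the same intent without it. Both points fall inside beforeFilter, whose body starts before the first hunk; userFromSession() is defined in the other file of this commit and presumably may return null, so the later `$user['APIEnabled'] == 0` check likely relies on null comparing loosely to 0 — an explicit `empty($user) ||` guard there would make that intent clear.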


@ -243,6 +243,28 @@ function canEdit($area, $mid=false) {
return ( $user[$area] == 'Edit' && ( !$mid || visibleMonitor($mid) ));
}
function userFromSession() {
$user = null; // Not global
if ( isset($_SESSION['username']) ) {
if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
# Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
# This prevent session modification to switch users
if ( isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )
$user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
else
ZM\Logger::Debug("No auth hash in session, there should have been");
} else {
# Need to refresh permissions and validate that the user still exists
$sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
$user = dbFetchOne($sql, NULL, array($_SESSION['username']));
}
} else {
ZM\Logger::Debug('No username in session');
}
return $user;
}
if ( ZM_OPT_USE_AUTH ) {
if ( !empty($_REQUEST['token']) ) {
$ret = validateToken($_REQUEST['token'], 'access');
@ -250,23 +272,7 @@ if ( ZM_OPT_USE_AUTH ) {
} else {
// Non token based auth
if ( isset($_SESSION['username']) ) {
if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
# Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
# This prevent session modification to switch users
if ( isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )
$user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
else
ZM\Logger::Debug("No auth hash in session, there should have been");
} else {
# Need to refresh permissions and validate that the user still exists
$sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
$user = dbFetchOne($sql, NULL, array($_SESSION['username']));
}
} else {
ZM\Logger::Debug("No username in session");
}
$user = userFromSession();
if ( ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST['auth']) ) {
$user = getAuthUser($_REQUEST['auth']);