From b84d005d8fb8a2ce047225e400adecc542ecfd7d Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Tue, 3 Sep 2019 10:54:34 -0400
Subject: [PATCH] Load use from session when it exists
---
 web/api/app/Controller/AppController.php | 14 ++++++---
 web/includes/auth.php | 40 ++++++++++++++----------
 2 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/web/api/app/Controller/AppController.php b/web/api/app/Controller/AppController.php
index b6ef078be..889182b90 100644
--- a/web/api/app/Controller/AppController.php
+++ b/web/api/app/Controller/AppController.php
@@ -93,6 +93,7 @@ class AppController extends Controller {
       if ( $stateful ) {
         zm_session_start();
+        $_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR']; // To help prevent session hijacking
         $_SESSION['username'] = $user['Username'];
         if ( ZM_AUTH_RELAY == 'plain' ) {
@@ -100,6 +101,14 @@ class AppController extends Controller {
           $_SESSION['password'] = $_REQUEST['password'];
         }
         session_write_close();
+      } else if ( $_COOKIE['ZMSESSID'] ) {
+        # Have a cookie set, try to load user by session
+        if ( ! is_session_started() )
+          zm_session_start();
+        else
+          ZM\Logger::Debug(print_r($_SESSION,true));
+        $user = userFromSession();
+        session_write_close();
       }
     }
@@ -142,10 +151,7 @@ class AppController extends Controller {
           return;
         }
       } # end if ! login or logout
-      if ($user['APIEnabled'] == 0 ) {
-        throw new UnauthorizedException(__('API Disabled'));
-        return;
-      }
+    } # end if ZM_OPT_AUTH
     // make sure populated user object has APIs enabled
   } # end function beforeFilter()
diff --git a/web/includes/auth.php b/web/includes/auth.php
index 4ada2afa2..cb8863001 100644
--- a/web/includes/auth.php
+++ b/web/includes/auth.php
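Review bot: The `// To help prevent session hijacking` comment on the new `$_SESSION['remoteAddr'] = $_SERVER['REMOTE_ADDR'];` line promises a check this patch does not implement: nothing here compares the stored address with the `REMOTE_ADDR` of a later request, and in the auth.php hunk the value is only used to build the `'AuthHash'.$_SESSION['remoteAddr']` key, taken from the session itself rather than from the request. As written, the line contributes a key suffix, not a binding of the session to the client, so a reader should not assume hijack protection exists. Either the session loader has to reject a mismatch, or the comment should say what the value is for, e.g. `// Recorded at login; used as the suffix of the AuthHash session key`. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, which any future comparison would need to account for. The enclosing `beforeFilter()` starts outside the hunk.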
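Review bot: `} else if ( $_COOKIE['ZMSESSID'] ) {` reads the cookie without `isset`, so every API request that carries neither credentials nor a session cookie raises an undefined-index notice on this branch; `} else if ( !empty($_COOKIE['ZMSESSID']) ) {` is the safe form. The `ZM\Logger::Debug(print_r($_SESSION,true));` in the `else` arm dumps the whole session to the debug log, and the context at the top of this hunk shows that with `ZM_AUTH_RELAY == 'plain'` the session holds `$_SESSION['password']` in clear text, so that line writes the user's password to the log whenever a session is already open. Log only what is needed for the diagnosis, e.g. `ZM\Logger::Debug('Session already started for '.(isset($_SESSION['username']) ? $_SESSION['username'] : 'unknown'));`.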
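Review bot: The `$user['APIEnabled'] == 0` check is removed and nothing else in this patch re-adds it, while the `// make sure populated user object has APIs enabled` context line stays behind describing a check that no longer exists. Combined with the new session-cookie path earlier in this file, a user whose API access is disabled but who holds a web session now passes `beforeFilter()`. It may be that the old brace layout ran this check even when `ZM_OPT_USE_AUTH` was off, which the new `} # end if ZM_OPT_AUTH` line corrects, but that cannot be confirmed from the hunk; the fix would then be to keep the check inside the auth block rather than drop it: `if ( $user['APIEnabled'] == 0 ) { throw new UnauthorizedException(__('API Disabled')); }` placed just before the new closing brace. The orphaned comment should move with the check or be deleted. `beforeFilter()` begins outside the hunk.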
@@ -243,6 +243,28 @@ function canEdit($area, $mid=false) {
   return ( $user[$area] == 'Edit' && ( !$mid || visibleMonitor($mid) ));
 }
+function userFromSession() {
+  $user = null; // Not global
+  if ( isset($_SESSION['username']) ) {
+    if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
+      # Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
+      # This prevent session modification to switch users
+      if ( isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )
+        $user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
+      else
+        ZM\Logger::Debug("No auth hash in session, there should have been");
+    } else {
+      # Need to refresh permissions and validate that the user still exists
+      $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
+      $user = dbFetchOne($sql, NULL, array($_SESSION['username']));
+    }
+  } else {
+    ZM\Logger::Debug('No username in session');
+  }
+  return $user;
+}
+
 if ( ZM_OPT_USE_AUTH ) {
   if ( !empty($_REQUEST['token']) ) {
     $ret = validateToken($_REQUEST['token'], 'access');
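Review bot: `userFromSession()` reads `$_SESSION['remoteAddr']` without checking it is set, so a session created before this commit, or by a code path that never stores it (only the API controller sets it in this patch), raises an undefined-index notice and looks up the bare key `AuthHash`; `isset()` with two arguments stops at the first missing one, so `if ( isset($_SESSION['remoteAddr'], $_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )` guards both reads in one line. Since both the key suffix and the hash come from the session, the stored address is never compared with `$_SERVER['REMOTE_ADDR']`, so the `# This prevent session modification to switch users` comment holds only for the hash, not for the address; if address binding is intended it belongs here, returning `null` on mismatch. The function also lacks a docblock; I would add one stating that it returns whatever `getAuthUser()` or `dbFetchOne()` produced for the session's username, or `null` when the session has no `username`, and that it does not start the session, so the caller must have done so. In the hashed branch the `$_SESSION['username']` value is never compared with the user resolved from the hash, which is worth noting in that docblock.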
@@ -250,23 +272,7 @@ if ( ZM_OPT_USE_AUTH ) {
   } else {
     // Non token based auth
-    if ( isset($_SESSION['username']) ) {
-      if ( ZM_AUTH_HASH_LOGINS and (ZM_AUTH_RELAY == 'hashed') ) {
-        # Extra validation, if logged in, then the auth hash will be set in the session, so we can validate it.
-        # This prevent session modification to switch users
-        if ( isset($_SESSION['AuthHash'.$_SESSION['remoteAddr']]) )
-          $user = getAuthUser($_SESSION['AuthHash'.$_SESSION['remoteAddr']]);
-        else
-          ZM\Logger::Debug("No auth hash in session, there should have been");
-
-      } else {
-        # Need to refresh permissions and validate that the user still exists
-        $sql = 'SELECT * FROM Users WHERE Enabled=1 AND Username=?';
-        $user = dbFetchOne($sql, NULL, array($_SESSION['username']));
-      }
-    } else {
-      ZM\Logger::Debug("No username in session");
-    }
+    $user = userFromSession();
     if ( ZM_AUTH_HASH_LOGINS && empty($user) && !empty($_REQUEST['auth']) ) {
       $user = getAuthUser($_REQUEST['auth']);