Add new class methods and use them

2023-09-11 01:45:19 -06:00 · 2023-09-11 01:45:19 -06:00 · 2c5724c6ed
parent 6411f50750
commit 2c5724c6ed
8 changed files with 238 additions and 184 deletions
--- a/core/authentication/resources/classes/authentication.php
+++ b/core/authentication/resources/classes/authentication.php
@ -236,63 +236,13 @@ class authentication {
 					$_SESSION["user"]["username"] = $result["username"];
 					$_SESSION["user"]["contact_uuid"] = $result["contact_uuid"];

-				//get the groups assigned to the user and then set the groups in $_SESSION["groups"]
-					$sql = "select ";
-					$sql .= "u.user_group_uuid, ";
-					$sql .= "u.domain_uuid, ";
-					$sql .= "u.user_uuid, ";
-					$sql .= "u.group_uuid, ";
-					$sql .= "g.group_name, ";
-					$sql .= "g.group_level ";
-					$sql .= "from ";
-					$sql .= "v_user_groups as u, ";
-					$sql .= "v_groups as g ";
-					$sql .= "where u.domain_uuid = :domain_uuid ";
-					$sql .= "and u.user_uuid = :user_uuid ";
-					$sql .= "and u.group_uuid = g.group_uuid ";
-					$parameters['domain_uuid'] = $_SESSION["domain_uuid"];
-					$parameters['user_uuid'] = $_SESSION["user_uuid"];
-					$database = new database;
-					$result = $database->select($sql, $parameters, 'all');
-					$_SESSION["groups"] = $result;
-					$_SESSION["user"]["groups"] = $result;
-					unset($sql, $parameters);
+				//get the groups assigned to the user 
+					$group = new groups;
+					$group->session($result["domain_uuid"], $result["user_uuid"]);

-				//get the users group level
-					$_SESSION["user"]["group_level"] = 0;
-					foreach ($_SESSION['user']['groups'] as $row) {
-						if ($_SESSION["user"]["group_level"] < $row['group_level']) {
-							$_SESSION["user"]["group_level"] = $row['group_level'];
-						}
-					}
-
-				//get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions']
-					if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) {
-						$x = 0;
-						$sql = "select distinct(permission_name) from v_group_permissions ";
-						$sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
-						foreach ($_SESSION["groups"] as $field) {
-							if (!empty($field['group_name'])) {
-								$sql_where_or[] = "group_name = :group_name_".$x;
-								$parameters['group_name_'.$x] = $field['group_name'];
-								$x++;
-							}
-						}
-						if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) {
-							$sql .= "and (".implode(' or ', $sql_where_or).") ";
-						}
-						$sql .= "and permission_assigned = 'true' ";
-						$parameters['domain_uuid'] = $_SESSION["domain_uuid"];
-						$database = new database;
-						$result = $database->select($sql, $parameters, 'all');
-						if (is_array($result) && @sizeof($result) != 0) {
-							foreach ($result as $row) {
-								$_SESSION['permissions'][$row["permission_name"]] = true;
-								$_SESSION["user"]["permissions"][$row["permission_name"]] = true;
-							}
-						}
-						unset($sql, $parameters, $result, $row);
-					}
+				//get the permissions assigned to the user through the assigned groups
+					$permission = new permissions;
+					$permission->session($result["domain_uuid"], $_SESSION["groups"]);

 				//get the domains
 					if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){
--- a/resources/check_auth.php
+++ b/resources/check_auth.php
@ -37,7 +37,35 @@
 	}

 //start the session
-	if (!isset($_SESSION)) { session_start(); }
+	if (function_exists('session_start')) { 
+		if (!isset($_SESSION)) {
+			session_start();
+		}
+	}
+
+//regenerate sessions to avoid session id attacks such as session fixation
+	if (array_key_exists('security',$_SESSION) && $_SESSION['security']['session_rotate']['boolean'] == "true") {
+		$_SESSION['session']['last_activity'] = time();
+		if (!isset($_SESSION['session']['created'])) {
+			$_SESSION['session']['created'] = time();
+		} else if (time() - $_SESSION['session']['created'] > 28800) {
+			// session started more than 8 hours ago
+			session_regenerate_id(true);    // rotate the session id
+			$_SESSION['session']['created'] = time();  // update creation time
+		}
+	}
+
+//set the domains session
+	if (!isset($_SESSION['domains'])) {
+		$domain = new domains();
+		$domain->session();
+		$domain->set();
+	}
+
+//set the domain_uuid variable from the session
+	if (!empty($_SESSION["domain_uuid"])) {
+		$domain_uuid = $_SESSION["domain_uuid"];
+	}

 //define variables
 	if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; }
--- a/resources/classes/domains.php
+++ b/resources/classes/domains.php
@ -25,7 +25,6 @@
 	sreis
 */

-
 /**
 * domains class
 *
@ -803,6 +802,72 @@ if (!class_exists('domains')) {
 				}

 		} //end settings method
+
+		/**
+		 * get a domain list
+		 */
+		public function all() {
+			//get the domains from the database
+				$database = new database;
+				if ($database->table_exists('v_domains')) {
+					$sql = "select * from v_domains order by domain_name asc;";
+					$database = new database;
+					$result = $database->select($sql, null, 'all');
+					foreach($result as $row) {
+						$domain_names[] = $row['domain_name'];
+					}
+					unset($prep_statement);
+				}
+
+			//build the domains array in the correct order
+				if (is_array($domain_names)) { 
+					foreach ($domain_names as $dn) {
+						foreach ($result as $row) {
+							if ($row['domain_name'] == $dn) {
+								$domains[] = $row;
+							}
+						}
+					}
+					unset($result);
+				}
+
+			//return the domains array
+				return $domains;
+		}
+
+		/**
+		 * get a domain list
+		 */
+		public function session() {
+			//get the list of domains
+				$domains = $this->all();
+
+			//get the domain
+				$domain_array = explode(":", $_SERVER["HTTP_HOST"] ?? '');
+
+			//set domain_name and domain_uuid and update domains array with domain_uuid as the key
+				if (!empty($domains) && is_array($domains)) {
+					foreach($domains as $row) {
+						if (!isset($_SESSION['username'])) {
+							if (!empty($domains) && count($domains) == 1) {
+								$domain_uuid = $row["domain_uuid"];
+								$domain_name = $row['domain_name'];
+								$_SESSION["domain_uuid"] = $row["domain_uuid"];
+								$_SESSION["domain_name"] = $row['domain_name'];
+							}
+							else {
+								if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) {
+									$_SESSION["domain_uuid"] = $row["domain_uuid"];
+									$_SESSION["domain_name"] = $row["domain_name"];
+								}
+							}
+						}	
+						$_SESSION['domains'][$row['domain_uuid']] = $row;
+					}
+					unset($domains, $prep_statement);
+				}
+		}
+
 	}
 }

--- a/resources/classes/groups.php
+++ b/resources/classes/groups.php
@ -470,6 +470,56 @@ if (!class_exists('groups')) {
 				}
 		}

+		/**
+		 * get the groups assigned to the user
+		 */
+		public function assigned($domain_uuid, $user_uuid) {
+			$sql = "select ";
+			$sql .= "u.user_group_uuid, ";
+			$sql .= "u.domain_uuid, ";
+			$sql .= "u.user_uuid, ";
+			$sql .= "u.group_uuid, ";
+			$sql .= "g.group_name, ";
+			$sql .= "g.group_level ";
+			$sql .= "from ";
+			$sql .= "v_user_groups as u, ";
+			$sql .= "v_groups as g ";
+			$sql .= "where u.domain_uuid = :domain_uuid ";
+			$sql .= "and u.user_uuid = :user_uuid ";
+			$sql .= "and u.group_uuid = g.group_uuid ";
+			$parameters['domain_uuid'] = $domain_uuid;
+			$parameters['user_uuid'] = $user_uuid;
+			$database = new database;
+			$groups = $database->select($sql, $parameters, 'all');
+			unset($sql, $parameters);
+			if (!empty($groups)) {
+				return $groups;
+			}
+			else {
+				return false;
+			}
+		}
+
+		/**
+		 * add the assigned groups the session array
+		 */
+		public function session($domain_uuid, $user_uuid) {
+			//get the groups
+			$groups = $this->assigned($domain_uuid, $user_uuid);
+
+			//set the groups in the session
+			$_SESSION["groups"] = $groups;
+			$_SESSION["user"]["groups"] = $groups;
+
+			//get the users group level
+			$_SESSION["user"]["group_level"] = 0;
+			foreach ($_SESSION['user']['groups'] as $row) {
+				if ($_SESSION["user"]["group_level"] < $row['group_level']) {
+					$_SESSION["user"]["group_level"] = $row['group_level'];
+				}
+			}
+
+		}
 	}
 }

--- a/resources/classes/permissions.php
+++ b/resources/classes/permissions.php
@ -18,7 +18,6 @@
 	The Initial Developer of the Original Code is
 	Mark J Crane <markjcrane@fusionpbx.com>
 	Copyright (C) 2016	All Rights Reserved.
-
 */

 /**
@ -65,16 +64,89 @@ if (!class_exists('permissions')) {
 		 * Check to see if the permission exists
 		 * @var string $permission
 		 */
-		function exists($permission) {
-			//set default false
-				$result = false;
-			//search for the permission
-				if (!empty($_SESSION["permissions"]) && is_array($_SESSION["permissions"]) && isset($_SESSION["permissions"][$permission])) {
-					$result = true;
+		public function exists($permission) {
+			//define permissions global variable
+			global $permissions;
+
+			if (empty($permissions) && empty($_SESSION["permissions"])) {
+				//define additional global variables
+				global $groups, $domain_uuid, $user_uuid;
+
+				//get the groups assigned to the user
+				if (empty($groups)) {
+					$group = new groups;
+					$groups = $group->assigned($domain_uuid, $user_uuid);
 				}
+
+				//get the permissions assigned to the user through the assigned groups
+				$permission = new permissions;
+				$permissions = $permission->assigned($domain_uuid, $groups);
+			}
+			if (!empty($_SESSION["permissions"])) {
+				$permissions = $_SESSION["permissions"];
+			}
+
+			//set default to false
+			$result = false;
+
+			//search for the permission
+			if (!empty($permissions) && !empty($permission)) {
+				foreach($permissions as $field) {
+					if ($permission == $field) {
+						$result = true;
+					}
+				}
+			}
+
 			//return the result
-				return $result;
+			return $result;
 		}
+
+		/**
+		 * get the assigned permissions
+		 * @var array $groups
+		 */
+		public function assigned($domain_uuid, $groups) {
+			//groups not provided return false
+			if (empty($groups)) {
+				return false;
+			}
+
+			//get the permissions assigned to the user through the assigned groups
+			$x = 0;
+			$sql = "select distinct(permission_name) from v_group_permissions ";
+			$sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
+			foreach ($groups as $field) {
+				if (!empty($field['group_name'])) {
+					$sql_where_or[] = "group_name = :group_name_".$x;
+					$parameters['group_name_'.$x] = $field['group_name'];
+					$x++;
+				}
+			}
+			if (!empty($sql_where_or)) {
+				$sql .= "and (".implode(' or ', $sql_where_or).") ";
+			}
+			$sql .= "and permission_assigned = 'true' ";
+			$parameters['domain_uuid'] = $domain_uuid;
+			$database = new database;
+			$permissions = $database->select($sql, $parameters, 'all');
+			unset($sql, $parameters, $result);
+			return $permissions;
+		}
+
+		/**
+		 * save the assigned permissions to a session
+		 */
+		public function session($domain_uuid, $groups) {
+			$permissions = $this->assigned($domain_uuid, $groups);
+			if (!empty($permissions)) {
+				foreach ($permissions as $row) {
+					$_SESSION['permissions'][$row["permission_name"]] = true;
+					$_SESSION["user"]["permissions"][$row["permission_name"]] = true;
+				}
+			}
+		}
+
 	}
 }

--- a/resources/functions.php
+++ b/resources/functions.php
@ -274,44 +274,11 @@
 		}
 	}

+	//check if the permission exists
 	if (!function_exists('permission_exists')) {
 		function permission_exists($permission, $operator = 'or') {
-			//set default
-				$result = false;
-			//permissions exist
-				if (!empty($_SESSION["permissions"]) && is_array($_SESSION["permissions"]) && @sizeof($_SESSION['permissions']) != 0) {
-					//array
-					if (is_array($permission) && @sizeof($permission) != 0) {
-						if ($operator == 'and') {
-							$exists_all = true;
-							foreach ($permission as $perm) {
-								if ($_SESSION["permissions"][$permission] != true) {
-									$exists_all = false;
-									break;
-								}
-							}
-							$result = $exists_all;
-						}
-						else {
-							$exists_one = false;
-							foreach ($permission as $perm) {
-								if (isset($_SESSION["permissions"][$perm]) && $_SESSION["permissions"][$perm] != true) {
-									$exists_one = true;
-									break;
-								}
-							}
-							$result = $exists_one;
-						}
-					}
-					//single
-					else {
-						if (isset($_SESSION["permissions"][$permission]) && $_SESSION["permissions"][$permission] == true) {
-							$result = true;
-						}
-					}
-				}
-			//return the result
-				return $result;
+			$permission = new permissions;
+			return $permission->exists($permission);
 		}
 	}

--- a/resources/pdo.php
+++ b/resources/pdo.php
@ -279,84 +279,4 @@ if ($db_type == "odbc") {
 	}
 } //end if db_type pgsql

-//get the domain list
-	if (empty($_SESSION['domains']) or empty($_SESSION["domain_uuid"])) {
-
-		//get the domain
-			$domain_array = explode(":", $_SERVER["HTTP_HOST"] ?? '');
-
-		//get the domains from the database
-			$database = new database;
-			if ($database->table_exists('v_domains')) {
-				$sql = "select * from v_domains order by domain_name asc;";
-				$prep_statement = $db->prepare($sql);
-				$prep_statement->execute();
-				$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
-				foreach($result as $row) {
-					$domain_names[] = $row['domain_name'];
-				}
-				unset($prep_statement);
-			}
-
-		//build the domains array in the correct order
-			if (is_array($domain_names)) { 
-				foreach ($domain_names as $dn) {
-					foreach ($result as $row) {
-						if ($row['domain_name'] == $dn) {
-							$domains[] = $row;
-						}
-					}
-				}
-				unset($result);
-			}
-
-			if (is_array($domains)) {
-				foreach($domains as $row) {
-					if (!isset($_SESSION['username'])) {
-						if (count($domains) == 1) {
-							$_SESSION["domain_uuid"] = $row["domain_uuid"];
-							$_SESSION["domain_name"] = $row['domain_name'];
-						}
-						else {
-							if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) {
-								$_SESSION["domain_uuid"] = $row["domain_uuid"];
-								$_SESSION["domain_name"] = $row["domain_name"];
-							}
-						}
-					}	
-					$_SESSION['domains'][$row['domain_uuid']] = $row;
-				}
-				unset($domains, $prep_statement);
-			}
-	}
-
-//get the software name
-	if (!isset($_SESSION["software_name"])) {
-		$database = new database;
-		if ($database->table_exists('v_software')) {
-			$sql = "select * from v_software ";
-			$prep_statement = $db->prepare(check_sql($sql));
-			if ($prep_statement) {
-				$prep_statement->execute();
-				$row = $prep_statement->fetch(PDO::FETCH_ASSOC);
-				$_SESSION["software_name"] = $row['software_name'];
-			}
-			unset($prep_statement, $result);
-		}
-	}
-
-//set the setting arrays
-	if (!isset($_SESSION['domain']['menu'])) {
-		$domain = new domains();
-		$domain->set();
-	}
-
-//set the domain_uuid variable from the session
-	if (!empty($_SESSION["domain_uuid"])) {
-		$domain_uuid = $_SESSION["domain_uuid"];
-	}
-	else {
-		$domain_uuid = uuid();
-	}
-
 ?>
--- a/resources/require.php
+++ b/resources/require.php
@ -123,14 +123,16 @@
 	require_once "resources/functions.php";
 	if (is_array($conf) && count($conf) > 0) {
 		require_once "resources/pdo.php";
-		require_once "resources/cidr.php";
+		if (!defined('STDIN')) {
+			require_once "resources/cidr.php";
+		}
 		if (file_exists($_SERVER["DOCUMENT_ROOT"] . PROJECT_PATH . "/resources/switch.php")) {
 			require_once "resources/switch.php";
 		}
 	}

 //change language on the fly - for translate tool (if available)
-	if (isset($_REQUEST['view_lang_code']) && ($_REQUEST['view_lang_code']) != '') {
+	if (!defined('STDIN') && isset($_REQUEST['view_lang_code']) && ($_REQUEST['view_lang_code']) != '') {
 		$_SESSION['domain']['language']['code'] = $_REQUEST['view_lang_code'];
 	}