From 2c5724c6edcf179959464a40b99098156a4e5f60 Mon Sep 17 00:00:00 2001 From: FusionPBX Date: Mon, 11 Sep 2023 01:45:19 -0600 Subject: [PATCH] Add new class methods and use them --- .../resources/classes/authentication.php | 62 ++----------- resources/check_auth.php | 30 ++++++- resources/classes/domains.php | 67 +++++++++++++- resources/classes/groups.php | 50 +++++++++++ resources/classes/permissions.php | 88 +++++++++++++++++-- resources/functions.php | 39 +------- resources/pdo.php | 80 ----------------- resources/require.php | 6 +- 8 files changed, 238 insertions(+), 184 deletions(-) diff --git a/core/authentication/resources/classes/authentication.php b/core/authentication/resources/classes/authentication.php index 5d73ad0de5..ab0355aec5 100644 --- a/core/authentication/resources/classes/authentication.php +++ b/core/authentication/resources/classes/authentication.php 
@@ -236,63 +236,13 @@ class authentication { $_SESSION["user"]["username"] = $result["username"]; $_SESSION["user"]["contact_uuid"] = $result["contact_uuid"]; - //get the groups assigned to the user and then set the groups in $_SESSION["groups"] - $sql = "select "; - $sql .= "u.user_group_uuid, "; - $sql .= "u.domain_uuid, "; - $sql .= "u.user_uuid, "; - $sql .= "u.group_uuid, "; - $sql .= "g.group_name, "; - $sql .= "g.group_level "; - $sql .= "from "; - $sql .= "v_user_groups as u, "; - $sql .= "v_groups as g "; - $sql .= "where u.domain_uuid = :domain_uuid "; - $sql .= "and u.user_uuid = :user_uuid "; - $sql .= "and u.group_uuid = g.group_uuid "; - $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; - $parameters['user_uuid'] = $_SESSION["user_uuid"]; - $database = new database; - $result = $database->select($sql, $parameters, 'all'); - $_SESSION["groups"] = $result; - $_SESSION["user"]["groups"] = $result; - unset($sql, $parameters); + //get the groups assigned to the user + $group = new groups; + $group->session($result["domain_uuid"], $result["user_uuid"]); - //get the users group level - $_SESSION["user"]["group_level"] = 0; - foreach ($_SESSION['user']['groups'] as $row) { - if ($_SESSION["user"]["group_level"] < $row['group_level']) { - $_SESSION["user"]["group_level"] = $row['group_level']; - } - } - - //get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions'] - if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) { - $x = 0; - $sql = "select distinct(permission_name) from v_group_permissions "; - $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) "; - foreach ($_SESSION["groups"] as $field) { - if (!empty($field['group_name'])) { - $sql_where_or[] = "group_name = :group_name_".$x; - $parameters['group_name_'.$x] = $field['group_name']; - $x++; - } - } - if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) { - $sql .= "and (".implode(' or ', 
$sql_where_or).") "; - } - $sql .= "and permission_assigned = 'true' "; - $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; - $database = new database; - $result = $database->select($sql, $parameters, 'all'); - if (is_array($result) && @sizeof($result) != 0) { - foreach ($result as $row) { - $_SESSION['permissions'][$row["permission_name"]] = true; - $_SESSION["user"]["permissions"][$row["permission_name"]] = true; - } - } - unset($sql, $parameters, $result, $row); - } + //get the permissions assigned to the user through the assigned groups + $permission = new permissions; + $permission->session($result["domain_uuid"], $_SESSION["groups"]); //get the domains if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){ diff --git a/resources/check_auth.php b/resources/check_auth.php index ef9ee901fc..66cf392292 100644 --- a/resources/check_auth.php +++ b/resources/check_auth.php 
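Review bot: `$permission->session($result["domain_uuid"], $_SESSION["groups"])` only adds to `$_SESSION['permissions']` (permissions::session writes `$_SESSION['permissions'][$name] = true` and never clears the map), so permissions left over from an earlier authentication in the same PHP session survive this login unless something outside the hunk empties or regenerates the session. Reset both maps before repopulating: `unset($_SESSION['permissions'], $_SESSION['user']['permissions']);` immediately before `$permission = new permissions;`. The new calls take the domain from `$result["domain_uuid"]` where the removed code used `$_SESSION["domain_uuid"]`; that looks intentional (bind the session to the authenticated row's domain) but deserves a one-line comment such as `//groups and permissions are resolved against the domain of the user row, not the pre-login session domain`. The enclosing method continues past the hunk on both sides.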
@@ -37,7 +37,35 @@ } //start the session - if (!isset($_SESSION)) { session_start(); } + if (function_exists('session_start')) { + if (!isset($_SESSION)) { + session_start(); + } + } + +//regenerate sessions to avoid session id attacks such as session fixation + if (array_key_exists('security',$_SESSION) && $_SESSION['security']['session_rotate']['boolean'] == "true") { + $_SESSION['session']['last_activity'] = time(); + if (!isset($_SESSION['session']['created'])) { + $_SESSION['session']['created'] = time(); + } else if (time() - $_SESSION['session']['created'] > 28800) { + // session started more than 8 hours ago + session_regenerate_id(true); // rotate the session id + $_SESSION['session']['created'] = time(); // update creation time + } + } + +//set the domains session + if (!isset($_SESSION['domains'])) { + $domain = new domains(); + $domain->session(); + $domain->set(); + } + +//set the domain_uuid variable from the session + if (!empty($_SESSION["domain_uuid"])) { + $domain_uuid = $_SESSION["domain_uuid"]; + } //define variables if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; } diff --git a/resources/classes/domains.php b/resources/classes/domains.php index f3d2eb4360..72ad9419ab 100644 --- a/resources/classes/domains.php +++ b/resources/classes/domains.php @@ -25,7 +25,6 @@ sreis */ - /** * domains class * 
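Review bot: The comment claims the rotation block prevents session fixation, but fixation is defeated by regenerating the id when privilege changes (at login), not by rotating an id that is eight hours old; nothing in this block regenerates on authentication, so a fixed id stays valid for up to 28800 seconds after the victim logs in. Keep the time-based rotation if wanted, but reword it to `//rotate long-lived session ids; fixation is prevented by session_regenerate_id(true) at login` and confirm the login path (outside this hunk) actually does that. The guard `array_key_exists('security',$_SESSION) && $_SESSION['security']['session_rotate']['boolean'] == "true"` proves only the first key exists before reading two nested ones; `!empty($_SESSION['security']['session_rotate']['boolean']) && $_SESSION['security']['session_rotate']['boolean'] === "true"` avoids the notice. The pdo.php fallback `$domain_uuid = uuid();` that this patch deletes is not recreated here, so `$domain_uuid` is now undefined whenever the session carries no `domain_uuid`; callers that relied on it being set should be checked.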
@@ -803,6 +802,72 @@ if (!class_exists('domains')) { } } //end settings method + + /** + * get a domain list + */ + public function all() { + //get the domains from the database + $database = new database; + if ($database->table_exists('v_domains')) { + $sql = "select * from v_domains order by domain_name asc;"; + $database = new database; + $result = $database->select($sql, null, 'all'); + foreach($result as $row) { + $domain_names[] = $row['domain_name']; + } + unset($prep_statement); + } + + //build the domains array in the correct order + if (is_array($domain_names)) { + foreach ($domain_names as $dn) { + foreach ($result as $row) { + if ($row['domain_name'] == $dn) { + $domains[] = $row; + } + } + } + unset($result); + } + + //return the domains array + return $domains; + } + + /** + * get a domain list + */ + public function session() { + //get the list of domains + $domains = $this->all(); + + //get the domain + $domain_array = explode(":", $_SERVER["HTTP_HOST"] ?? ''); + + //set domain_name and domain_uuid and update domains array with domain_uuid as the key + if (!empty($domains) && is_array($domains)) { + foreach($domains as $row) { + if (!isset($_SESSION['username'])) { + if (!empty($domains) && count($domains) == 1) { + $domain_uuid = $row["domain_uuid"]; + $domain_name = $row['domain_name']; + $_SESSION["domain_uuid"] = $row["domain_uuid"]; + $_SESSION["domain_name"] = $row['domain_name']; + } + else { + if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) { + $_SESSION["domain_uuid"] = $row["domain_uuid"]; + $_SESSION["domain_name"] = $row["domain_name"]; + } + } + } + $_SESSION['domains'][$row['domain_uuid']] = $row; + } + unset($domains, $prep_statement); + } + } + } } diff --git a/resources/classes/groups.php b/resources/classes/groups.php index 155ac462bc..663155ab92 100644 --- a/resources/classes/groups.php +++ b/resources/classes/groups.php 
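Review bot: `all()` returns `$domains` without initialising it, so when `v_domains` is missing or empty the method returns null with an undefined-variable warning and `session()` then stores nothing; initialise `$domains = [];` and `$domain_names = [];` at the top of `all()` and drop the stray `unset($prep_statement)`, which refers to a variable this method never creates. The nested re-ordering loop is O(n²) and only reproduces the `order by domain_name asc` the query already applied (and would duplicate rows that share a name), so `return $result ?: [];` right after the select is the equivalent. In `session()`, an unauthenticated request binds `$_SESSION["domain_uuid"]` from the client-supplied `HTTP_HOST`; the exact match against `v_domains` limits this to known tenants, but add `//HTTP_HOST is untrusted: the match only selects an existing domain as a pre-login hint` so nobody later relaxes the comparison. Both methods sit inside the `domains` class whose header is outside the hunk.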
@@ -470,6 +470,56 @@ if (!class_exists('groups')) { } } + /** + * get the groups assigned to the user + */ + public function assigned($domain_uuid, $user_uuid) { + $sql = "select "; + $sql .= "u.user_group_uuid, "; + $sql .= "u.domain_uuid, "; + $sql .= "u.user_uuid, "; + $sql .= "u.group_uuid, "; + $sql .= "g.group_name, "; + $sql .= "g.group_level "; + $sql .= "from "; + $sql .= "v_user_groups as u, "; + $sql .= "v_groups as g "; + $sql .= "where u.domain_uuid = :domain_uuid "; + $sql .= "and u.user_uuid = :user_uuid "; + $sql .= "and u.group_uuid = g.group_uuid "; + $parameters['domain_uuid'] = $domain_uuid; + $parameters['user_uuid'] = $user_uuid; + $database = new database; + $groups = $database->select($sql, $parameters, 'all'); + unset($sql, $parameters); + if (!empty($groups)) { + return $groups; + } + else { + return false; + } + } + + /** + * add the assigned groups the session array + */ + public function session($domain_uuid, $user_uuid) { + //get the groups + $groups = $this->assigned($domain_uuid, $user_uuid); + + //set the groups in the session + $_SESSION["groups"] = $groups; + $_SESSION["user"]["groups"] = $groups; + + //get the users group level + $_SESSION["user"]["group_level"] = 0; + foreach ($_SESSION['user']['groups'] as $row) { + if ($_SESSION["user"]["group_level"] < $row['group_level']) { + $_SESSION["user"]["group_level"] = $row['group_level']; + } + } + + } } } diff --git a/resources/classes/permissions.php b/resources/classes/permissions.php index ddc8b18d5d..63664cffe7 100644 --- a/resources/classes/permissions.php +++ b/resources/classes/permissions.php @@ -18,7 +18,6 @@ The Initial Developer of the Original Code is Mark J Crane Copyright (C) 2016 All Rights Reserved. - */ /** 
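Review bot: `assigned()` returns `false` when the user has no groups, and `session()` then stores that `false` in `$_SESSION["groups"]` and runs `foreach ($_SESSION['user']['groups'] as $row)` over it, which raises a foreach warning on every login of a group-less user; normalise first with `$groups = $this->assigned($domain_uuid, $user_uuid) ?: [];` so both session keys hold an array and the loop is a no-op. With that change the later `permissions::session($domain_uuid, $_SESSION["groups"])` still takes its early `empty($groups)` return. A line in the `assigned()` docblock saying it returns `false` rather than an empty array when nothing is assigned would save the next caller the same trap. The `groups` class header is outside the hunk.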
@@ -65,16 +64,89 @@ if (!class_exists('permissions')) { * Check to see if the permission exists * @var string $permission */ - function exists($permission) { - //set default false - $result = false; - //search for the permission - if (!empty($_SESSION["permissions"]) && is_array($_SESSION["permissions"]) && isset($_SESSION["permissions"][$permission])) { - $result = true; + public function exists($permission) { + //define permissions global variable + global $permissions; + + if (empty($permissions) && empty($_SESSION["permissions"])) { + //define additional global variables + global $groups, $domain_uuid, $user_uuid; + + //get the groups assigned to the user + if (empty($groups)) { + $group = new groups; + $groups = $group->assigned($domain_uuid, $user_uuid); } + + //get the permissions assigned to the user through the assigned groups + $permission = new permissions; + $permissions = $permission->assigned($domain_uuid, $groups); + } + if (!empty($_SESSION["permissions"])) { + $permissions = $_SESSION["permissions"]; + } + + //set default to false + $result = false; + + //search for the permission + if (!empty($permissions) && !empty($permission)) { + foreach($permissions as $field) { + if ($permission == $field) { + $result = true; + } + } + } + //return the result - return $result; + return $result; } + + /** + * get the assigned permissions + * @var array $groups + */ + public function assigned($domain_uuid, $groups) { + //groups not provided return false + if (empty($groups)) { + return false; + } + + //get the permissions assigned to the user through the assigned groups + $x = 0; + $sql = "select distinct(permission_name) from v_group_permissions "; + $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) "; + foreach ($groups as $field) { + if (!empty($field['group_name'])) { + $sql_where_or[] = "group_name = :group_name_".$x; + $parameters['group_name_'.$x] = $field['group_name']; + $x++; + } + } + if (!empty($sql_where_or)) { + $sql .= "and 
(".implode(' or ', $sql_where_or).") "; + } + $sql .= "and permission_assigned = 'true' "; + $parameters['domain_uuid'] = $domain_uuid; + $database = new database; + $permissions = $database->select($sql, $parameters, 'all'); + unset($sql, $parameters, $result); + return $permissions; + } + + /** + * save the assigned permissions to a session + */ + public function session($domain_uuid, $groups) { + $permissions = $this->assigned($domain_uuid, $groups); + if (!empty($permissions)) { + foreach ($permissions as $row) { + $_SESSION['permissions'][$row["permission_name"]] = true; + $_SESSION["user"]["permissions"][$row["permission_name"]] = true; + } + } + } + } } diff --git a/resources/functions.php b/resources/functions.php index ea0c1c56c2..5c33b3095f 100644 --- a/resources/functions.php +++ b/resources/functions.php @@ -274,44 +274,11 @@ } } + //check if the permission exists if (!function_exists('permission_exists')) { function permission_exists($permission, $operator = 'or') { - //set default - $result = false; - //permissions exist - if (!empty($_SESSION["permissions"]) && is_array($_SESSION["permissions"]) && @sizeof($_SESSION['permissions']) != 0) { - //array - if (is_array($permission) && @sizeof($permission) != 0) { - if ($operator == 'and') { - $exists_all = true; - foreach ($permission as $perm) { - if ($_SESSION["permissions"][$permission] != true) { - $exists_all = false; - break; - } - } - $result = $exists_all; - } - else { - $exists_one = false; - foreach ($permission as $perm) { - if (isset($_SESSION["permissions"][$perm]) && $_SESSION["permissions"][$perm] != true) { - $exists_one = true; - break; - } - } - $result = $exists_one; - } - } - //single - else { - if (isset($_SESSION["permissions"][$permission]) && $_SESSION["permissions"][$permission] == true) { - $result = true; - } - } - } - //return the result - return $result; + $permission = new permissions; + return $permission->exists($permission); } } 
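Review bot: `exists()` is broken as an authorisation check: when `$_SESSION["permissions"]` is set it is the map written by `session()` below (`$_SESSION['permissions'][$row["permission_name"]] = true`), so `foreach($permissions as $field)` iterates the values, every `$field` is `true`, and the loose comparison `$permission == $field` holds for any non-empty string — one granted permission makes every permission check succeed. The database fallback has the opposite defect: `assigned()` returns rows shaped `['permission_name' => ...]`, and a string never `==` an array, so permissions resolved without a session are never found. Test the session map by key and the database rows by column with strict comparison, as below, and reject a non-string `$permission` up front, since an array or object also `== true`. The removed `isset($_SESSION["permissions"][$permission])` was the correct model.
```php
// … unchanged: global/session resolution of $permissions …

//set default to false
$result = false;

//only a permission name can be checked here; arrays are expanded by the caller
if (!is_string($permission) || $permission === '' || empty($permissions)) {
    return $result;
}

//session map written by session(): permission_name => true
if (isset($permissions[$permission]) && $permissions[$permission] === true) {
    $result = true;
}
//rows returned by assigned(): ['permission_name' => ...]
else {
    foreach ($permissions as $field) {
        if (is_array($field) && ($field['permission_name'] ?? null) === $permission) {
            $result = true;
            break;
        }
    }
}

//return the result
return $result;
```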
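Review bot: `permission_exists()` now overwrites its own argument: `$permission = new permissions;` replaces the name being checked with the object, so `$permission->exists($permission)` passes the permissions object instead of the name, and inside `exists()` an object `== true` matches any session entry, making every call return true for any user holding at least one permission. Rename the local: `$permissions = new permissions; return $permissions->exists($permission);`. The rewrite also silently drops the array form and the `$operator` argument the old body honoured (`'and'` required every name, the default required one), so callers passing arrays now get whatever `exists()` makes of an array; expand arrays here as below. The old `'or'` branch compared with `!= true` and so never matched, so the version below implements what the signature promises rather than what the old code did.
```php
function permission_exists($permission, $operator = 'or') {
    $permissions = new permissions; // distinct name: $permission is the value under test
    if (is_array($permission)) {
        if (count($permission) == 0) {
            return false;
        }
        foreach ($permission as $perm) {
            $found = $permissions->exists($perm);
            if ($operator == 'and' && !$found) {
                return false;
            }
            if ($operator != 'and' && $found) {
                return true;
            }
        }
        return $operator == 'and';
    }
    return $permissions->exists($permission);
}
```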
diff --git a/resources/pdo.php b/resources/pdo.php index 18ccf7f53b..74671b4ecb 100644 --- a/resources/pdo.php +++ b/resources/pdo.php 
@@ -279,84 +279,4 @@ if ($db_type == "odbc") { } } //end if db_type pgsql -//get the domain list - if (empty($_SESSION['domains']) or empty($_SESSION["domain_uuid"])) { - - //get the domain - $domain_array = explode(":", $_SERVER["HTTP_HOST"] ?? ''); - - //get the domains from the database - $database = new database; - if ($database->table_exists('v_domains')) { - $sql = "select * from v_domains order by domain_name asc;"; - $prep_statement = $db->prepare($sql); - $prep_statement->execute(); - $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); - foreach($result as $row) { - $domain_names[] = $row['domain_name']; - } - unset($prep_statement); - } - - //build the domains array in the correct order - if (is_array($domain_names)) { - foreach ($domain_names as $dn) { - foreach ($result as $row) { - if ($row['domain_name'] == $dn) { - $domains[] = $row; - } - } - } - unset($result); - } - - if (is_array($domains)) { - foreach($domains as $row) { - if (!isset($_SESSION['username'])) { - if (count($domains) == 1) { - $_SESSION["domain_uuid"] = $row["domain_uuid"]; - $_SESSION["domain_name"] = $row['domain_name']; - } - else { - if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) { - $_SESSION["domain_uuid"] = $row["domain_uuid"]; - $_SESSION["domain_name"] = $row["domain_name"]; - } - } - } - $_SESSION['domains'][$row['domain_uuid']] = $row; - } - unset($domains, $prep_statement); - } - } - -//get the software name - if (!isset($_SESSION["software_name"])) { - $database = new database; - if ($database->table_exists('v_software')) { - $sql = "select * from v_software "; - $prep_statement = $db->prepare(check_sql($sql)); - if ($prep_statement) { - $prep_statement->execute(); - $row = $prep_statement->fetch(PDO::FETCH_ASSOC); - $_SESSION["software_name"] = $row['software_name']; - } - unset($prep_statement, $result); - } - } - -//set the setting arrays - if (!isset($_SESSION['domain']['menu'])) { - $domain = new domains(); - 
$domain->set(); - } - -//set the domain_uuid variable from the session - if (!empty($_SESSION["domain_uuid"])) { - $domain_uuid = $_SESSION["domain_uuid"]; - } - else { - $domain_uuid = uuid(); - } - ?> diff --git a/resources/require.php b/resources/require.php index c2c5de0e5b..d5c5d659ef 100644 --- a/resources/require.php +++ b/resources/require.php @@ -123,14 +123,16 @@ require_once "resources/functions.php"; if (is_array($conf) && count($conf) > 0) { require_once "resources/pdo.php"; - require_once "resources/cidr.php"; + if (!defined('STDIN')) { + require_once "resources/cidr.php"; + } if (file_exists($_SERVER["DOCUMENT_ROOT"] . PROJECT_PATH . "/resources/switch.php")) { require_once "resources/switch.php"; } } //change language on the fly - for translate tool (if available) - if (isset($_REQUEST['view_lang_code']) && ($_REQUEST['view_lang_code']) != '') { + if (!defined('STDIN') && isset($_REQUEST['view_lang_code']) && ($_REQUEST['view_lang_code']) != '') { $_SESSION['domain']['language']['code'] = $_REQUEST['view_lang_code']; }
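Review bot: The modified condition still copies `$_REQUEST['view_lang_code']` into `$_SESSION['domain']['language']['code']` without validating it; if that value is later used to pick a translation file or echoed into a page (not visible here), an unchecked query-string value is a path-traversal or injection foothold, so constrain it, e.g. `if (!defined('STDIN') && !empty($_REQUEST['view_lang_code']) && preg_match('/^[a-z]{2}-[a-z]{2}$/i', $_REQUEST['view_lang_code'])) {`. The `xx-xx` shape is an assumption about the project's language codes — confirm against the translation files before adopting the regex. `!defined('STDIN')` is also a weaker CLI detector than the `is_cli()` helper this same patch uses in authentication.php, so prefer `!is_cli()` both here and for the `cidr.php` require to keep one definition of "running from the command line".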