separate token hash cost, Authenticator->userHasPermission now takes user as second parameter
This commit is contained in:
parent
7347fbe32f
commit
bfe7b0c1b4
1
.gitignore
vendored
1
.gitignore
vendored
@ -8,3 +8,4 @@ packages/**
|
||||
!packages/crispage.core/**
|
||||
!packages/.htaccess
|
||||
crispage_*.tar.gz
|
||||
_build/**
|
||||
|
@ -76,7 +76,7 @@
|
||||
|
||||
// Check perms
|
||||
$perm = $class::getPermissions()["create"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
http_response_code(401);
|
||||
$out = ["error" => "Unauthorized"];
|
||||
break;
|
||||
@ -132,7 +132,7 @@
|
||||
$perm = $asset::getPermissions()["modify_own"];
|
||||
else $perm = $asset::getPermissions()["modify"];
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
http_response_code(401);
|
||||
$out = ["error" => "Unauthorized"];
|
||||
break;
|
||||
@ -186,7 +186,7 @@
|
||||
$perm = $asset::getPermissions()["delete_own"];
|
||||
else $perm = $asset::getPermissions()["delete"];
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
http_response_code(401);
|
||||
$out = ["error" => "Unauthorized"];
|
||||
break;
|
||||
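Review bot: The permission-denied branch after each updated `userHasPermission($perm)` call in this file answers with `http_response_code(401)`, yet these checks fail because an already-resolved user lacks the permission, for which 403 is the conventional status; 401 signals missing credentials and invites clients to re-authenticate. Consider `http_response_code(403);` with `$out = ["error" => "Forbidden"];` in the three hunks here, and the same in the extension script near the end of the page where `die("Unauthorized")` follows a 401. This is pre-existing behaviour that the signature change leaves untouched, and the enclosing blocks (the `break;` suggests case bodies) start outside the hunks.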
|
@ -76,7 +76,7 @@
|
||||
$perm = $asset::getPermissions()["modify_own"];
|
||||
else $perm = $asset::getPermissions()["modify"];
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
http_response_code(401);
|
||||
$out = ["error" => "Unauthorized"];
|
||||
break;
|
||||
|
@ -58,7 +58,7 @@
|
||||
|
||||
$this->app->search->fromText($query);
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::VIEW_UNPUBLISHED))
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::VIEW_UNPUBLISHED))
|
||||
$this->app->search->addFilter(new SearchFilter("state", 0, SearchFilter::FOP_GREATER));
|
||||
|
||||
$this->app->search->collect();
|
||||
|
@ -87,7 +87,7 @@
|
||||
}
|
||||
|
||||
// Check that user has required permissions
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
http_response_code(401);
|
||||
header("Content-Type: application/json");
|
||||
$com = $this->app->page->createComponent(
|
||||
|
@ -44,7 +44,7 @@
|
||||
|
||||
// If not published and user does not have unpublished perms, error 404
|
||||
$show_unpublished = $this->app->auth->userHasPermission(
|
||||
null, CorePermissions::VIEW_UNPUBLISHED
|
||||
CorePermissions::VIEW_UNPUBLISHED
|
||||
);
|
||||
if ($article->state < Article::PUBLISHED && !$show_unpublished) {
|
||||
$this->app->handleException(new CrispageException(
|
||||
|
@ -73,7 +73,7 @@
|
||||
$perm = $this->data["asset"]::getPermissions()["delete_own"];
|
||||
else $perm = $this->data["asset"]::getPermissions()["delete"];
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -80,7 +80,7 @@
|
||||
$perm = $this->data["asset"]::getPermissions()["modify_own"];
|
||||
else $perm = $this->data["asset"]::getPermissions()["modify"];
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
@ -96,7 +96,7 @@
|
||||
$this->data["asset"] = null;
|
||||
|
||||
$perm = $this->data["classname"]::getPermissions()["create"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -37,7 +37,7 @@
|
||||
|
||||
// Check perms
|
||||
$perm = Comment::getPermissions()["modify"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -37,7 +37,7 @@
|
||||
|
||||
// Check perms
|
||||
$perm = Comment::getPermissions()["modify"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -34,7 +34,7 @@
|
||||
"route" => "extensions/list"
|
||||
]);
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MANAGE_EXTENSIONS)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MANAGE_EXTENSIONS)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -36,7 +36,7 @@
|
||||
|
||||
$this->data["package"] = strval($this->app->request->params["package"] ?? "");
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MANAGE_EXTENSIONS)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MANAGE_EXTENSIONS)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -38,7 +38,7 @@
|
||||
"folder" => $this->data["folder"]->path
|
||||
]);
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MANAGE_MEDIA)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MANAGE_MEDIA)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -38,7 +38,7 @@
|
||||
"folder" => $this->data["folder"]
|
||||
]);
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MANAGE_MEDIA)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MANAGE_MEDIA)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -38,7 +38,7 @@
|
||||
"folder" => $this->data["folder"]->path
|
||||
]);
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MANAGE_MEDIA)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MANAGE_MEDIA)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -40,7 +40,7 @@
|
||||
|
||||
// Check perms
|
||||
$perm = Module::getPermissions()["create"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -33,7 +33,7 @@
|
||||
if (!is_array($settings)) $settings = [];
|
||||
|
||||
if (!empty($settings)) {
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MODIFY_SETTINGS)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MODIFY_SETTINGS)) {
|
||||
$this->app->page->data["messages"]["no_permission"] = [
|
||||
"content" => $this->app->i18n->translate("{%YOU_DO_NOT_HAVE_PERMISSION_TO_PERFORM_}"),
|
||||
"color" => "danger"
|
||||
@ -53,7 +53,7 @@
|
||||
if (!is_array($tools)) $tools = [];
|
||||
|
||||
if (!empty($tools)) {
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::MODIFY_SETTINGS)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::MODIFY_SETTINGS)) {
|
||||
$this->app->page->data["messages"]["no_permission"] = [
|
||||
"content" => $this->app->i18n->translate("{%YOU_DO_NOT_HAVE_PERMISSION_TO_PERFORM_}"),
|
||||
"color" => "danger"
|
||||
|
@ -40,7 +40,7 @@
|
||||
|
||||
// Check perms
|
||||
$perm = User::getPermissions()["create"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -37,7 +37,7 @@
|
||||
]);
|
||||
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::SEND_MESSAGES)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::SEND_MESSAGES)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate(
|
||||
|
@ -37,7 +37,7 @@
|
||||
$this->app->page->redirect(URIUtils::iuri("/login", ["rl" => "/backend"]));
|
||||
|
||||
// Check that user has backend perms
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::BACKEND)) {
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::BACKEND)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"backend_access_denied",
|
||||
$this->app->i18n->getTranslation("BACKEND_ACCESS_DENIED"),
|
||||
|
@ -43,7 +43,7 @@
|
||||
}
|
||||
|
||||
$perm = Comment::getPermissions()["create"];
|
||||
if (!$this->app->auth->userHasPermission(null, $perm)) {
|
||||
if (!$this->app->auth->userHasPermission($perm)) {
|
||||
$this->app->page->setPersistentMessage(
|
||||
"no_permission",
|
||||
$this->app->i18n->translate("{%YOU_DO_NOT_HAVE_PERMISSION_TO_PERFORM_}"),
|
||||
|
@ -51,7 +51,7 @@
|
||||
|
||||
$this->app->search->fromText($query);
|
||||
|
||||
if (!$this->app->auth->userHasPermission(null, CorePermissions::VIEW_UNPUBLISHED))
|
||||
if (!$this->app->auth->userHasPermission(CorePermissions::VIEW_UNPUBLISHED))
|
||||
$this->app->search->addFilter(new SearchFilter("state", 0, SearchFilter::FOP_GREATER));
|
||||
|
||||
$this->app->search->collect();
|
||||
|
@ -70,11 +70,12 @@
|
||||
return $this->currentUser && $this->sessionId;
|
||||
}
|
||||
|
||||
public function password_hash(string $passwd): string {
|
||||
public function password_hash(string $passwd, bool $token = false): string {
|
||||
$ckey = ($token) ? "crispage.security.token_opts" : "crispage.security.password_opts";
|
||||
return password_hash(
|
||||
$passwd,
|
||||
ApplicationConfig::get("crispage.security.password_algo"),
|
||||
ApplicationConfig::get("crispage.security.password_opts")
|
||||
ApplicationConfig::get($ckey)
|
||||
);
|
||||
}
|
||||
|
||||
@ -89,7 +90,7 @@
|
||||
|
||||
$sessid = uniqid("cspg_", true);
|
||||
$token = $this->token();
|
||||
$token_hash = $this->password_hash($token);
|
||||
$token_hash = $this->password_hash($token, true);
|
||||
$expire_time = time() + (int)$this->app->settings->get(
|
||||
"crispage.auth.session_timeout", 3600
|
||||
);
|
||||
@ -564,7 +565,7 @@
|
||||
return $this->setPassword($user, $password);
|
||||
}
|
||||
|
||||
public function getRank(User $user = null): int {
|
||||
public function getRank(?User $user = null): int {
|
||||
// Default to current user
|
||||
$user ??= $this->currentUser;
|
||||
if (!$user) return -1;
|
||||
@ -584,7 +585,7 @@
|
||||
return $rank;
|
||||
}
|
||||
|
||||
public function getPermissions(User $user = null): int {
|
||||
public function getPermissions(?User $user = null): int {
|
||||
// Default to current user
|
||||
$user ??= $this->currentUser;
|
||||
if (!$user) return 0;
|
||||
@ -605,7 +606,7 @@
|
||||
return $perms;
|
||||
}
|
||||
|
||||
public function userHasPermission(?User $user, int $perms = null): bool {
|
||||
public function userHasPermission(?int $perms = null, ?User $user = null): bool {
|
||||
if ($perms === CorePermissions::NEVER) return false;
|
||||
return ($this->getPermissions($user) & $perms) == $perms;
|
||||
}
|
||||
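Review bot: With `?int $perms = null` kept in the new userHasPermission signature, a call that omits the permission mask passes vacuously: `getPermissions($user) & null` evaluates to 0 and `0 == null` is true under the loose comparison on the next line, so an accidentally empty check grants access instead of denying it. Every call site touched by this commit passes a mask, so the parameter can be required, `public function userHasPermission(int $perms, ?User $user = null): bool {`, and the comparison made strict, `return ($this->getPermissions($user) & $perms) === $perms;`; if a null mask must stay accepted, return false for it explicitly rather than relying on the bitwise fallthrough. In the password_hash hunk above, `ApplicationConfig::get($ckey)` now reads `crispage.security.token_opts`, which nothing in this commit defines; if `get()` yields null for a missing key, the third argument to the global password_hash() is no longer an array, so confirm the key ships with the default config, and since `token()` is outside the hunk, confirm the token is CSPRNG-generated before relying on a cheaper hash cost for it.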
|
@ -14,7 +14,7 @@
|
||||
|
||||
defined("ROOT") or die();
|
||||
|
||||
use \Crispage\Config;
|
||||
use \Crispage\ApplicationConfig;
|
||||
use \Crispage\Framework\Asset;
|
||||
use \Crispage\Framework\ApplicationFeature;
|
||||
|
||||
|
@ -64,7 +64,7 @@
|
||||
($this->app->i18n)("<p class=\"title is-3\">{%COMMENTS}</p>");
|
||||
|
||||
if ($this->data["module"]->config("show_form", true)) {
|
||||
if ($this->app->auth->userHasPermission(null, CorePermissions::POST_COMMENT)) {
|
||||
if ($this->app->auth->userHasPermission(CorePermissions::POST_COMMENT)) {
|
||||
$com_body = $this->app->page->createComponent(
|
||||
"\\Crispage\\Components\\Fields\\TextareaFieldComponent", [
|
||||
"name" => "body",
|
||||
@ -98,7 +98,7 @@
|
||||
}
|
||||
|
||||
$perm = Comment::getPermissions()["modify"];
|
||||
$is_mod = $this->app->auth->userHasPermission(null, $perm);
|
||||
$is_mod = $this->app->auth->userHasPermission($perm);
|
||||
|
||||
$count = 0;
|
||||
foreach ($comments as $comment) {
|
||||
|
@ -34,7 +34,7 @@
|
||||
$Crispage->init();
|
||||
|
||||
$Crispage->auth->refreshSession();
|
||||
if (!$Crispage->auth->userHasPermission(null, CorePermissions::MANAGE_EXTENSIONS)) {
|
||||
if (!$Crispage->auth->userHasPermission(CorePermissions::MANAGE_EXTENSIONS)) {
|
||||
http_response_code(401);
|
||||
die("Unauthorized");
|
||||
}
|
||||
|