From 8f20009475970d824c46bd892895a01657c249ea Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Fri, 28 Jun 2013 21:32:59 +0200
Subject: [PATCH] Distinguish between admin and user API call

Fixes #268
---
 .../include/pages/api/getuserstatus.inc.php | 26 ++++++++++++++-----
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/public/include/pages/api/getuserstatus.inc.php b/public/include/pages/api/getuserstatus.inc.php
index c91ade94..ac8f6654 100644
--- a/public/include/pages/api/getuserstatus.inc.php
+++ b/public/include/pages/api/getuserstatus.inc.php
@@ -5,18 +5,30 @@
 if (!defined('SECURITY')) die('Hacking attempt');
 
 // Check user token
-$id = $user->checkApiKey($_REQUEST['api_key']);
+$user_id = $user->checkApiKey($_REQUEST['api_key']);
 
-// We have to check if that user is admin too
-if ( ! $user->isAdmin($id) ) {
+/**
+ * This check will ensure the user can do the following:
+ * Admin: Check any user via request id
+ * Regular: Check your own status
+ * Other: Deny access via checkApiKey
+ **/
+if ( ! $user->isAdmin($user_id) && ($_REQUEST['id'] != $user_id && !empty($_REQUEST['id']))) {
+  // User is admin and tries to access an ID that is not their own
   header("HTTP/1.1 401 Unauthorized");
   die("Access denied");
+} else if ($user->isAdmin($user_id)) {
+  // Admin, so allow any ID passed in request
+  $id = $_REQUEST['id'];
+  // Is it a username or a user ID
+  ctype_digit($_REQUEST['id']) ? $username = $user->getUserName($_REQUEST['id']) : $username = $_REQUEST['id'];
+  ctype_digit($_REQUEST['id']) ? $id = $_REQUEST['id'] : $id = $user->getUserId($_REQUEST['id']);
+} else {
+  // Not admin, only allow own user ID
+  $id = $user_id;
+  $username = $user->getUserName($id);
 }
 
-// Is it a username or a user ID
-ctype_digit($_REQUEST['id']) ? $username = $user->getUserName($_REQUEST['id']) : $username = $_REQUEST['id'];
-ctype_digit($_REQUEST['id']) ? $id = $_REQUEST['id'] : $id = $user->getUserId($_REQUEST['id']);
-
 // Output JSON format
 echo json_encode(array('getuserstatus' => array(
   'username' => $username,
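Review bot: The admin branch reads `$_REQUEST['id']` unguarded, so an admin calling without an `id` parameter gets an undefined-index notice, `ctype_digit(null)` is false, and the request resolves to `$username = null` and `$id = $user->getUserId(null)`; the non-admin branch already falls back to the caller's own id, and the admin branch should do the same with `$target = empty($_REQUEST['id']) ? $user_id : $_REQUEST['id'];` and the two `ctype_digit` lines reading `$target` instead of `$_REQUEST['id']`. The comment on the 401 branch, `// User is admin and tries to access an ID that is not their own`, describes the opposite case: that branch is only reached when the caller is not an admin, so `// Not an admin and the requested id is not the caller's own` would be accurate. `$_REQUEST['id'] != $user_id` is a loose comparison between a request string and whatever checkApiKey returns (its type is not visible here); it is harmless in the deny check because the non-admin branch never uses `$_REQUEST['id']`, but casting both sides to the same type and comparing strictly would make the intent explicit and also let a regular user pass their own username the way admins can. `$user->isAdmin($user_id)` is evaluated twice; hoisting it into a local such as `$is_admin` keeps the two branches from ever disagreeing.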