pcwvanbeers/assetmgt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor user permission handling to utilize hierarchy levels across user credential retrieval and role management. Update permission checks in user_roles.php and enhance session management in index.php for improved security and consistency.

Browse Source
This commit is contained in:
“VeLiTi”
2026-01-30 09:17:54 +01:00
parent 8df518d0a2
commit b3327f21ed
7 changed files with 19 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
api/v0/get/user_credentials.php
View File

@@ -14,7 +14,6 @@ $stmt->execute([$userkey, $userkey]);
$user_data = $stmt->fetch(); $user_data = $stmt->fetch();
//Define User data //Define User data
$partnerhierarchy = $user_data['partnerhierarchy']; $partnerhierarchy = $user_data['partnerhierarchy'];
$permission = userRights($user_data['view']);
$profile= getUserPermissions($pdo, $user_data['id']); $profile= getUserPermissions($pdo, $user_data['id']);
$username = $user_data['username']; $username = $user_data['username'];
$useremail = $user_data['email']; $useremail = $user_data['email'];
@@ -22,6 +21,7 @@ $servicekey = $user_data['service'];
$partner = json_decode($partnerhierarchy); $partner = json_decode($partnerhierarchy);
$language = $user_data['language']; $language = $user_data['language'];
$clientsecret = $user_data['userkey']; $clientsecret = $user_data['userkey'];
$permission = getHierarchyLevel($partner); //upgrade from userrights(view)
//Update Lastlogin //Update Lastlogin
$logindate = date('Y-m-d H:i:s'); $logindate = date('Y-m-d H:i:s');

2
api/v1/get/user_credentials.php
View File

@@ -16,7 +16,6 @@ if ($stmt->rowCount() == 1) {
$user_data = $stmt->fetch(); $user_data = $stmt->fetch();
//Define User data //Define User data
$partnerhierarchy = $user_data['partnerhierarchy']; $partnerhierarchy = $user_data['partnerhierarchy'];
$permission = userRights($user_data['view']);
$profile= getUserPermissions($pdo, $user_data['id']); $profile= getUserPermissions($pdo, $user_data['id']);
$username = $user_data['username']; $username = $user_data['username'];
$useremail = $user_data['email']; $useremail = $user_data['email'];
@@ -24,6 +23,7 @@ if ($stmt->rowCount() == 1) {
$language = $user_data['language']; $language = $user_data['language'];
$partner = json_decode($partnerhierarchy); $partner = json_decode($partnerhierarchy);
$clientsecret = $user_data['userkey']; $clientsecret = $user_data['userkey'];
$permission = getHierarchyLevel($partner); //upgrade from userrights(view)
//Update Lastlogin //Update Lastlogin
$logindate = date('Y-m-d H:i:s'); $logindate = date('Y-m-d H:i:s');

2
api/v2/get/user_credentials.php
View File

@@ -18,7 +18,6 @@ if ($stmt->rowCount() == 1) {
$user_data = $stmt->fetch(); $user_data = $stmt->fetch();
//Define User data //Define User data
$partnerhierarchy = $user_data['partnerhierarchy']; $partnerhierarchy = $user_data['partnerhierarchy'];
$permission = userRights($user_data['view']);
$profile= getUserPermissions($pdo, $user_data['id']); //getProfile($user_data['settings'],$permission); $profile= getUserPermissions($pdo, $user_data['id']); //getProfile($user_data['settings'],$permission);
$username = $user_data['username']; $username = $user_data['username'];
$useremail = $user_data['email']; $useremail = $user_data['email'];
@@ -26,6 +25,7 @@ if ($stmt->rowCount() == 1) {
$language = $user_data['language']; $language = $user_data['language'];
$partner = json_decode($partnerhierarchy); $partner = json_decode($partnerhierarchy);
$clientsecret = $user_data['userkey']; $clientsecret = $user_data['userkey'];
$permission = getHierarchyLevel($partner); //upgrade from userrights(view)
//Update Lastlogin //Update Lastlogin
$logindate = date('Y-m-d H:i:s'); $logindate = date('Y-m-d H:i:s');

6
api/v2/post/user_roles.php
View File

@@ -55,7 +55,7 @@ $clause_insert = substr($clause_insert, 2);
$input_insert = substr($input_insert, 1); $input_insert = substr($input_insert, 1);
//QUERY AND VERIFY ALLOWED //QUERY AND VERIFY ALLOWED
if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U') === 1){ if ($command == 'update' && isAllowed('user_roles',$profile,$permission,'U') === 1){
$sql = 'UPDATE user_roles SET '.$clause.' WHERE rowID = ?'; $sql = 'UPDATE user_roles SET '.$clause.' WHERE rowID = ?';
$execute_input[] = $id; $execute_input[] = $id;
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
@@ -82,7 +82,7 @@ if ($command == 'update' && isAllowed('user_role_manage',$profile,$permission,'U
} }
} }
} }
elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permission,'C') === 1){ elseif ($command == 'insert' && isAllowed('user_roles',$profile,$permission,'C') === 1){
$sql = 'INSERT INTO user_roles ('.$clause_insert.') VALUES ('.$input_insert.')'; $sql = 'INSERT INTO user_roles ('.$clause_insert.') VALUES ('.$input_insert.')';
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
@@ -106,7 +106,7 @@ elseif ($command == 'insert' && isAllowed('user_role_manage',$profile,$permissio
} }
} }
} }
elseif ($command == 'delete' && isAllowed('user_role_manage',$profile,$permission,'D') === 1){ elseif ($command == 'delete' && isAllowed('user_roles',$profile,$permission,'D') === 1){
//Delete role permissions first (foreign key constraint) //Delete role permissions first (foreign key constraint)
$stmt = $pdo->prepare('DELETE FROM role_access_permissions WHERE role_id = ?'); $stmt = $pdo->prepare('DELETE FROM role_access_permissions WHERE role_id = ?');
$stmt->execute([$id]); $stmt->execute([$id]);

1
assets/functions.php
View File

@@ -1726,6 +1726,7 @@ function getProfile($profile, $permission){
$always_allowed = [ $always_allowed = [
'com_log' => 'CRU', 'com_log' => 'CRU',
'application' => 'CRU', 'application' => 'CRU',
'user_roles' => 'R',
'user_role_assignments' => 'R', 'user_role_assignments' => 'R',
'user_permissions' => 'R', 'user_permissions' => 'R',
'products_software' => 'R', 'products_software' => 'R',

2
equipment.php
View File

@@ -461,7 +461,7 @@ $shipto_id = explode("-",$partner_data->shipto) ?? '';
$partner_users_id = ($shipto_id[0] != '')? $shipto_id[0] : (($soldto_id[0] != '')? $soldto_id[0] : 1); $partner_users_id = ($shipto_id[0] != '')? $shipto_id[0] : (($soldto_id[0] != '')? $soldto_id[0] : 1);
$view_communication = ''; $view_communication = '';
if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1){ if ($partner_users_id != 1 && (isAllowed('communications',$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'R') === 1)){
$view_communication = ' <a href="index.php?page=communications&partnerid='.$partner_users_id.'" class="btn">'.$button_partner_assigned_communication.'</a>'; $view_communication = ' <a href="index.php?page=communications&partnerid='.$partner_users_id.'" class="btn">'.$button_partner_assigned_communication.'</a>';
} }

9
index.php
View File

@@ -29,7 +29,7 @@ include_once dirname(__FILE__).'/settings/countries.php';
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
//GET USER PERMISSION ASSIGNED //GET USER PERMISSION ASSIGNED
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ //+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
if (!isset($_SESSION['authorization']['id'])){ if (!isset($_SESSION['authorization']['id']) && isset($_SESSION['authorization']['userkey'])){
$api_url = '/v2/user_permissions/userkey='.$_SESSION['authorization']['userkey']; $api_url = '/v2/user_permissions/userkey='.$_SESSION['authorization']['userkey'];
$responses = ioServer($api_url,''); $responses = ioServer($api_url,'');
@@ -37,9 +37,16 @@ if (!isset($_SESSION['authorization']['id'])){
if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;} if (!empty($responses)){$responses = json_decode($responses,true);}else{$responses = null;}
//STORE DATA IN SESSION //STORE DATA IN SESSION
if (is_array($responses) && !isset($responses['error'])) {
foreach($responses as $key => $value){ foreach($responses as $key => $value){
$_SESSION['authorization'][$key] = $value; $_SESSION['authorization'][$key] = $value;
} }
} else {
// API call failed or returned error - redirect to login
session_destroy();
header('location: login.php');
die();
}
} }
if (debug && debug_id == $_SESSION['authorization']['id']){ if (debug && debug_id == $_SESSION['authorization']['id']){