pcwvanbeers/assetmgt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b34733f9b761416d376da66d3c24eac407a61436
assetmgt/api.php
“VeLiTi” f7a91737bc Implement RBAC migration and role management enhancements 
- Added AJAX functionality to fetch role permissions for copying.
- Introduced system role management with permission checks for updates.
- Implemented role deletion with confirmation modal and backend handling.
- Enhanced user role assignment migration scripts to transition from legacy profiles to RBAC.
- Created SQL migration scripts for user roles and permissions mapping.
- Updated user interface to support new role management features including copy permissions and system role indicators.
2026-01-27 15:10:21 +01:00

230 lines
8.0 KiB
PHP
Raw Blame History

<?php
define('secure_34563$52', true);
//------------------------------------------
// Get DATA from API
//------------------------------------------
$request = explode('/', trim($_SERVER['PATH_INFO'],'/'));
//$input = json_decode(file_get_contents('php://input'),true);
$post_data_curl = fopen('php://input', 'r');
$input = stream_get_contents($post_data_curl);
//------------------------------------------
// Include functions
//------------------------------------------
require_once './assets/functions.php';
include './settings/settings_redirector.php';
include './settings/config_redirector.php';
if (debug){
set_error_handler(function($errno, $errstr, $errfile, $errline) {
debuglog("PHP ERROR [$errno]: $errstr in $errfile on line $errline");
return false; // Let PHP handle as usual (optional)
});
set_exception_handler(function($exception) {
debuglog("PHP EXCEPTION: " . $exception->getMessage() . " in " . $exception->getFile() . " on line " . $exception->getLine());
});
}
//------------------------------------------
// Header security - enabled via config
//------------------------------------------
if (header_security){
// Array of allowed domain patterns (without the protocol part)
$allowedDomainPatterns = [
'vanbeers.tv',
'soveliti.nl',
'veliti.nl',
'gewoonlekkerspaans.nl'
];
// Get the origin from the request headers
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
// Set CORS headers if origin is allowed
if (isOriginAllowed($origin, $allowedDomainPatterns)) {
header("Access-Control-Allow-Origin: $origin");
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: Authorization, Content-Type");
//header("Access-Control-Allow-Credentials: true"); // Include if needed
}
// Handle preflight requests
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
// Return early with 204 No Content for preflight requests
http_response_code(204);
exit;
}
// Strict security headers
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Content-Security-Policy: default-src \'none\'');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header('Referrer-Policy: strict-origin-when-cross-origin');
// Validate Content-Type
if (!str_contains($_SERVER['CONTENT_TYPE'] ?? '', 'application/json')) {
http_response_code(400);
exit(json_encode(['error' => 'Invalid Content-Type']));
}
// Validate request size
$maxRequestSize = 5 * 1024 * 1024; // 5MB in bytes
if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxRequestSize) {
http_response_code(413);
exit(json_encode(['error' => 'Request too large']));
}
}
//------------------------------------------
// Retrieve API version and Collection
// api.php/(v)ersion/{get/post}/collection/
//------------------------------------------
$version = (isset($request[0])) ? strtolower($request[0]) : '';
$collection = (isset($request[1])) ? strtolower($request[1]) : '';
$get_content = (isset($request[2])) ? strtolower($request[2]) : '';
//------------------------------------------
// Initial authorization request - get TOKEN
//------------------------------------------
if ($collection == 'authorization'){
$api_authorization = './api/'.$version.'/'.$collection.'.php'; //Get related file
if (file_exists($api_authorization)){
include_once $api_authorization; //Include the code
}
else
{
echo null;
}
}
else {
//------------------------------------------
// Check Security token
//------------------------------------------
$bearer_token = get_bearer_token();
$is_jwt_valid = is_jwt_valid($bearer_token);
//------------------------------------------
//IF security token is valid
//------------------------------------------
if($is_jwt_valid && str_contains($version, 'v')) {
//------------------------------------------
// Get Userrights
//------------------------------------------
$userkey = getUserKey($bearer_token); //Get key from Token
$api_user_file = './api/'.$version.'/get/user_credentials.php'; //Get related file
if (file_exists($api_user_file)){
include_once $api_user_file; //Include the code
}
else
{
echo null;
}
//
//------------------------------------------
// Check for maintenance mode, exclude debug user
//------------------------------------------
if(maintenance_mode == false || debug_id == $user_data['id']){
//------------------------------------------
// Build up version and check if file is available
//------------------------------------------
$api_file = './api/'.$version.'/get/'.$collection.'.php';
$api_file_post = './api/'.$version.'/post/'.$collection.'.php';
//------------------------------------------
//GET CLEAN LANGUAGE CODE
//------------------------------------------
$language_code = ($user_data['language']) ? $user_data['language'] : 'US';
$api_file_language = './settings/translations/translations_'.strtoupper($language_code).'.php';
//------------------------------------------
//INCLUDE LANGUAGE FILE
//------------------------------------------
if (file_exists($api_file_language)){
include_once $api_file_language; //Include the code
}
else {
include_once './settings/translations/translations_US.php';
}
//------------------------------------------
//CHECK IF USER IS ALLOWED TO CALL SPECIFIC API
//------------------------------------------
//------------------------------------------
// First check if endPoint is fileUpload
//------------------------------------------
$fileUploadEndpoints = [
'media_upload',
'marketing_upload'
];
$isFileUploadEndpoint = in_array($collection, $fileUploadEndpoints);
$hasValidFileData = !empty($_FILES) && $_SERVER['REQUEST_METHOD'] ==='POST';
if ($isFileUploadEndpoint && $hasValidFileData) {
$input = $_POST;
}
//------------------------------------------
// END check if endPoint is fileUpload
//------------------------------------------
debuglog("API call: collection=$collection, input_empty=" . (empty($input) ? 'true' : 'false') . ", file_exists=" . (file_exists($api_file) ? 'true' : 'false'));
if (isAllowed($collection,$profile,$permission,'R') === 1 && empty($input) && file_exists($api_file)){
include_once $api_file;
}
elseif (isAllowed($collection,$profile,$permission,'U') === 1 && !empty($input) && file_exists($api_file_post)){
include_once $api_file_post;
}
else
{
//------------------------------------------
// User not allowed to perform operation
//------------------------------------------
http_response_code(403); //Forbidden
}
}
else
{
//------------------------------------------
// Maintenance mode is activce -> service unavailable
//------------------------------------------
http_response_code(503); //Service Unavailable
}
}
else
{
//------------------------------------------
// JWT not VALID
//------------------------------------------
http_response_code(403); //Forbidden
}
}
//------------------------------------------
// Debuglog
//------------------------------------------
if (debug){
$time_elapsed = microtime(true) - $_SERVER["REQUEST_TIME_FLOAT"];
$message = $date.';'.$collection.';'.$time_elapsed.';'.$username;
debuglog($message);
}
?>
Reference in New Issue View Git Blame Copy Permalink