From 4a230d331ec220fc32a48525afb308af0d9787fa Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sun, 26 Jun 2016 10:25:13 -0400
Subject: Added application and project roles validation for API procedure
 calls

---
 app/Api/Authorization/ProcedureAuthorization.php | 32 ++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 app/Api/Authorization/ProcedureAuthorization.php

(limited to 'app/Api/Authorization/ProcedureAuthorization.php')

diff --git a/app/Api/Authorization/ProcedureAuthorization.php b/app/Api/Authorization/ProcedureAuthorization.php
new file mode 100644
index 00000000..070a6371
--- /dev/null
+++ b/app/Api/Authorization/ProcedureAuthorization.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Kanboard\Api\Authorization;
+
+use JsonRPC\Exception\AccessDeniedException;
+use Kanboard\Core\Base;
+
+/**
+ * Class ProcedureAuthorization
+ *
+ * @package Kanboard\Api\Authorization
+ * @author  Frederic Guillot
+ */
+class ProcedureAuthorization extends Base
+{
+    private $userSpecificProcedures = array(
+        'getMe',
+        'getMyDashboard',
+        'getMyActivityStream',
+        'createMyPrivateProject',
+        'getMyProjectsList',
+        'getMyProjects',
+        'getMyOverdueTasks',
+    );
+
+    public function check($procedure)
+    {
+        if (! $this->userSession->isLogged() && in_array($procedure, $this->userSpecificProcedures)) {
+            throw new AccessDeniedException('This procedure is not available with the API credentials');
+        }
+    }
+}
-- 
cgit v1.2.3