From 4a230d331ec220fc32a48525afb308af0d9787fa Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sun, 26 Jun 2016 10:25:13 -0400
Subject: Added application and project roles validation for API procedure
 calls

---
 app/Api/Middleware/AuthenticationApiMiddleware.php | 137 ---------------------
 app/Api/Middleware/AuthenticationMiddleware.php    |  82 ++++++++++++
 2 files changed, 82 insertions(+), 137 deletions(-)
 delete mode 100644 app/Api/Middleware/AuthenticationApiMiddleware.php
 create mode 100644 app/Api/Middleware/AuthenticationMiddleware.php

(limited to 'app/Api/Middleware')

diff --git a/app/Api/Middleware/AuthenticationApiMiddleware.php b/app/Api/Middleware/AuthenticationApiMiddleware.php
deleted file mode 100644
index b16e10b8..00000000
--- a/app/Api/Middleware/AuthenticationApiMiddleware.php
+++ /dev/null
@@ -1,137 +0,0 @@
-<?php
-
-namespace Kanboard\Api\Middleware;
-
-use JsonRPC\Exception\AccessDeniedException;
-use JsonRPC\Exception\AuthenticationFailureException;
-use JsonRPC\MiddlewareInterface;
-use Kanboard\Core\Base;
-
-/**
- * Class AuthenticationApiMiddleware
- *
- * @package Kanboard\Api\Middleware
- * @author  Frederic Guillot
- */
-class AuthenticationApiMiddleware extends Base implements MiddlewareInterface
-{
-    private $user_allowed_procedures = array(
-        'getMe',
-        'getMyDashboard',
-        'getMyActivityStream',
-        'createMyPrivateProject',
-        'getMyProjectsList',
-        'getMyProjects',
-        'getMyOverdueTasks',
-    );
-
-    private $both_allowed_procedures = array(
-        'getTimezone',
-        'getVersion',
-        'getDefaultTaskColor',
-        'getDefaultTaskColors',
-        'getColorList',
-        'getProjectById',
-        'getSubTask',
-        'getTask',
-        'getTaskByReference',
-        'getTimeSpent',
-        'getAllTasks',
-        'getAllSubTasks',
-        'hasTimer',
-        'logStartTime',
-        'logEndTime',
-        'openTask',
-        'closeTask',
-        'moveTaskPosition',
-        'createTask',
-        'createSubtask',
-        'updateTask',
-        'getBoard',
-        'getProjectActivity',
-        'getOverdueTasksByProject',
-        'searchTasks',
-    );
-
-    /**
-     * Execute Middleware
-     *
-     * @access public
-     * @param  string $username
-     * @param  string $password
-     * @param  string $procedureName
-     * @throws AccessDeniedException
-     * @throws AuthenticationFailureException
-     */
-    public function execute($username, $password, $procedureName)
-    {
-        $this->dispatcher->dispatch('app.bootstrap');
-
-        if ($this->isUserAuthenticated($username, $password)) {
-            $this->checkProcedurePermission(true, $procedureName);
-            $this->userSession->initialize($this->userModel->getByUsername($username));
-        } elseif ($this->isAppAuthenticated($username, $password)) {
-            $this->checkProcedurePermission(false, $procedureName);
-        } else {
-            $this->logger->error('API authentication failure for '.$username);
-            throw new AuthenticationFailureException('Wrong credentials');
-        }
-    }
-
-    /**
-     * Check user credentials
-     *
-     * @access public
-     * @param  string  $username
-     * @param  string  $password
-     * @return boolean
-     */
-    private function isUserAuthenticated($username, $password)
-    {
-        return $username !== 'jsonrpc' &&
-        ! $this->userLockingModel->isLocked($username) &&
-        $this->authenticationManager->passwordAuthentication($username, $password);
-    }
-
-    /**
-     * Check administrative credentials
-     *
-     * @access public
-     * @param  string  $username
-     * @param  string  $password
-     * @return boolean
-     */
-    private function isAppAuthenticated($username, $password)
-    {
-        return $username === 'jsonrpc' && $password === $this->getApiToken();
-    }
-
-    /**
-     * Get API Token
-     *
-     * @access private
-     * @return string
-     */
-    private function getApiToken()
-    {
-        if (defined('API_AUTHENTICATION_TOKEN')) {
-            return API_AUTHENTICATION_TOKEN;
-        }
-
-        return $this->configModel->get('api_token');
-    }
-
-    public function checkProcedurePermission($is_user, $procedure)
-    {
-        $is_both_procedure = in_array($procedure, $this->both_allowed_procedures);
-        $is_user_procedure = in_array($procedure, $this->user_allowed_procedures);
-
-        if ($is_user && ! $is_both_procedure && ! $is_user_procedure) {
-            throw new AccessDeniedException('Permission denied');
-        } elseif (! $is_user && ! $is_both_procedure && $is_user_procedure) {
-            throw new AccessDeniedException('Permission denied');
-        }
-
-        $this->logger->debug('API call: '.$procedure);
-    }
-}
diff --git a/app/Api/Middleware/AuthenticationMiddleware.php b/app/Api/Middleware/AuthenticationMiddleware.php
new file mode 100644
index 00000000..8e309593
--- /dev/null
+++ b/app/Api/Middleware/AuthenticationMiddleware.php
@@ -0,0 +1,82 @@
+<?php
+
+namespace Kanboard\Api\Middleware;
+
+use JsonRPC\Exception\AccessDeniedException;
+use JsonRPC\Exception\AuthenticationFailureException;
+use JsonRPC\MiddlewareInterface;
+use Kanboard\Core\Base;
+
+/**
+ * Class AuthenticationApiMiddleware
+ *
+ * @package Kanboard\Api\Middleware
+ * @author  Frederic Guillot
+ */
+class AuthenticationMiddleware extends Base implements MiddlewareInterface
+{
+    /**
+     * Execute Middleware
+     *
+     * @access public
+     * @param  string $username
+     * @param  string $password
+     * @param  string $procedureName
+     * @throws AccessDeniedException
+     * @throws AuthenticationFailureException
+     */
+    public function execute($username, $password, $procedureName)
+    {
+        $this->dispatcher->dispatch('app.bootstrap');
+
+        if ($this->isUserAuthenticated($username, $password)) {
+            $this->userSession->initialize($this->userModel->getByUsername($username));
+        } elseif (! $this->isAppAuthenticated($username, $password)) {
+            $this->logger->error('API authentication failure for '.$username);
+            throw new AuthenticationFailureException('Wrong credentials');
+        }
+    }
+
+    /**
+     * Check user credentials
+     *
+     * @access public
+     * @param  string  $username
+     * @param  string  $password
+     * @return boolean
+     */
+    private function isUserAuthenticated($username, $password)
+    {
+        return $username !== 'jsonrpc' &&
+        ! $this->userLockingModel->isLocked($username) &&
+        $this->authenticationManager->passwordAuthentication($username, $password);
+    }
+
+    /**
+     * Check administrative credentials
+     *
+     * @access public
+     * @param  string  $username
+     * @param  string  $password
+     * @return boolean
+     */
+    private function isAppAuthenticated($username, $password)
+    {
+        return $username === 'jsonrpc' && $password === $this->getApiToken();
+    }
+
+    /**
+     * Get API Token
+     *
+     * @access private
+     * @return string
+     */
+    private function getApiToken()
+    {
+        if (defined('API_AUTHENTICATION_TOKEN')) {
+            return API_AUTHENTICATION_TOKEN;
+        }
+
+        return $this->configModel->get('api_token');
+    }
+}
-- 
cgit v1.2.3