From b69eb5f99350a378387ab1f711d4fbe3bb3bddab Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sun, 29 May 2016 20:12:02 -0400 Subject: Update JsonRPC library and API --- app/Api/AuthApi.php | 82 ------------- app/Api/BaseApi.php | 45 ------- app/Api/Middleware/AuthenticationApiMiddleware.php | 130 +++++++++++++++++++++ 3 files changed, 130 insertions(+), 127 deletions(-) delete mode 100644 app/Api/AuthApi.php create mode 100644 app/Api/Middleware/AuthenticationApiMiddleware.php (limited to 'app/Api') diff --git a/app/Api/AuthApi.php b/app/Api/AuthApi.php deleted file mode 100644 index 1cbce5ae..00000000 --- a/app/Api/AuthApi.php +++ /dev/null @@ -1,82 +0,0 @@ -dispatcher->dispatch('app.bootstrap'); - - if ($this->isUserAuthenticated($username, $password)) { - $this->checkProcedurePermission(true, $method); - $this->userSession->initialize($this->userModel->getByUsername($username)); - } elseif ($this->isAppAuthenticated($username, $password)) { - $this->checkProcedurePermission(false, $method); - } else { - $this->logger->error('API authentication failure for '.$username); - throw new AuthenticationFailureException('Wrong credentials'); - } - } - - /** - * Check user credentials - * - * @access public - * @param string $username - * @param string $password - * @return boolean - */ - private function isUserAuthenticated($username, $password) - { - return $username !== 'jsonrpc' && - ! $this->userLockingModel->isLocked($username) && - $this->authenticationManager->passwordAuthentication($username, $password); - } - - /** - * Check administrative credentials - * - * @access public - * @param string $username - * @param string $password - * @return boolean - */ - private function isAppAuthenticated($username, $password) - { - return $username === 'jsonrpc' && $password === $this->getApiToken(); - } - - /** - * Get API Token - * - * @access private - * @return string - */ - private function getApiToken() - { - if (defined('API_AUTHENTICATION_TOKEN')) { - return API_AUTHENTICATION_TOKEN; - } - - return $this->configModel->get('api_token'); - } -} diff --git a/app/Api/BaseApi.php b/app/Api/BaseApi.php index ae41e5b5..9f69aa65 100644 --- a/app/Api/BaseApi.php +++ b/app/Api/BaseApi.php @@ -13,51 +13,6 @@ use Kanboard\Core\Base; */ abstract class BaseApi extends Base { - private $user_allowed_procedures = array( - 'getMe', - 'getMyDashboard', - 'getMyActivityStream', - 'createMyPrivateProject', - 'getMyProjectsList', - 'getMyProjects', - 'getMyOverdueTasks', - ); - - private $both_allowed_procedures = array( - 'getTimezone', - 'getVersion', - 'getDefaultTaskColor', - 'getDefaultTaskColors', - 'getColorList', - 'getProjectById', - 'getTask', - 'getTaskByReference', - 'getAllTasks', - 'openTask', - 'closeTask', - 'moveTaskPosition', - 'createTask', - 'updateTask', - 'getBoard', - 'getProjectActivity', - 'getOverdueTasksByProject', - 'searchTasks', - ); - - public function checkProcedurePermission($is_user, $procedure) - { - $is_both_procedure = in_array($procedure, $this->both_allowed_procedures); - $is_user_procedure = in_array($procedure, $this->user_allowed_procedures); - - if ($is_user && ! $is_both_procedure && ! $is_user_procedure) { - throw new AccessDeniedException('Permission denied'); - } elseif (! $is_user && ! $is_both_procedure && $is_user_procedure) { - throw new AccessDeniedException('Permission denied'); - } - - $this->logger->debug('API call: '.$procedure); - } - public function checkProjectPermission($project_id) { if ($this->userSession->isLogged() && ! $this->projectPermissionModel->isUserAllowed($project_id, $this->userSession->getId())) { diff --git a/app/Api/Middleware/AuthenticationApiMiddleware.php b/app/Api/Middleware/AuthenticationApiMiddleware.php new file mode 100644 index 00000000..5f63e1a1 --- /dev/null +++ b/app/Api/Middleware/AuthenticationApiMiddleware.php @@ -0,0 +1,130 @@ +dispatcher->dispatch('app.bootstrap'); + + if ($this->isUserAuthenticated($username, $password)) { + $this->checkProcedurePermission(true, $procedureName); + $this->userSession->initialize($this->userModel->getByUsername($username)); + } elseif ($this->isAppAuthenticated($username, $password)) { + $this->checkProcedurePermission(false, $procedureName); + } else { + $this->logger->error('API authentication failure for '.$username); + throw new AuthenticationFailureException('Wrong credentials'); + } + } + + /** + * Check user credentials + * + * @access public + * @param string $username + * @param string $password + * @return boolean + */ + private function isUserAuthenticated($username, $password) + { + return $username !== 'jsonrpc' && + ! $this->userLockingModel->isLocked($username) && + $this->authenticationManager->passwordAuthentication($username, $password); + } + + /** + * Check administrative credentials + * + * @access public + * @param string $username + * @param string $password + * @return boolean + */ + private function isAppAuthenticated($username, $password) + { + return $username === 'jsonrpc' && $password === $this->getApiToken(); + } + + /** + * Get API Token + * + * @access private + * @return string + */ + private function getApiToken() + { + if (defined('API_AUTHENTICATION_TOKEN')) { + return API_AUTHENTICATION_TOKEN; + } + + return $this->configModel->get('api_token'); + } + + public function checkProcedurePermission($is_user, $procedure) + { + $is_both_procedure = in_array($procedure, $this->both_allowed_procedures); + $is_user_procedure = in_array($procedure, $this->user_allowed_procedures); + + if ($is_user && ! $is_both_procedure && ! $is_user_procedure) { + throw new AccessDeniedException('Permission denied'); + } elseif (! $is_user && ! $is_both_procedure && $is_user_procedure) { + throw new AccessDeniedException('Permission denied'); + } + + $this->logger->debug('API call: '.$procedure); + } +} -- cgit v1.2.3