From 1a0a81251900a647a96700f4aeaa098fd1192f3a Mon Sep 17 00:00:00 2001
From: Pierre
Date: Sat, 16 Dec 2017 15:30:04 +0100
Subject: [PATCH] Can check if a user is allowed to access other user informations
---
 RestControllers/userController.php | 21 ++++++++++++++++++++
 classes/components/user.php | 31 +++++++++++++++++++++++++++++-
 functions/user.php | 28 +++++++++++++++++++++------
 3 files changed, 73 insertions(+), 7 deletions(-)
diff --git a/RestControllers/userController.php b/RestControllers/userController.php
index 2c13033..4c89044 100644
--- a/RestControllers/userController.php
+++ b/RestControllers/userController.php
@@ -110,6 +110,27 @@ class userController
 return $userInfos;
 }
+ /**
+ * Get advanced user informations
+ *
+ * @url POST /user/getAdvancedUserInfos
+ */
+ public function getAdvancedInfos(){
+
+ //Get the ID of the target user
+ if(!isset($_POST["userID"]))
+ Rest_fatal_error(400, "Please specify a user ID!");
+
+ $userID = toInt($_POST["userID"]);
+
+ //Check if the user is allowed to get advanced user infromations
+ if(!CS::get()->components->user->userAllowed(userID, $userID))
+ Rest_fatal_error(401, "You are not allowed to access these information !");
+
+ echo "ok";
+
+ }
+
 /**
 * Get current user infos using tokens
 *
diff --git a/classes/components/user.php b/classes/components/user.php
index 5ae7136..dd89a22 100644
--- a/classes/components/user.php
+++ b/classes/components/user.php
@@ -337,7 +337,7 @@ class User{
 * - 1 : The page is public (for signed in users)
 * - 2 : The page is open (for everyone)
 */
- public function getUserVisibilty(int $userID) : int {
+ public function getVisibilty(int $userID) : int {
 //Perform a request on the database
 $tableName = $this->userTable;
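Review bot: `userAllowed(userID, $userID)` in getAdvancedInfos reads the bare constant `userID`, which the functions/user.php hunk of this same patch shows is only defined for signed-in requests; for an anonymous POST the undefined constant does not become the `0` that userAllowed documents as "no user", so the request ends in a PHP error (undefined-constant or TypeError depending on the PHP version) instead of the intended 401. Routing the requester ID through the new helper, `$requesterID = user_signed_in() ? userID : 0;` and `if(!CS::get()->components->user->userAllowed($requesterID, $userID))`, keeps the check fail-closed and reaches the documented branch. The `echo "ok";` on the last lines looks like a placeholder: the endpoint currently reveals only whether access would be granted and returns no user data, so the method should either be completed or marked as work in progress in its docblock. A signed-in caller who is refused is arguably a 403 rather than a 401, since the 401 text is otherwise used for "not logged in".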
@@ -372,6 +372,35 @@ class User{
 return 2; //Public page
 }
+
+ /**
+ * Check if a user is allowed to access another user page content
+ *
+ * @param $userID The ID of the user attempting to get user informations (0 = no user)
+ * @param $targetUser Target user for the research
+ * @return TRUE if the user is allowed to see the page / FALSE else
+ */
+ public function userAllowed(int $userID, int $targetUser) : bool {
+
+ //Get the visibility level of the page
+ $visibility = $this->getVisibilty($targetUser);
+
+ //Check if the page is public
+ if($visibility == 3)
+ return true;
+
+ if($userID == 0)
+ return false;
+
+ if($visibility == 2)
+ return true;
+
+ if(CS::get()->components->friends->are_friend($userID, $targetUser))
+ return true;
+ else
+ return false;
+
+ }
 /**
diff --git a/functions/user.php b/functions/user.php
index 789c008..44d7651 100644
--- a/functions/user.php
+++ b/functions/user.php
@@ -11,15 +11,31 @@
 *
 * @return Boolean True for a success
 */
-function user_login_required(){
-    if(!defined("userID")){
+function user_login_required() : bool{
+    if(!user_signed_in()){
 Rest_fatal_error(401, "This function requires user to be logged in!");
 }
-    //Check if userID is the number 0
-    if(userID == 0)
-        Rest_fatal_error(401, "This function requires user to be logged in!");
-
 //User logged in
 return true;
+}
+
+/**
+ * Check wether the user is signed in or not
+ *
+ * @return TRUE if user is signed in / FALSE else
+ */
+function user_signed_in() : bool {
+
+ //Check constant
+ if(!defined("userID"))
+ return false;
+
+ //Check user ID
+ if(userID == 0)
+ return false;
+
+ //User seems to be signed in
+ return true;
+
 }
\ No newline at end of file
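Review bot: The level checks in userAllowed do not match the scale getVisibilty documents in the previous hunk of this file (1 = public for signed-in users, 2 = open for everyone) nor its `return 2; //Public page` context line here: `$visibility == 3` is never produced, so anonymous callers are always refused even for open pages, and level-1 pages fall through to the friendship check instead of being granted to any signed-in user. The mistake is fail-closed, so nothing is over-exposed, but the new endpoint cannot work as documented. Comparing against the documented values, with the open-page test before the anonymous-user test, fixes this; if a user viewing their own page is meant to pass, `$userID == $targetUser` also needs to be granted explicitly, as I cannot tell from here whether are_friend covers that case. Class constants (or an enum, if the PHP version allows) for the three levels would stop the two methods from drifting apart again, and the `==` comparisons against an `int` return are better written `===`.

```php
    public function userAllowed(int $userID, int $targetUser) : bool {

        //Get the visibility level of the page
        $visibility = $this->getVisibilty($targetUser);

        //Open page (level 2 in getVisibilty's documentation): anyone may read it
        if($visibility === 2)
            return true;

        //Every remaining level requires a signed-in user
        if($userID === 0)
            return false;

        //Public page (level 1): any signed-in user
        if($visibility === 1)
            return true;

        //Remaining level(s): friends only
        return CS::get()->components->friends->are_friend($userID, $targetUser);
    }
```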
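Review bot: `userID == 0` in user_signed_in compares the constant loosely; the definition site of `userID` is outside this patch, and if it is ever defined from a string, `'abc' == 0` is true on PHP 7 and false on PHP 8, so the signed-in decision would change with the runtime. A strict check states the expected type and is version-independent, e.g. `if(!is_int(userID) || userID <= 0) return false;` — assuming negative IDs are not valid users, which I cannot confirm from here. The docblock also says "wether" for "whether", and user_login_required still advertises `@return Boolean True for a success` although it can only return true or terminate the request through Rest_fatal_error, which is worth stating in its docblock. user_login_required's docblock begins before this hunk.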