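<?php
/*
 * Copyright 2016 Lukas Metzger <developer@lukas-metzger.com>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
require_once '../config/config-default.php';
require_once '../lib/database.php';
require_once '../lib/session.php';

/*
 * Endpoint managing the "remote" credentials (passwords and keys) attached to a
 * DNS record. It reads a JSON body from php://input, checks the CSRF token and
 * the caller's permission on $input->record, runs exactly one action selected
 * by $input->action and echoes the result as JSON ("{}" when there is none).
 *
 * Every permission-scoped action (changePassword, changeKey, getKey,
 * deletePermission) is restricted to remote rows belonging to the record that
 * was authorised above, so a caller cannot reach rows of other records by
 * supplying a foreign "permission" id.
 *
 * NOTE(review): $db (PDO) and the started session are assumed to come from the
 * required lib files — confirm there.
 */

$input = json_decode(file_get_contents('php://input'));

// CSRF check: token must be present in both the request and the session and match exactly.
if (!isset($input->csrfToken) || !isset($_SESSION['csrfToken'])
        || $input->csrfToken !== $_SESSION['csrfToken']) {
    echo "Permission denied!";
    exit();
}

// Permission check: the request must name a record the user may access
// (through the permissions table) unless the user is an admin.
if (!isset($input->record)) {
    echo "Permission denied!";
    exit();
}
$permquery = $db->prepare("SELECT COUNT(*) FROM records JOIN permissions ON records.domain_id=permissions.domain WHERE userid=:user AND records.id=:id");
$permquery->bindValue(':user', $_SESSION['id'], PDO::PARAM_INT);
$permquery->bindValue(':id', $input->record, PDO::PARAM_INT);
$permquery->execute();
$isAdmin = isset($_SESSION['type']) && $_SESSION['type'] === "admin";
if ($permquery->fetchColumn() < 1 && !$isAdmin) {
    echo "Permission denied!";
    exit();
}

// Only a string action can select a branch; a non-string (e.g. 0) must never
// loosely compare equal to an action name.
$action = (isset($input->action) && is_string($input->action)) ? $input->action : '';

switch ($action) {
    // List credentials of the record (never returns the security column).
    case "getPermissions":
        $stmt = $db->prepare("SELECT id, description, type FROM remote WHERE record=:record");
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->execute();
        $retval = $stmt->fetchAll(PDO::FETCH_OBJ);
        break;

    // Add a password credential; only the hash is stored.
    case "addPassword":
        if (!isset($input->password)) {
            break;
        }
        $passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
        $stmt = $db->prepare("INSERT INTO remote(record,description,type,security) VALUES (:record,:description,'password',:security)");
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
        $stmt->bindValue(':security', $passwordHash, PDO::PARAM_STR);
        $stmt->execute();
        break;

    // Add a key credential; the key is stored as submitted (getKey reads it back).
    case "addKey":
        $stmt = $db->prepare("INSERT INTO remote(record,description,type,security) VALUES (:record,:description,'key',:security)");
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
        $stmt->bindValue(':security', $input->key, PDO::PARAM_STR);
        $stmt->execute();
        break;

    // Update description and, when a new password is given, the hash as well.
    case "changePassword":
        if (isset($input->password)) {
            $passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
            $stmt = $db->prepare("UPDATE remote SET description=:description,security=:security WHERE id=:id AND record=:record");
            $stmt->bindValue(':security', $passwordHash, PDO::PARAM_STR);
        } else {
            $stmt = $db->prepare("UPDATE remote SET description=:description WHERE id=:id AND record=:record");
        }
        $stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
        $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->execute();
        break;

    // Update description and key of a key credential.
    case "changeKey":
        $stmt = $db->prepare("UPDATE remote SET description=:description,security=:security WHERE id=:id AND record=:record");
        $stmt->bindValue(':description', $input->description, PDO::PARAM_STR);
        $stmt->bindValue(':security', $input->key, PDO::PARAM_STR);
        $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->execute();
        break;

    // Return the stored key of a key credential ('key' is false when no row matches).
    case "getKey":
        $stmt = $db->prepare("SELECT security FROM remote WHERE id=:id AND record=:record AND type='key' LIMIT 1");
        $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->execute();
        $retval = ['key' => $stmt->fetchColumn()];
        break;

    // Remove a credential of the record.
    case "deletePermission":
        $stmt = $db->prepare("DELETE FROM remote WHERE id=:id AND record=:record");
        $stmt->bindValue(':id', $input->permission, PDO::PARAM_INT);
        $stmt->bindValue(':record', $input->record, PDO::PARAM_INT);
        $stmt->execute();
        break;
}

if (isset($retval)) {
    echo json_encode($retval);
} else {
    echo "{}";
}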