lychee/php/Access/Guest.php
Nils Asmussen 21b2f587d5 Detect accesses to admin functions by guests.
This commit detects accesses to admin functions when the user is a guest
and returns a corresponding error. This is now used to redirect the user
to the start page instead of "non-existing function". It has the
advantage that a bug in Lychee, that causes a non-existing function
to be called, can be spotted easier.
2016-08-20 11:50:24 +02:00

216 lines
4.6 KiB
PHP

<?php
namespace Lychee\Access;
use Lychee\Modules\Album;
use Lychee\Modules\Albums;
use Lychee\Modules\Photo;
use Lychee\Modules\Response;
use Lychee\Modules\Session;
use Lychee\Modules\Validator;
final class Guest extends Access {
public static function init($fn) {
switch ($fn) {
// Albums functions
case 'Albums::get': self::getAlbumsAction(); break;
// Album functions
case 'Album::get': self::getAlbumAction(); break;
case 'Album::getPublic': self::checkAlbumAccessAction(); break;
// Photo functions
case 'Photo::get': self::getPhotoAction(); break;
// Session functions
case 'Session::init': self::initAction(); break;
case 'Session::login': self::loginAction(); break;
case 'Session::logout': self::logoutAction(); break;
// $_GET functions
case 'Album::getArchive': self::getAlbumArchiveAction(); break;
case 'Photo::getArchive': self::getPhotoArchiveAction(); break;
// Admin functions
case 'Album::add':
case 'Album::setTitle':
case 'Album::setDescription':
case 'Album::setPublic':
case 'Album::delete':
case 'Album::merge':
case 'Photo::setTitle':
case 'Photo::setDescription':
case 'Photo::setStar':
case 'Photo::setPublic':
case 'Photo::setAlbum':
case 'Photo::setTags':
case 'Photo::duplicate':
case 'Photo::delete':
case 'Photo::add':
case 'Import::url':
case 'Import::server':
case 'search':
case 'Settings::setLogin':
case 'Settings::setSorting':
case 'Settings::setDropboxKey':
self::adminAction();
break;
}
self::fnNotFound();
}
private static function adminAction() {
Response::error('Function not available for guests.');
}
// Albums functions
private static function getAlbumsAction() {
$albums = new Albums();
Response::json($albums->get(true));
}
// Album functions
private static function getAlbumAction() {
Validator::required(isset($_POST['albumID'], $_POST['password']), __METHOD__);
$album = new Album($_POST['albumID']);
if ($album->getPublic()===true) {
// Album public
if ($album->checkPassword($_POST['password'])===true) Response::json($album->get());
else Response::warning('Wrong password!');
} else {
// Album private
Response::warning('Album private!');
}
}
private static function checkAlbumAccessAction() {
Validator::required(isset($_POST['albumID'], $_POST['password']), __METHOD__);
$album = new Album($_POST['albumID']);
if ($album->getPublic()===true) {
// Album public
if ($album->checkPassword($_POST['password'])===true) Response::json(true);
else Response::json(false);
} else {
// Album private
Response::json(false);
}
}
// Photo functions
private static function getPhotoAction() {
Validator::required(isset($_POST['photoID'], $_POST['albumID'], $_POST['password']), __METHOD__);
$photo = new Photo($_POST['photoID']);
$pgP = $photo->getPublic($_POST['password']);
if ($pgP===2) Response::json($photo->get($_POST['albumID']));
else if ($pgP===1) Response::warning('Wrong password!');
else if ($pgP===0) Response::warning('Photo private!');
}
// Session functions
private static function initAction() {
$session = new Session();
Response::json($session->init(true));
}
private static function loginAction() {
Validator::required(isset($_POST['user'], $_POST['password']), __METHOD__);
$session = new Session();
Response::json($session->login($_POST['user'], $_POST['password']));
}
private static function logoutAction() {
$session = new Session();
Response::json($session->logout());
}
// $_GET functions
private static function getAlbumArchiveAction() {
Validator::required(isset($_GET['albumID'], $_GET['password']), __METHOD__);
$album = new Album($_GET['albumID']);
if ($album->getPublic()&&$album->getDownloadable()) {
// Album Public
if ($album->checkPassword($_GET['password'])) $album->getArchive();
else Response::warning('Wrong password!');
} else {
// Album Private
Response::warning('Album private or not downloadable!');
}
}
private static function getPhotoArchiveAction() {
Validator::required(isset($_GET['photoID'], $_GET['password']), __METHOD__);
$photo = new Photo($_GET['photoID']);
$pgP = $photo->getPublic($_GET['password']);
// Photo Download
if ($pgP===2) {
// Photo Public
$photo->getArchive();
} else {
// Photo Private
Response::warning('Photo private or password incorrect!');
}
}
}
?>