authorramon <ramongomez@us.es>2017-02-14 10:28:28 +0000
committerramon <ramongomez@us.es>2017-02-14 10:28:28 +0000
commit18391d1fea1d04dc95b21b4ca84f3c18f33893c9 (patch)
treee10193cc131ea89600cab8e086ff227b6deb1b45
parent6963f4203933d6ec0303beea1ddb0f9ef0bb5c89 (diff)
708: Aplicando seguridad a algunas rutas REST para que el usuario solo pueda ver datos de su UO y soportar rutas terminadas en el carácter "/".
git-svn-id: https://opengnsys.es/svn/branches/version1.1@5190 a21b9725-9963-47de-94b9-378ad31fedc9
-rw-r--r--admin/WebConsole/rest/server.php153
1 files changed, 88 insertions, 65 deletions
diff --git a/admin/WebConsole/rest/server.php b/admin/WebConsole/rest/server.php
index 4b275870..5f873098 100644
--- a/admin/WebConsole/rest/server.php
+++ b/admin/WebConsole/rest/server.php
@@ -129,7 +129,7 @@ $app->post('/login',
* @param no
* @return JSON array with id. and name for every defined OU
*/
-$app->get('/ous', function() {
+$app->get('/ous(/)', function() {
global $cmd;
$cmd->texto = "SELECT * FROM centros";
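Review bot: The `/ous(/)` route on the `$app->get` line is still registered without the `validateApiKey` middleware that `/ous/:ouid(/)` and the other routes touched by this commit use, so the complete OU list remains readable without an API key even though the commit's stated goal is to limit each user to their own OU's data. If the unauthenticated listing is deliberate (for example so a client can choose an OU before logging in), a line in the docblock above saying so would stop the next reader from flagging it; otherwise add the middleware: `$app->get('/ous(/)', 'validateApiKey', function() {`. The closure continues past the end of the hunk.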
@@ -156,17 +156,27 @@ $app->get('/ous', function() {
* @param id OU id.
* @return JSON string with OU's parameters
*/
-$app->get('/ous/:ouid', 'validateApiKey',
+$app->get('/ous/:ouid(/)', 'validateApiKey',
function($ouid) {
global $cmd;
+ global $userid;
$ouid = htmlspecialchars($ouid);
- $cmd->texto = "SELECT * FROM centros WHERE idcentro='$ouid';";
+ // Show OU information if user is OU's admin.
+ $cmd->texto = <<<EOD
+SELECT *
+ FROM centros
+ RIGHT JOIN administradores_centros USING(idcentro)
+ WHERE administradores_centros.idadministradorcentro = '$userid'
+ AND centros.idcentro = '$ouid'
+ LIMIT 1;
+EOD;
$rs=new Recordset;
$rs->Comando=&$cmd;
if (!$rs->Abrir()) return(false); // Error al abrir recordset
$rs->Primero();
- if (checkParameter($rs->campos["nombrecentro"])) {
+ if (checkAdmin($rs->campos["idadministradorcentro"]) and
+ checkParameter($rs->campos["idcentro"])) {
$response['id'] = $ouid;
$response['name'] = $rs->campos["nombrecentro"];
$response['description'] = $rs->campos["comentarios"];
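Review bot: The new heredoc query interpolates `$ouid` and `$userid` directly into SQL string literals, and the only treatment `$ouid` receives is `htmlspecialchars()`, which is an HTML escaper: with its pre-8.1 default flags it rewrites `<`, `>`, `&` and the double quote but leaves a single quote untouched, so it gives the `'$ouid'` literal no protection at all. The same construction is repeated at L95 (groups route) and L152 (labs route), so whatever fix is chosen should be applied in all three places. If `idcentro` is a numeric column, the smallest change is to build the query from a cast copy, `$ouidSql = (int) $ouid;` and interpolate `'$ouidSql'` (leaving `$ouid` untouched keeps `$response['id']` a string as before); otherwise route both values through whatever parameter binding or escaping the `Recordset`/`$cmd` layer provides instead of string interpolation. `$userid` is set outside this hunk, presumably by `validateApiKey`, so its provenance should be confirmed there as well.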
@@ -176,39 +186,50 @@ $app->get('/ous/:ouid', 'validateApiKey',
}
);
-// Listar grupos.
-$app->get('/ous/:ouid/groups', 'validateApiKey', function($ouid) {
+/**
+ * @brief List group of labs in an Organizational Unit
+ * @note Route: /ous/id/groups, Method: GET
+ * @param id OU id.
+ * @return JSON array of OU groups
+ */
+$app->get('/ous/:ouid/groups(/)', 'validateApiKey', function($ouid) {
global $cmd;
global $userid;
$ouid = htmlspecialchars($ouid);
- if(checkAdmin($userid, $ouid) == true){
- // Listar las salas de la UO si el usuario de la apikey es su admin.
- // Consulta temporal,
- $cmd->texto = "SELECT * FROM grupos WHERE idcentro='$ouid';";
- $rs=new Recordset;
- $rs->Comando=&$cmd;
- if (!$rs->Abrir()) return(false); // Error al abrir recordset
- $rs->Primero();
- // Comprobar que exista la UO.
- if (checkParameter($rs->campos["idcentro"])) {
- $response = array();
- while (!$rs->EOF) {
- $tmp = array();
- $tmp['id'] = $rs->campos["idgrupo"];
- $tmp['name'] = $rs->campos["nombregrupo"];
- $tmp['type'] = $rs->campos["tipo"];
- $tmp['comments'] = $rs->campos["comentarios"];
+ // List group of labs if user is OU's admin.
+ $cmd->texto = <<<EOD
+SELECT adm.idadministradorcentro, grupos.*
+ FROM grupos
+ RIGHT JOIN administradores_centros AS adm USING(idcentro)
+ WHERE adm.idadministradorcentro = '$userid'
+ AND idcentro='$ouid';
+EOD;
+ $rs=new Recordset;
+ $rs->Comando=&$cmd;
+ if (!$rs->Abrir()) return(false); // Error al abrir recordset
+ $rs->Primero();
+ // Check if user is an UO admin.
+ if (checkAdmin($rs->campos["idadministradorcentro"])) {
+ $response = array();
+ // Read data.
+ if (! is_null($rs->campos["idcentro"])) {
+ while (!$rs->EOF) {
+ $tmp = array();
+ $tmp['id'] = $rs->campos["idgrupo"];
+ $tmp['name'] = $rs->campos["nombregrupo"];
+ $tmp['type'] = $rs->campos["tipo"];
+ $tmp['comments'] = $rs->campos["comentarios"];
if($rs->campos["grupoid"] != 0){
$tmp['parent']['id'] = $rs->campos["grupoid"];
}
array_push($response, $tmp);
$rs->Siguiente();
}
- jsonResponse(200, $response);
}
- $rs->Cerrar();
+ jsonResponse(200, $response);
}
+ $rs->Cerrar();
}
);
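Review bot: When `checkAdmin($rs->campos["idadministradorcentro"])` evaluates false the closure just falls through: no `jsonResponse()` is emitted on that path, so unless `checkAdmin()` itself answers the request (its body is not in this diff) a caller who does not administer the OU receives an empty reply with whatever default status the framework applies; the labs route at L162 has the same shape. If `checkAdmin()` does send the error, a short comment on that line, e.g. `// checkAdmin() emits the 403 response itself when the caller does not administer this OU.`, would make the contract visible to readers of this route; if it does not, an `else { jsonResponse(403, array('message' => 'Cannot access resource')); }` branch is needed. Note also that `$ouid` is interpolated into the query on the `AND idcentro='$ouid';` line after only `htmlspecialchars()`, which is discussed in the `/ous/:ouid(/)` hunk above.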
@@ -216,69 +237,71 @@ $app->get('/ous/:ouid/groups', 'validateApiKey', function($ouid) {
* @brief List all labs defined in an OU
* @note Route: /ous/id/labs, Method: GET
* @param id OU id.
- * @return JSON string with all UO's labs parameters
+ * @return JSON array of all UO's labs data
*/
-$app->get('/ous/:ouid/labs', 'validateApiKey',
+$app->get('/ous/:ouid/labs(/)', 'validateApiKey',
function($ouid) {
global $userid;
global $cmd;
- global $rs;
$ouid = htmlspecialchars($ouid);
- // Listar las salas de la UO si el usuario de la apikey es su admin.
+ // Query: all labs in the UO if user is admin.
$cmd->texto = <<<EOD
-SELECT aulas.*, adm.idadministradorcentro, grp.idgrupo AS group_id,
+SELECT adm.idadministradorcentro, aulas.*, grp.idgrupo AS group_id,
grp.nombregrupoordenador, grp.grupoid AS group_group_id, grp.comentarios
FROM aulas
RIGHT JOIN administradores_centros AS adm USING(idcentro)
RIGHT JOIN usuarios USING(idusuario)
LEFT JOIN gruposordenadores AS grp USING(idaula)
- WHERE idcentro='$ouid' AND adm.idadministradorcentro = '$userid'
+ WHERE adm.idadministradorcentro = '$userid'
+ AND idcentro='$ouid'
ORDER BY aulas.idaula, grp.idgrupo
EOD;
$rs=new Recordset;
$rs->Comando=&$cmd;
if (!$rs->Abrir()) return(false); // Error opening recordset.
- // Comprobar que exista la UO y que el usuario sea su administrador.
+ // Check if user is an UO admin.
$rs->Primero();
- if (checkParameter($rs->campos["idcentro"]) and checkAdmin($rs->campos["idadministradorcentro"])) {
+ if (checkAdmin($rs->campos["idadministradorcentro"])) {
$response = array();
- while (!$rs->EOF) {
- // En los resultados las aulas vienen repetidas tantas veces como grupos tengan, solo dejamos uno
- $classroomIndex = -1;
- $found=false;
- $index = 0;
- while(!$found && $index < count($response)){
- if(isset($response[$index]["id"]) && $response[$index]["id"] == $rs->campos["idaula"]){
- $classroomIndex = $index;
- $found = true;
+ if (! is_null($rs->campos["idcentro"])) {
+ while (!$rs->EOF) {
+ // En los resultados las aulas vienen repetidas tantas veces como grupos tengan, solo dejamos uno
+ $classroomIndex = -1;
+ $found=false;
+ $index = 0;
+ while(!$found && $index < count($response)){
+ if(isset($response[$index]["id"]) && $response[$index]["id"] == $rs->campos["idaula"]){
+ $classroomIndex = $index;
+ $found = true;
+ }
+ $index++;
}
- $index++;
- }
- if(!$found){
- $tmp = array();
- $tmp['id'] = $rs->campos["idaula"];
- $tmp['name'] = $rs->campos["nombreaula"];
- $tmp['inremotepc'] = $rs->campos["inremotepc"]==0 ? false: true;
- $tmp['group']['id'] = $rs->campos["grupoid"];
- $tmp['ou']['id'] = $ouid;
- array_push($response, $tmp);
- }
- else{
- // Le añadimos el grupo en cuestion siempre que no sea un subgrupo
- if($rs->campos["group_group_id"] == 0){
- array_push($response[$classroomIndex]['classroomGroups'],
- array("id" => $rs->campos["group_id"],
- "name" => $rs->campos["nombregrupoordenador"],
- "comments" => $rs->campos["comentarios"],
- "classroomGroups" => array()));
+ if(!$found){
+ $tmp = array();
+ $tmp['id'] = $rs->campos["idaula"];
+ $tmp['name'] = $rs->campos["nombreaula"];
+ $tmp['inremotepc'] = $rs->campos["inremotepc"]==0 ? false: true;
+ $tmp['group']['id'] = $rs->campos["grupoid"];
+ $tmp['ou']['id'] = $ouid;
+ array_push($response, $tmp);
}
- else {
- // Buscamos el grupo donde añadir el grupo
- addClassroomGroup($response[$classroomIndex]['classroomGroups'], $rs);
+ else{
+ // Le añadimos el grupo en cuestion siempre que no sea un subgrupo
+ if($rs->campos["group_group_id"] == 0){
+ array_push($response[$classroomIndex]['classroomGroups'],
+ array("id" => $rs->campos["group_id"],
+ "name" => $rs->campos["nombregrupoordenador"],
+ "comments" => $rs->campos["comentarios"],
+ "classroomGroups" => array()));
+ }
+ else {
+ // Buscamos el grupo donde añadir el grupo
+ addClassroomGroup($response[$classroomIndex]['classroomGroups'], $rs);
+ }
}
+ $rs->Siguiente();
}
- $rs->Siguiente();
}
jsonResponse(200, $response);
}
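Review bot: In the `if(!$found)` branch the new lab entry `$tmp` is built without a `classroomGroups` key, yet the `else` branch calls `array_push($response[$classroomIndex]['classroomGroups'], ...)`, so as far as this hunk shows that push targets an entry that was never initialised (`array_push()` on a null value fails with a warning on PHP 7 and a TypeError on PHP 8), and the computer-group columns that each lab's first row carries from the `LEFT JOIN gruposordenadores` (`group_id`, `nombregrupoordenador`, `group_group_id`) are never attached to the lab at all — the comment above the scan says only the duplicated lab should be skipped, not its group. I would initialise `classroomGroups` when the lab entry is created, record its index, and then run the group-attachment logic for every row whose `group_id` is not null (a lab without groups yields NULL there because of the LEFT JOIN), as sketched below; please confirm against `addClassroomGroup()`, which is outside the diff. The linear scan over `$response` to locate the lab could separately become a lookup in an array keyed by `idaula`. The enclosing closure ends after the last line of the hunk.

```php
                // … unchanged: scan of $response for an existing entry with this idaula …
                if(!$found){
                    $tmp = array();
                    $tmp['id'] = $rs->campos["idaula"];
                    $tmp['name'] = $rs->campos["nombreaula"];
                    $tmp['inremotepc'] = $rs->campos["inremotepc"]==0 ? false: true;
                    $tmp['group']['id'] = $rs->campos["grupoid"];
                    $tmp['ou']['id'] = $ouid;
                    $tmp['classroomGroups'] = array();
                    array_push($response, $tmp);
                    $classroomIndex = count($response) - 1;
                }
                // Attach this row's computer group (if any) to the lab, whether the lab
                // entry was just created or found earlier; group_id is NULL for labs
                // without groups because of the LEFT JOIN.
                if (! is_null($rs->campos["group_id"])) {
                    if($rs->campos["group_group_id"] == 0){
                        array_push($response[$classroomIndex]['classroomGroups'],
                            array("id" => $rs->campos["group_id"],
                                  "name" => $rs->campos["nombregrupoordenador"],
                                  "comments" => $rs->campos["comentarios"],
                                  "classroomGroups" => array()));
                    }
                    else {
                        // Find the parent group to add this subgroup to.
                        addClassroomGroup($response[$classroomIndex]['classroomGroups'], $rs);
                    }
                }
                $rs->Siguiente();
```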