ZP-984 Check permissions to access the getUsers store only in in the

WebserviceDevice webservice and not generally. Released under the Affero GNU General Public License (AGPL) version 3.

ZP-984 Check permissions to access the getUsers store only in in the
WebserviceDevice webservice and not generally. Released under the Affero GNU General Public License (AGPL) version 3.
9c15015d · Sebastian Kummer · 816b06b3 · 9c15015d · 9c15015d
Commit 9c15015d authored Jul 12, 2016 by Sebastian Kummer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 6 deletions

requestprocessor.php src/lib/request/requestprocessor.php +0 -4

webservice.php src/lib/webservice/webservice.php +4 -2

No files found.
--- a/src/lib/request/requestprocessor.php
+++ b/src/lib/request/requestprocessor.php
@@ -83,10 +83,6 @@ abstract class RequestProcessor {
        // mark this request as "authenticated"
        self::$userIsAuthenticated = true;
-        // check Auth-User's permissions on GETUser's store
-        if($backend->Setup(Request::GetGETUser(), true) == false)
-            throw new AuthenticationRequiredException(sprintf("Not enough privileges of '%s' to setup for user '%s': Permission denied", Request::GetAuthUser(), Request::GetGETUser()));
    }
    /**

--- a/src/lib/webservice/webservice.php
+++ b/src/lib/webservice/webservice.php
@@ -66,15 +66,17 @@ class Webservice {
        // the webservice command is handled by its class
        if ($commandCode == ZPush::COMMAND_WEBSERVICE_DEVICE) {
+            // check if the authUser has admin permissions to get data on the GETUser's device
+            if(ZPush::GetBackend()->Setup(Request::GetGETUser(), true) == false)
+                throw new AuthenticationRequiredException(sprintf("Not enough privileges of '%s' to setup for user '%s': Permission denied", Request::GetAuthUser(), Request::GetGETUser()));
            ZLog::Write(LOGLEVEL_DEBUG, sprintf("Webservice::HandleWebservice('%s'): executing WebserviceDevice service", $commandCode));
            $this->server->setClass("WebserviceDevice");
        }
-        // the webservice command is handled by its class
        else if ($commandCode == ZPush::COMMAND_WEBSERVICE_INFO) {
            ZLog::Write(LOGLEVEL_DEBUG, sprintf("Webservice::HandleWebservice('%s'): executing WebserviceInfo service", $commandCode));
            $this->server->setClass("WebserviceInfo");
        }
-        // the webservice command is handled by its class
        else if ($commandCode == ZPush::COMMAND_WEBSERVICE_USERS) {
            if (!defined("ALLOW_WEBSERVICE_USERS_ACCESS") || ALLOW_WEBSERVICE_USERS_ACCESS !== true)
                throw new HTTPReturnCodeException("Access to the WebserviceUsers service is disabled in configuration. Enable setting ALLOW_WEBSERVICE_USERS_ACCESS", 403);