Merge pull request #307 in ZP/z-push from...

Merge pull request #307 in ZP/z-push from bugfix/ZP-984-unable-to-list-folders-of-a-another to develop * commit '9c15015d': ZP-984 Check permissions to access the getUsers store only in in the WebserviceDevice webservice and not generally.

Merge pull request #307 in ZP/z-push from...
Merge pull request #307 in ZP/z-push from bugfix/ZP-984-unable-to-list-folders-of-a-another to develop * commit '9c15015d': ZP-984 Check permissions to access the getUsers store only in in the WebserviceDevice webservice and not generally.
f6051d9c · Sebastian Kummer · 47f92e17 · 9c15015d · f6051d9c · f6051d9c
Commit f6051d9c authored Jul 12, 2016 by Sebastian Kummer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 6 deletions

requestprocessor.php src/lib/request/requestprocessor.php +0 -4

webservice.php src/lib/webservice/webservice.php +4 -2

No files found.
--- a/src/lib/request/requestprocessor.php
+++ b/src/lib/request/requestprocessor.php
@@ -83,10 +83,6 @@ abstract class RequestProcessor {
        // mark this request as "authenticated"
        self::$userIsAuthenticated = true;
-        // check Auth-User's permissions on GETUser's store
-        if($backend->Setup(Request::GetGETUser(), true) == false)
-            throw new AuthenticationRequiredException(sprintf("Not enough privileges of '%s' to setup for user '%s': Permission denied", Request::GetAuthUser(), Request::GetGETUser()));
    }
    /**

--- a/src/lib/webservice/webservice.php
+++ b/src/lib/webservice/webservice.php
@@ -66,15 +66,17 @@ class Webservice {
        // the webservice command is handled by its class
        if ($commandCode == ZPush::COMMAND_WEBSERVICE_DEVICE) {
+            // check if the authUser has admin permissions to get data on the GETUser's device
+            if(ZPush::GetBackend()->Setup(Request::GetGETUser(), true) == false)
+                throw new AuthenticationRequiredException(sprintf("Not enough privileges of '%s' to setup for user '%s': Permission denied", Request::GetAuthUser(), Request::GetGETUser()));
            ZLog::Write(LOGLEVEL_DEBUG, sprintf("Webservice::HandleWebservice('%s'): executing WebserviceDevice service", $commandCode));
            $this->server->setClass("WebserviceDevice");
        }
-        // the webservice command is handled by its class
        else if ($commandCode == ZPush::COMMAND_WEBSERVICE_INFO) {
            ZLog::Write(LOGLEVEL_DEBUG, sprintf("Webservice::HandleWebservice('%s'): executing WebserviceInfo service", $commandCode));
            $this->server->setClass("WebserviceInfo");
        }
-        // the webservice command is handled by its class
        else if ($commandCode == ZPush::COMMAND_WEBSERVICE_USERS) {
            if (!defined("ALLOW_WEBSERVICE_USERS_ACCESS") || ALLOW_WEBSERVICE_USERS_ACCESS !== true)
                throw new HTTPReturnCodeException("Access to the WebserviceUsers service is disabled in configuration. Enable setting ALLOW_WEBSERVICE_USERS_ACCESS", 403);