diff --git a/frontend.pm b/frontend.pm
index e4e694d..f5cd2f9 100644
--- a/frontend.pm
+++ b/frontend.pm
@@ -297,6 +297,18 @@ sub sendBadRequest {
$aClient->send($response);
}
+sub sendUnauthorized {
+ my $aClient = $_[0];
+ my $aMessage = $_[1];
+
+ my $content = "
401 Unauthorized
irclogger_web
Error: $aMessage";
+ my $response = getBaseResponse(401, "Unauthorized");
+ $response.="Content-Type: text/html, charset=utf-8\r\n";
+ $response.="Content-Length: ".length($content)."\r\n\r\n";
+ $response.=$content;
+ $aClient->send($response);
+}
+
sub sendForbidden {
my $aClient = $_[0];
my $aMessage = $_[1];
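Review bot: The `Content-Type` header on line 17 separates the media type and charset with a comma; the parameter delimiter is a semicolon, so it should read `$response.="Content-Type: text/html; charset=utf-8\r\n";` (the same form appears to be copied from the neighbouring senders, so they may need the same fix). `$aMessage` is interpolated straight into the HTML body on lines 12–15; the only caller in this commit passes a fixed string, but any future caller that forwards request-derived text would reflect it unescaped, so escaping `&`, `<` and `>` here once would make the helper safe to reuse. `length($content)` counts characters, not bytes, so `Content-Length` would be short if the body ever contains non-ASCII text; with the declared charset, encoding the body to UTF-8 first and measuring that is the consistent choice.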
@@ -429,7 +441,7 @@ sub sendResponse {
my $aRequest = $_[1];
my $aConnection = $_[2];
- if($aRequest->{"version"} ne "HTTP/1.1") {
+ if($aRequest->{"version"} ne "HTTP/1.0" && $aRequest->{"version"} ne "HTTP/1.1") {
sendNotImplemented($aClient);
return;
}
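Review bot: Accepting HTTP/1.0 on line 30 changes the default connection semantics (1.0 closes after the response unless the client asked for keep-alive), and the hunk does not show whether the rest of sendResponse — which continues outside the hunk — still assumes 1.1 persistent connections; if it does, 1.0 clients may wait on a socket that never closes. A membership test would also keep the supported versions in one place: `my %supported = map { $_ => 1 } qw(HTTP/1.0 HTTP/1.1);` followed by `if(!$supported{$aRequest->{"version"}}) {`.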
diff --git a/frontend_routes.pm b/frontend_routes.pm
index d8988a8..656cb40 100644
--- a/frontend_routes.pm
+++ b/frontend_routes.pm
@@ -26,6 +26,35 @@ use feature qw(switch);
use strict;
use warnings;
+sub verifyChannelAccess {
+ my $aRequest = $_[0];
+ my $aClient = $_[1];
+ my $aConnection = $_[2];
+ my $aChannelID = $_[3];
+
+ if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) {
+ frontend::sendUnauthorized($aClient, "You need to log in to view this resource");
+ return 0;
+ }
+ my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}};
+ my $query = $aConnection->prepare(qq(select id, privileges from users where name=?;));
+ $query->execute($session->{"username"});
+ my @row = $query->fetchrow_array();
+ my $userID = $row[0];
+ my $privileges = $row[1];
+ if($privileges>0) {
+ return 1;
+ }
+ $query = $aConnection->prepare(qq(select user_id from accessors where channel_id=$aChannelID and user_id=$userID;));
+ $query->execute($session->{"username"});
+ @row = $query->fetchrow_array();
+ if(scalar(@row)==0) {
+ frontend::sendForbidden($aClient, "You don't have access to this channel logs");
+ return 0;
+ }
+ return 1;
+}
+
sub handlePath {
my $aClient = $_[0];
my $aPath = $_[1];
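Review bot: The accessors query on line 60 interpolates `$aChannelID` and `$userID` directly into the SQL while the users query on line 52 correctly uses a placeholder; `$aChannelID` appears to originate from the request path in handlePath, so this is an injection point in an access-control check, and the bound form costs nothing. The `execute($session->{"username"})` on line 61 then passes one bind value to a statement with no placeholders, which DBI rejects, so as written the check cannot succeed for non-privileged users. Lines 54–56 also do not handle the users query returning no row: `$privileges > 0` is false for undef and `$userID` becomes empty in the second query, which should instead be refused explicitly. The rewritten middle of the sub is below; the session check and the final forbidden/return logic are unchanged.
```perl
    my @row = $query->fetchrow_array();
    if (!@row) {
        frontend::sendForbidden($aClient, "You don't have access to this channel logs");
        return 0;
    }
    my ($userID, $privileges) = @row;
    return 1 if $privileges > 0;
    # … unchanged: nothing else between the privilege check and the accessors lookup …
    $query = $aConnection->prepare(qq(select user_id from accessors where channel_id=? and user_id=?;));
    $query->execute($aChannelID, $userID);
    @row = $query->fetchrow_array();
    # … unchanged: empty @row → sendForbidden, return 0; otherwise return 1 …
```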
@@ -337,7 +366,7 @@ sub handlePath {
return 1;
}
- my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
+ my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
$query->execute($channelID);
my @row = $query->fetchrow_array();
if(scalar(@row)==0) {
@@ -345,7 +374,12 @@ sub handlePath {
return 1;
}
my $channelName = $row[0];
- my $serverName = $row[1];
+ $channelName =~ s/%23/#/;
+ my $channelPublic = $row[1];
+ if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) {
+ return 1;
+ }
+ my $serverName = $row[2];
my $logsPath = "logs/".$serverName."/".$channelName;
my $result = opendir(my $folder, $logsPath);
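Review bot: The substitution on line 86 replaces only the first `%23`, so a channel stored as `%23%23name` would be decoded to `#%23name` and the directory lookup on line 92 would miss; if full decoding is intended it needs the global flag, `$channelName =~ s/%23/#/g;`. The same substitution is repeated verbatim in the hunk at lines 102–114 (`@@ -383,7 +417,12 @@`), where the decoded name is joined into `$logFilePath`, and would need the same change. Since the decoded name now ends up in a filesystem path on line 92, a one-line guard rejecting names containing `/` or `..` before the path is built would make the lookup independent of how channel rows are populated; this presumes channel names are stored percent-encoded, which the hunk does not show, so please confirm.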
@@ -375,7 +409,7 @@ sub handlePath {
return 1;
}
- my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
+ my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
$query->execute($channelID);
my @row = $query->fetchrow_array();
if(scalar(@row)==0) {
@@ -383,7 +417,12 @@ sub handlePath {
return 1;
}
my $channelName = $row[0];
- my $serverName = $row[1];
+ $channelName =~ s/%23/#/;
+ my $channelPublic = $row[1];
+ if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) {
+ return 1;
+ }
+ my $serverName = $row[2];
my $logFilePath = "logs/".$serverName."/".$channelName."/".$logFile;
my $result = open(my $file, "<", $logFilePath);