Frontend: Don't allow viewing private channel logs without access
This commit is contained in:
parent
c296f53678
commit
f1724d2f23
14
frontend.pm
14
frontend.pm
@ -297,6 +297,18 @@ sub sendBadRequest {
|
|||||||
$aClient->send($response);
|
$aClient->send($response);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub sendUnauthorized {
|
||||||
|
my $aClient = $_[0];
|
||||||
|
my $aMessage = $_[1];
|
||||||
|
|
||||||
|
my $content = "<h1>401 Unauthorized</h1><h6>irclogger_web</h6>Error: $aMessage";
|
||||||
|
my $response = getBaseResponse(401, "Unauthorized");
|
||||||
|
$response.="Content-Type: text/html, charset=utf-8\r\n";
|
||||||
|
$response.="Content-Length: ".length($content)."\r\n\r\n";
|
||||||
|
$response.=$content;
|
||||||
|
$aClient->send($response);
|
||||||
|
}
|
||||||
|
|
||||||
sub sendForbidden {
|
sub sendForbidden {
|
||||||
my $aClient = $_[0];
|
my $aClient = $_[0];
|
||||||
my $aMessage = $_[1];
|
my $aMessage = $_[1];
|
||||||
@ -429,7 +441,7 @@ sub sendResponse {
|
|||||||
my $aRequest = $_[1];
|
my $aRequest = $_[1];
|
||||||
my $aConnection = $_[2];
|
my $aConnection = $_[2];
|
||||||
|
|
||||||
if($aRequest->{"version"} ne "HTTP/1.1") {
|
if($aRequest->{"version"} ne "HTTP/1.0" && $aRequest->{"version"} ne "HTTP/1.1") {
|
||||||
sendNotImplemented($aClient);
|
sendNotImplemented($aClient);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
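Review bot: The new sendUnauthorized emits `Content-Type: text/html, charset=utf-8`; media-type parameters are separated by `;`, so the charset is not parseable as written and clients may fall back to a default encoding — the line should read `$response.="Content-Type: text/html; charset=utf-8\r\n";`. sendForbidden, whose body starts at the end of this hunk and continues past it, looks like the template this was copied from; if it carries the same form, fixing both keeps the two responses consistent. A 401 is normally accompanied by a WWW-Authenticate header, but access here is established by a session cookie rather than HTTP authentication, so a one-line comment above the sub such as `# 401 means "no valid session cookie"; HTTP auth is not used, so no WWW-Authenticate header is sent.` would save the next reader from hunting for the missing header.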
@ -26,6 +26,35 @@ use feature qw(switch);
|
|||||||
use strict;
|
use strict;
|
||||||
use warnings;
|
use warnings;
|
||||||
|
|
||||||
|
sub verifyChannelAccess {
|
||||||
|
my $aRequest = $_[0];
|
||||||
|
my $aClient = $_[1];
|
||||||
|
my $aConnection = $_[2];
|
||||||
|
my $aChannelID = $_[3];
|
||||||
|
|
||||||
|
if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) {
|
||||||
|
frontend::sendUnauthorized($aClient, "You need to log in to view this resource");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}};
|
||||||
|
my $query = $aConnection->prepare(qq(select id, privileges from users where name=?;));
|
||||||
|
$query->execute($session->{"username"});
|
||||||
|
my @row = $query->fetchrow_array();
|
||||||
|
my $userID = $row[0];
|
||||||
|
my $privileges = $row[1];
|
||||||
|
if($privileges>0) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
$query = $aConnection->prepare(qq(select user_id from accessors where channel_id=$aChannelID and user_id=$userID;));
|
||||||
|
$query->execute($session->{"username"});
|
||||||
|
@row = $query->fetchrow_array();
|
||||||
|
if(scalar(@row)==0) {
|
||||||
|
frontend::sendForbidden($aClient, "You don't have access to this channel logs");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
sub handlePath {
|
sub handlePath {
|
||||||
my $aClient = $_[0];
|
my $aClient = $_[0];
|
||||||
my $aPath = $_[1];
|
my $aPath = $_[1];
|
||||||
@ -337,7 +366,7 @@ sub handlePath {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
|
my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
|
||||||
$query->execute($channelID);
|
$query->execute($channelID);
|
||||||
my @row = $query->fetchrow_array();
|
my @row = $query->fetchrow_array();
|
||||||
if(scalar(@row)==0) {
|
if(scalar(@row)==0) {
|
||||||
@ -345,7 +374,12 @@ sub handlePath {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
my $channelName = $row[0];
|
my $channelName = $row[0];
|
||||||
my $serverName = $row[1];
|
$channelName =~ s/%23/#/;
|
||||||
|
my $channelPublic = $row[1];
|
||||||
|
if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
my $serverName = $row[2];
|
||||||
my $logsPath = "logs/".$serverName."/".$channelName;
|
my $logsPath = "logs/".$serverName."/".$channelName;
|
||||||
|
|
||||||
my $result = opendir(my $folder, $logsPath);
|
my $result = opendir(my $folder, $logsPath);
|
||||||
@ -375,7 +409,7 @@ sub handlePath {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
|
my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
|
||||||
$query->execute($channelID);
|
$query->execute($channelID);
|
||||||
my @row = $query->fetchrow_array();
|
my @row = $query->fetchrow_array();
|
||||||
if(scalar(@row)==0) {
|
if(scalar(@row)==0) {
|
||||||
@ -383,7 +417,12 @@ sub handlePath {
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
my $channelName = $row[0];
|
my $channelName = $row[0];
|
||||||
my $serverName = $row[1];
|
$channelName =~ s/%23/#/;
|
||||||
|
my $channelPublic = $row[1];
|
||||||
|
if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
my $serverName = $row[2];
|
||||||
my $logFilePath = "logs/".$serverName."/".$channelName."/".$logFile;
|
my $logFilePath = "logs/".$serverName."/".$channelName."/".$logFile;
|
||||||
|
|
||||||
my $result = open(my $file, "<", $logFilePath);
|
my $result = open(my $file, "<", $logFilePath);
|
||||||
|
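Review bot: In verifyChannelAccess (first hunk of this file) the accessors lookup interpolates `$aChannelID` and `$userID` straight into the SQL text while every other statement in the hunk binds with `?`; `$aChannelID` appears to derive from the request path, so this is string-built SQL on request-derived input, and the following `execute($session->{"username"})` hands a bind value to a statement with no placeholders, which DBI rejects. Both lines should become `$query = $aConnection->prepare(qq(select user_id from accessors where channel_id=? and user_id=?;));` and `$query->execute($aChannelID, $userID);`. Separately, when the users query returns no row, `$userID` and `$privileges` are undef, so the privilege comparison only warns and the interpolated query is malformed; an explicit `return 0 if !@row;` after the first fetch would make the fail-closed outcome deliberate rather than incidental. The two handlePath hunks add the public-flag check consistently; handlePath's body continues beyond both of them.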