diff --git a/frontend.pm b/frontend.pm index f5cd2f9..f4b5e94 100644 --- a/frontend.pm +++ b/frontend.pm @@ -486,6 +486,25 @@ sub sendResponse { } } +sub createUser { + my $aName = $_[0]; + my $aPassword = $_[1]; + my $aPrivileges = $_[2]; + my $aConnection = $_[3]; + + my $id = 0; + my $query = $aConnection->prepare(qq(select id from users order by rowid desc limit 1;)); + $query->execute(); + my @row = $query->fetchrow_array(); + if(scalar(@row)>0) { + $id = $row[0]+1; + } + + my $password = Digest::SHA::sha256_hex($aPassword); + $query = $aConnection->prepare(qq(insert into users values($id, ?, ?, ?);)); + $query->execute($aName, $aPassword, $aPrivileges); +} + sub httpServerWorker { my $db = DBI->connect("DBI:SQLite:dbname=$configuration::database", "", "", {RaiseError=>1}); my $query = $db->prepare(qq(select id from users;)); @@ -493,9 +512,7 @@ sub httpServerWorker { my @row = $query->fetchrow_array(); if(scalar(@row)==0) { # Create default user - my $password = Digest::SHA::sha256_hex("admin"); - $query = $db->prepare(qq(insert into users values(0, "admin", "$password", 2);)); - $query->execute(); + createUser("admin", "admin", 2, $db); } my $server = new IO::Socket::INET(LocalHost=>"localhost", LocalPort=>$configuration::httpServerPort, Proto=>"tcp", Listen=>1, Reuse=>1); diff --git a/frontend_routes.pm b/frontend_routes.pm index 0c05dd9..20a126d 100644 --- a/frontend_routes.pm +++ b/frontend_routes.pm @@ -27,6 +27,35 @@ use feature qw(switch); use strict; use warnings; +sub verifyRequestPrivileges { + my $aRequest = $_[0]; + my $aClient = $_[1]; + my $aPrivileges = $_[2]; + my $aConnection = $_[3]; + + if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) { + frontend::redirect($aClient, "/"); + return 0; + } + if(defined($aRequest->{"headers"}{"Content-Type"}) && $aRequest->{"headers"}{"Content-Type"} ne "application/x-www-form-urlencoded") { + frontend::sendBadRequest($aClient, "Unsupported form Content-Type (application/x-www-form-urlencoded required)"); + return 0; + } + if(!defined($aRequest->{"content"})) { + frontend::sendBadRequest($aClient, "Request content required"); + return 0; + } + my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}}; + my $query = $aConnection->prepare(qq(select privileges from users where name=?;)); + $query->execute($session->{"username"}); + my @row = $query->fetchrow_array(); + if($row[0]<$aPrivileges) { + frontend::sendForbidden($aClient, "Insufficient permissions to perform this operation"); + return 0; + } + return 1; +} + sub verifyChannelAccess { my $aRequest = $_[0]; my $aClient = $_[1]; @@ -309,35 +338,48 @@ sub handlePath { return 1; } - when("/add_server_action") { - if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) { - frontend::redirect($aClient, "/"); + when("/add_user_action") { + if(!verifyRequestPrivileges($aRequest, $aClient, 1, $aConnection)) { return 1; } - if(defined($aRequest->{"headers"}{"Content-Type"}) && $aRequest->{"headers"}{"Content-Type"} ne "application/x-www-form-urlencoded") { - frontend::sendBadRequest($aClient, "Unsupported form Content-Type (application/x-www-form-urlencoded required)"); - return 1; - } - if(!defined($aRequest->{"content"})) { - frontend::sendBadRequest($aClient, "Request content required"); - return 1; - } - my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}}; - - my $query = $aConnection->prepare(qq(select privileges from users where name=?;)); - $query->execute($session->{"username"}); - my @row = $query->fetchrow_array(); - if($row[0]<2) { - frontend::sendForbidden($aClient, "Insufficient permissions to perform this operation"); - return 1; - } - my %parameters = frontend::parsePathParameters($aRequest->{"content"}); - if(!defined($parameters{"name"})) { + if(!defined($parameters{"name"}) || length($parameters{"name"})==0) { + frontend::sendBadRequest($aClient, "Username required"); + return 1; + } + if(!defined($parameters{"password"}) || length($parameters{"password"})==0) { + frontend::sendBadRequest($aClient, "Password required"); + return 1; + } + if(!defined($parameters{"confirmPassword"}) || length($parameters{"confirmPassword"})==0) { + frontend::sendBadRequest($aClient, "Confirm password required"); + return 1; + } + if($parameters{"password"} ne $parameters{"confirmPassword"}) { + frontend::sendBadRequest($aClient, "Password and confirm password don't match"); + return 1; + } + my $query = $aConnection->prepare(qq(select id from users where name=?;)); + $query->execute($parameters{"name"}); + my @row = $query->fetchrow_array(); + if(scalar(@row)>0) { + frontend::sendConflict($aClient, "User $parameters{'name'} already exists"); + return 1; + } + frontend::createUser($parameters{"name"}, $parameters{"password"}, defined($parameters{"operator"}), $aConnection); + frontend::redirect($aClient, "/user_added.html"); + return 1; + } + when("/add_server_action") { + if(!verifyRequestPrivileges($aRequest, $aClient, 2, $aConnection)) { + return 1; + } + my %parameters = frontend::parsePathParameters($aRequest->{"content"}); + if(!defined($parameters{"name"}) || length($parameters{"name"})==0) { frontend::sendBadRequest($aClient, "Server name required"); return 1; } - if(!defined($parameters{"address"})) { + if(!defined($parameters{"address"}) || length($parameters{"address"})==0) { frontend::sendBadRequest($aClient, "Server address required"); return 1; } @@ -346,9 +388,9 @@ sub handlePath { $port = $parameters{"port"}; } - $query = $aConnection->prepare(qq(select id from servers where name=?;)); + my $query = $aConnection->prepare(qq(select id from servers where name=?;)); $query->execute($parameters{"name"}); - @row = $query->fetchrow_array(); + my @row = $query->fetchrow_array(); if(scalar(@row)>0) { frontend::sendConflict($aClient, "Server with name $parameters{'name'} already exists"); return 1; @@ -369,41 +411,22 @@ sub handlePath { return 1; } when("/add_channel_action") { - if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) { - frontend::redirect($aClient, "/"); + if(!verifyRequestPrivileges($aRequest, $aClient, 2, $aConnection)) { return 1; } - if(defined($aRequest->{"headers"}{"Content-Type"}) && $aRequest->{"headers"}{"Content-Type"} ne "application/x-www-form-urlencoded") { - frontend::sendBadRequest($aClient, "Unsupported form Content-Type (application/x-www-form-urlencoded required)"); - return 1; - } - if(!defined($aRequest->{"content"})) { - frontend::sendBadRequest($aClient, "Request content required"); - return 1; - } - my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}}; - - my $query = $aConnection->prepare(qq(select privileges from users where name=?;)); - $query->execute($session->{"username"}); - my @row = $query->fetchrow_array(); - if($row[0]<2) { - frontend::sendForbidden($aClient, "Insufficient permissions to perform this operation"); - return 1; - } - my %parameters = frontend::parsePathParameters($aRequest->{"content"}); - if(!defined($parameters{"channel"})) { + if(!defined($parameters{"channel"}) length($parameters{"channel"})==0) { frontend::sendBadRequest($aClient, "Channel name required"); return 1; } - if(!defined($parameters{"server"})) { + if(!defined($parameters{"server"}) || length($parameters{"server"})==0) { frontend::sendBadRequest($aClient, "Server ID required"); return 1; } - $query = $aConnection->prepare(qq(select name from servers where id=?;)); + my $query = $aConnection->prepare(qq(select name from servers where id=?;)); $query->execute($parameters{"server"}); - @row = $query->fetchrow_array(); + my @row = $query->fetchrow_array(); if(scalar(@row)==0) { frontend::sendBadRequest($aClient, "Invalid server ID"); return 1; diff --git a/static/user_added.html b/static/user_added.html new file mode 100644 index 0000000..76dc978 --- /dev/null +++ b/static/user_added.html @@ -0,0 +1,10 @@ + + +
+User successfully added
+ Return to user panel + +