jilo-web/app/pages/security.php

<?php

// Check if user has any of the required rights
if (!($userObject->hasRight($userId, 'superuser') ||
      $userObject->hasRight($userId, 'edit whitelist') ||
      $userObject->hasRight($userId, 'edit blacklist') ||
      $userObject->hasRight($userId, 'edit ratelimiting'))) {
    include '../app/templates/error-unauthorized.php';
    exit;
}

// Get current section
$section = isset($_POST['section']) ? $_POST['section'] : (isset($_GET['section']) ? $_GET['section'] : 'whitelist');

// Initialize RateLimiter
require_once '../app/classes/ratelimiter.php';
$rateLimiter = new RateLimiter($db);

// Handle form submissions
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
    require_once '../app/classes/validator.php';

    // Apply rate limiting for security operations
    require_once '../app/includes/rate_limit_middleware.php';
    checkRateLimit($db, 'security', $userId);

    $action = $_POST['action'];
    $validator = new Validator($_POST);

    try {
        switch ($action) {
            case 'add_whitelist':
                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit whitelist')) {
                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
                    break;
                }

                $rules = [
                    'ip_address' => [
                        'required' => true,
                        'max' => 45, // Max length for IPv6
                        'ip' => true
                    ],
                    'description' => [
                        'required' => true,
                        'max' => 255
                    ]
                ];

                if ($validator->validate($rules)) {
                    $is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';
                    if (!$rateLimiter->addToWhitelist($_POST['ip_address'], $is_network, $_POST['description'] ?? '', $currentUser, $userId)) {
                        Feedback::flash('SECURITY', 'WHITELIST_ADD_FAILED');
                    } else {
                        Feedback::flash('SECURITY', 'WHITELIST_ADD_SUCCESS');
                    }
                } else {
                    Feedback::flash('SECURITY', 'WHITELIST_ADD_ERROR_IP', $validator->getFirstError());
                }
                break;

            case 'remove_whitelist':
                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit whitelist')) {
                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
                    break;
                }

                $rules = [
                    'ip_address' => [
                        'required' => true,
                        'max' => 45,
                        'ip' => true
                    ]
                ];

                if ($validator->validate($rules)) {
                    if (!$rateLimiter->removeFromWhitelist($_POST['ip_address'], $currentUser, $userId)) {
                        Feedback::flash('SECURITY', 'WHITELIST_REMOVE_FAILED');
                    } else {
                        Feedback::flash('SECURITY', 'WHITELIST_REMOVE_SUCCESS');
                    }
                } else {
                    Feedback::flash('SECURITY', 'WHITELIST_REMOVE_FAILED', $validator->getFirstError());
                }
                break;

            case 'add_blacklist':
                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit blacklist')) {
                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
                    break;
                }

                $rules = [
                    'ip_address' => [
                        'required' => true,
                        'max' => 45,
                        'ip' => true
                    ],
                    'reason' => [
                        'required' => true,
                        'max' => 255
                    ],
                    'expiry_hours' => [
                        'numeric' => true,
                        'min' => 0,
                        'max' => 8760 // 1 year in hours
                    ]
                ];

                if ($validator->validate($rules)) {
                    $is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';
                    $expiry_hours = !empty($_POST['expiry_hours']) ? (int)$_POST['expiry_hours'] : null;

                    if (!$rateLimiter->addToBlacklist($_POST['ip_address'], $is_network, $_POST['reason'], $currentUser, $userId, $expiry_hours)) {
                        Feedback::flash('SECURITY', 'BLACKLIST_ADD_FAILED');
                    } else {
                        Feedback::flash('SECURITY', 'BLACKLIST_ADD_SUCCESS');
                    }
                } else {
                    Feedback::flash('SECURITY', 'BLACKLIST_ADD_ERROR_IP', $validator->getFirstError());
                }
                break;

            case 'remove_blacklist':
                if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit blacklist')) {
                    Feedback::flash('SECURITY', 'PERMISSION_DENIED');
                    break;
                }

                $rules = [
                    'ip_address' => [
                        'required' => true,
                        'max' => 45,
                        'ip' => true
                    ]
                ];

                if ($validator->validate($rules)) {
                    if (!$rateLimiter->removeFromBlacklist($_POST['ip_address'], $currentUser, $userId)) {
                        Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_FAILED');
                    } else {
                        Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_SUCCESS');
                    }
                } else {
                    Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_FAILED', $validator->getFirstError());
                }
                break;

            default:
                Feedback::flash('ERROR', 'INVALID_ACTION');
        }
    } catch (Exception $e) {
        Feedback::flash('ERROR', $e->getMessage());
    }

    // Redirect back to the appropriate section
    header("Location: $app_root?page=security&section=" . urlencode($section));
    exit;
}

// Always show rate limit info message for rate limiting section
if ($section === 'ratelimit') {
    $system_messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO'];
}

// Get current lists
$whitelisted = $rateLimiter->getWhitelistedIps();
$blacklisted = $rateLimiter->getBlacklistedIps();

// Get any new feedback messages
include '../app/helpers/feedback.php';

// Load the template
include '../app/templates/security.php';
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`<?php`

			`// Check if user has any of the required rights`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!($userObject->hasRight($userId, 'superuser') \|\|`
			`$userObject->hasRight($userId, 'edit whitelist') \|\|`
			`$userObject->hasRight($userId, 'edit blacklist') \|\|`
			`$userObject->hasRight($userId, 'edit ratelimiting'))) {`
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`include '../app/templates/error-unauthorized.php';`
			`exit;`
			`}`

Adds new message system with dismissible messages 2025-01-04 12:22:53 +00:00			`// Get current section`
			`$section = isset($_POST['section']) ? $_POST['section'] : (isset($_GET['section']) ? $_GET['section'] : 'whitelist');`
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00
Implements and troubleshoots new messages system 2025-01-06 09:13:28 +00:00			`// Initialize RateLimiter`
			`require_once '../app/classes/ratelimiter.php';`
Migrates app database from SQLite to MariaDB 2025-04-25 09:10:29 +00:00			`$rateLimiter = new RateLimiter($db);`
Implements and troubleshoots new messages system 2025-01-06 09:13:28 +00:00
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`// Handle form submissions`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`require_once '../app/classes/validator.php';`
Adds ratelimiting to some pages 2025-02-17 13:15:05 +00:00
			`// Apply rate limiting for security operations`
			`require_once '../app/includes/rate_limit_middleware.php';`
Migrates app database from SQLite to MariaDB 2025-04-25 09:10:29 +00:00			`checkRateLimit($db, 'security', $userId);`
Adds ratelimiting to some pages 2025-02-17 13:15:05 +00:00
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`$action = $_POST['action'];`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`$validator = new Validator($_POST);`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00
			`try {`
			`switch ($action) {`
			`case 'add_whitelist':`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit whitelist')) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'PERMISSION_DENIED');`
			`break;`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
Adds validation to security pages 2025-02-10 17:33:24 +00:00
			`$rules = [`
			`'ip_address' => [`
			`'required' => true,`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`'max' => 45, // Max length for IPv6`
			`'ip' => true`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`],`
			`'description' => [`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`'required' => true,`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`'max' => 255`
			`]`
			`];`

			`if ($validator->validate($rules)) {`
			`$is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$rateLimiter->addToWhitelist($_POST['ip_address'], $is_network, $_POST['description'] ?? '', $currentUser, $userId)) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'WHITELIST_ADD_FAILED');`
			`} else {`
			`Feedback::flash('SECURITY', 'WHITELIST_ADD_SUCCESS');`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`}`
			`} else {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'WHITELIST_ADD_ERROR_IP', $validator->getFirstError());`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
			`break;`

			`case 'remove_whitelist':`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit whitelist')) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'PERMISSION_DENIED');`
			`break;`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
Adds validation to security pages 2025-02-10 17:33:24 +00:00
			`$rules = [`
			`'ip_address' => [`
			`'required' => true,`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`'max' => 45,`
			`'ip' => true`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`]`
			`];`

			`if ($validator->validate($rules)) {`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$rateLimiter->removeFromWhitelist($_POST['ip_address'], $currentUser, $userId)) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'WHITELIST_REMOVE_FAILED');`
			`} else {`
			`Feedback::flash('SECURITY', 'WHITELIST_REMOVE_SUCCESS');`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`}`
			`} else {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'WHITELIST_REMOVE_FAILED', $validator->getFirstError());`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
			`break;`

			`case 'add_blacklist':`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit blacklist')) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'PERMISSION_DENIED');`
			`break;`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
Adds validation to security pages 2025-02-10 17:33:24 +00:00
			`$rules = [`
			`'ip_address' => [`
			`'required' => true,`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`'max' => 45,`
			`'ip' => true`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`],`
			`'reason' => [`
			`'required' => true,`
			`'max' => 255`
			`],`
			`'expiry_hours' => [`
			`'numeric' => true,`
			`'min' => 0,`
			`'max' => 8760 // 1 year in hours`
			`]`
			`];`

			`if ($validator->validate($rules)) {`
			`$is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';`
			`$expiry_hours = !empty($_POST['expiry_hours']) ? (int)$_POST['expiry_hours'] : null;`

Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$rateLimiter->addToBlacklist($_POST['ip_address'], $is_network, $_POST['reason'], $currentUser, $userId, $expiry_hours)) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'BLACKLIST_ADD_FAILED');`
			`} else {`
			`Feedback::flash('SECURITY', 'BLACKLIST_ADD_SUCCESS');`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`}`
			`} else {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'BLACKLIST_ADD_ERROR_IP', $validator->getFirstError());`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
			`break;`

			`case 'remove_blacklist':`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$userObject->hasRight($userId, 'superuser') && !$userObject->hasRight($userId, 'edit blacklist')) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'PERMISSION_DENIED');`
			`break;`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
Adds validation to security pages 2025-02-10 17:33:24 +00:00
			`$rules = [`
			`'ip_address' => [`
			`'required' => true,`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`'max' => 45,`
			`'ip' => true`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`]`
			`];`

			`if ($validator->validate($rules)) {`
Standartizes $userId as user ID variable in whole app 2025-04-14 07:39:58 +00:00			`if (!$rateLimiter->removeFromBlacklist($_POST['ip_address'], $currentUser, $userId)) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_FAILED');`
			`} else {`
			`Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_SUCCESS');`
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`}`
			`} else {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('SECURITY', 'BLACKLIST_REMOVE_FAILED', $validator->getFirstError());`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
			`break;`
Adds validation to security pages 2025-02-10 17:33:24 +00:00
			`default:`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('ERROR', 'INVALID_ACTION');`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`
			`} catch (Exception $e) {`
Adds missing feedback messages to login and security 2025-02-24 12:08:05 +00:00			`Feedback::flash('ERROR', $e->getMessage());`
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`}`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00
Adds validation to security pages 2025-02-10 17:33:24 +00:00			`// Redirect back to the appropriate section`
			`header("Location: $app_root?page=security&section=" . urlencode($section));`
			`exit;`
Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`}`

Adds new message system with dismissible messages 2025-01-04 12:22:53 +00:00			`// Always show rate limit info message for rate limiting section`
			`if ($section === 'ratelimit') {`
Adds ratelimiting to some pages 2025-02-17 13:15:05 +00:00			`$system_messages[] = ['category' => 'SECURITY', 'key' => 'RATE_LIMIT_INFO'];`
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`}`

Adds modal messages, fixes ratelimiter 2025-01-04 11:41:02 +00:00			`// Get current lists`
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`$whitelisted = $rateLimiter->getWhitelistedIps();`
			`$blacklisted = $rateLimiter->getBlacklistedIps();`

Renames messages to feedback 2025-02-17 08:24:50 +00:00			`// Get any new feedback messages`
Reorganizes helper include files 2025-02-17 14:50:57 +00:00			`include '../app/helpers/feedback.php';`
Implements and troubleshoots new messages system 2025-01-06 09:13:28 +00:00
			`// Load the template`
Adds a web interface for ratelimiter 2025-01-04 10:30:44 +00:00			`include '../app/templates/security.php';`