lindeas
/
jilo-web
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases 5 Wiki Activity

Adds validation to security pages

main
Yasen Pramatarov 2025-02-10 19:33:24 +02:00
parent 6c37a082bf
commit cca0eb63a6
1 changed files with 89 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
app/pages/security.php
View File

@ -23,75 +23,126 @@ $rateLimiter = new RateLimiter($dbWeb);
// Handle form submissions // Handle form submissions
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) { if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
require_once '../app/classes/validator.php';
$action = $_POST['action']; $action = $_POST['action'];
$validator = new Validator($_POST);
try { try {
switch ($action) { switch ($action) {
case 'add_whitelist': case 'add_whitelist':
if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit whitelist')) { if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit whitelist')) {
throw new Exception(Messages::get('SECURITY', 'PERMISSION_DENIED')['message']); throw new Exception('Unauthorized action');
} }
if (empty($_POST['ip_address'])) {
throw new Exception(Messages::get('SECURITY', 'IP_REQUIRED')['message']); $rules = [
'ip_address' => [
'required' => true,
'max' => 45 // IPv6 max length
],
'description' => [
'max' => 255
]
];
if ($validator->validate($rules)) {
$is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';
if (!$rateLimiter->addToWhitelist($_POST['ip_address'], $is_network, $_POST['description'] ?? '', $currentUser, $user_id)) {
throw new Exception('Failed to add IP to whitelist');
}
Messages::flash('SECURITY', 'WHITELIST_ADD_SUCCESS', 'IP address added to whitelist');
} else {
Messages::flash('SECURITY', 'WHITELIST_ADD_ERROR', $validator->getFirstError());
} }
$is_network = isset($_POST['is_network']) ? 1 : 0;
if (!$rateLimiter->addToWhitelist($_POST['ip_address'], $is_network, $_POST['description'] ?? '', $currentUser, $user_id)) {
throw new Exception(Messages::get('SECURITY', 'WHITELIST_ADD_ERROR')['message']);
}
Messages::flash('SECURITY', 'WHITELIST_ADD_SUCCESS');
break; break;
case 'remove_whitelist': case 'remove_whitelist':
if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit whitelist')) { if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit whitelist')) {
throw new Exception(Messages::get('SECURITY', 'PERMISSION_DENIED')['message']); throw new Exception('Unauthorized action');
} }
if (empty($_POST['ip_address'])) {
throw new Exception(Messages::get('SECURITY', 'IP_REQUIRED')['message']); $rules = [
'ip_address' => [
'required' => true,
'max' => 45
]
];
if ($validator->validate($rules)) {
if (!$rateLimiter->removeFromWhitelist($_POST['ip_address'], $currentUser, $user_id)) {
throw new Exception('Failed to remove IP from whitelist');
}
Messages::flash('SECURITY', 'WHITELIST_REMOVE_SUCCESS', 'IP address removed from whitelist');
} else {
Messages::flash('SECURITY', 'WHITELIST_REMOVE_ERROR', $validator->getFirstError());
} }
if (!$rateLimiter->removeFromWhitelist($_POST['ip_address'], $currentUser, $user_id)) {
throw new Exception(Messages::get('SECURITY', 'WHITELIST_REMOVE_ERROR')['message']);
}
Messages::flash('SECURITY', 'WHITELIST_REMOVE_SUCCESS');
break; break;
case 'add_blacklist': case 'add_blacklist':
if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit blacklist')) { if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit blacklist')) {
throw new Exception(Messages::get('SECURITY', 'PERMISSION_DENIED')['message']); throw new Exception('Unauthorized action');
} }
if (empty($_POST['ip_address'])) {
throw new Exception(Messages::get('SECURITY', 'IP_REQUIRED')['message']); $rules = [
'ip_address' => [
'required' => true,
'max' => 45
],
'reason' => [
'required' => true,
'max' => 255
],
'expiry_hours' => [
'numeric' => true,
'min' => 0,
'max' => 8760 // 1 year in hours
]
];
if ($validator->validate($rules)) {
$is_network = isset($_POST['is_network']) && $_POST['is_network'] === 'on';
$expiry_hours = !empty($_POST['expiry_hours']) ? (int)$_POST['expiry_hours'] : null;
if (!$rateLimiter->addToBlacklist($_POST['ip_address'], $is_network, $_POST['reason'], $currentUser, $user_id, $expiry_hours)) {
throw new Exception('Failed to add IP to blacklist');
}
Messages::flash('SECURITY', 'BLACKLIST_ADD_SUCCESS', 'IP address added to blacklist');
} else {
Messages::flash('SECURITY', 'BLACKLIST_ADD_ERROR', $validator->getFirstError());
} }
$is_network = isset($_POST['is_network']) ? 1 : 0;
$expiry_hours = !empty($_POST['expiry_hours']) ? intval($_POST['expiry_hours']) : null;
if (!$rateLimiter->addToBlacklist($_POST['ip_address'], $is_network, $_POST['reason'] ?? '', $currentUser, $user_id, $expiry_hours)) {
throw new Exception(Messages::get('SECURITY', 'BLACKLIST_ADD_ERROR')['message']);
}
Messages::flash('SECURITY', 'BLACKLIST_ADD_SUCCESS');
break; break;
case 'remove_blacklist': case 'remove_blacklist':
if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit blacklist')) { if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit blacklist')) {
throw new Exception(Messages::get('SECURITY', 'PERMISSION_DENIED')['message']); throw new Exception('Unauthorized action');
} }
if (empty($_POST['ip_address'])) {
throw new Exception(Messages::get('SECURITY', 'IP_REQUIRED')['message']); $rules = [
'ip_address' => [
'required' => true,
'max' => 45
]
];
if ($validator->validate($rules)) {
if (!$rateLimiter->removeFromBlacklist($_POST['ip_address'], $currentUser, $user_id)) {
throw new Exception('Failed to remove IP from blacklist');
}
Messages::flash('SECURITY', 'BLACKLIST_REMOVE_SUCCESS', 'IP address removed from blacklist');
} else {
Messages::flash('SECURITY', 'BLACKLIST_REMOVE_ERROR', $validator->getFirstError());
} }
if (!$rateLimiter->removeFromBlacklist($_POST['ip_address'], $currentUser, $user_id)) {
throw new Exception(Messages::get('SECURITY', 'BLACKLIST_REMOVE_ERROR')['message']);
}
Messages::flash('SECURITY', 'BLACKLIST_REMOVE_SUCCESS');
break; break;
default:
throw new Exception('Invalid action');
} }
} catch (Exception $e) { } catch (Exception $e) {
$messages[] = ['category' => 'SECURITY', 'key' => 'CUSTOM_ERROR', 'custom_message' => $e->getMessage()]; Messages::flash('SECURITY', 'ERROR', $e->getMessage());
Messages::flash('SECURITY', 'CUSTOM_ERROR', 'custom_message');
} }
if (empty($messages)) { // Redirect back to the appropriate section
// Only redirect if there were no errors header("Location: $app_root?page=security&section=" . urlencode($section));
header("Location: {$app_root}?page=security&section={$section}"); exit;
exit;
}
} }
// Always show rate limit info message for rate limiting section // Always show rate limit info message for rate limiting section