From eae2a8a47c8a204a873f339cce42037b7672ab69 Mon Sep 17 00:00:00 2001
From: Yasen Pramatarov
Date: Sat, 4 Jan 2025 13:41:02 +0200
Subject: [PATCH] Adds modal messages, fixes ratelimiter
---
 app/classes/ratelimiter.php | 45 ++++++--------
 app/pages/security.php | 116 ++++++++++++++++++++++++------------
 app/templates/security.php | 30 ++++++++++
 3 files changed, 127 insertions(+), 64 deletions(-)
diff --git a/app/classes/ratelimiter.php b/app/classes/ratelimiter.php
index a9c56e5..42dfa1d 100644
--- a/app/classes/ratelimiter.php
+++ b/app/classes/ratelimiter.php
@@ -53,11 +53,11 @@ class RateLimiter {
 // Default IPs to whitelist (local interface and private networks IPs)
 $defaultIps = [
- ['127.0.0.1', false, 'localhost IPv4'],
- ['::1', false, 'localhost IPv6'],
- ['10.0.0.0/8', true, 'Private network (Class A)'],
- ['172.16.0.0/12', true, 'Private network (Class B)'],
- ['192.168.0.0/16', true, 'Private network (Class C)']
+ ['127.0.0.1', 0, 'localhost IPv4'],
+ ['::1', 0, 'localhost IPv6'],
+ ['10.0.0.0/8', 1, 'Private network (Class A)'],
+ ['172.16.0.0/12', 1, 'Private network (Class B)'],
+ ['192.168.0.0/16', 1, 'Private network (Class C)']
 ];
 // Insert default whitelisted IPs if they don't exist
@@ -70,15 +70,15 @@ class RateLimiter {
 // Insert known malicious networks
 $defaultBlacklist = [
- ['0.0.0.0/8', true, 'Reserved address space - RFC 1122'],
- ['100.64.0.0/10', true, 'Carrier-grade NAT space - RFC 6598'],
- ['192.0.2.0/24', true, 'TEST-NET-1 Documentation space - RFC 5737'],
- ['198.51.100.0/24', true, 'TEST-NET-2 Documentation space - RFC 5737'],
- ['203.0.113.0/24', true, 'TEST-NET-3 Documentation space - RFC 5737']
+ ['0.0.0.0/8', 1, 'Reserved address space - RFC 1122'],
+ ['100.64.0.0/10', 1, 'Carrier-grade NAT space - RFC 6598'],
+ ['192.0.2.0/24', 1, 'TEST-NET-1 Documentation space - RFC 5737'],
+ ['198.51.100.0/24', 1, 'TEST-NET-2 Documentation space - RFC 5737'],
+ ['203.0.113.0/24', 1, 'TEST-NET-3 Documentation space - RFC 5737']
 ];
- $stmt = $this->db->prepare("INSERT OR IGNORE INTO {$this->blacklistTable}
- (ip_address, is_network, reason, created_by)
+ $stmt = $this->db->prepare("INSERT OR IGNORE INTO {$this->blacklistTable}
+ (ip_address, is_network, reason, created_by)
 VALUES (?, ?, ?, 'system')");
 foreach ($defaultBlacklist as $ip) {
@@ -155,13 +155,9 @@ class RateLimiter {
 return false;
 }
- $stmt = $this->db->prepare("INSERT INTO {$this->whitelistTable}
+ $stmt = $this->db->prepare("INSERT OR REPLACE INTO {$this->whitelistTable}
 (ip_address, is_network, description, created_by)
- VALUES (?, ?, ?, ?)
- ON DUPLICATE KEY UPDATE
- is_network = VALUES(is_network),
- description = VALUES(description),
- created_by = VALUES(created_by)");
+ VALUES (?, ?, ?, ?)");
 $result = $stmt->execute([$ip, $isNetwork, $description, $createdBy]);
@@ -187,7 +183,7 @@ class RateLimiter {
 }
 // Remove from whitelist
- public function removeFromWhitelist($ip, $userId = null, $removedBy = 'system') {
+ public function removeFromWhitelist($ip, $removedBy = 'system', $userId = null) {
 try {
 // Get IP details before removal for logging
 $stmt = $this->db->prepare("SELECT * FROM {$this->whitelistTable} WHERE ip_address = ?");
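Review bot: `INSERT OR REPLACE` in the rewritten prepare() of the `@@ -155` hunk deletes the conflicting row and inserts a new one, so on a duplicate ip_address every column not in the list — the rowid and any creation timestamp or other audit column the table carries — is reset, and any row in another table that references the old rowid is orphaned or cascaded. The blacklist statement in the `@@ -233` hunk has the same problem. If the target is SQLite 3.24 or newer (the `INSERT OR IGNORE` above suggests SQLite), the MySQL upsert the commit removes maps directly onto an in-place update: `INSERT INTO {$this->whitelistTable} (ip_address, is_network, description, created_by) VALUES (?, ?, ?, ?) ON CONFLICT(ip_address) DO UPDATE SET is_network = excluded.is_network, description = excluded.description, created_by = excluded.created_by`, which needs the UNIQUE constraint on ip_address that the old ON DUPLICATE KEY form already required. The enclosing addToWhitelist method begins before and continues after this hunk.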
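Review bot: Swapping the two optional parameters of `removeFromWhitelist` in the `@@ -187` hunk (and of `removeFromBlacklist` in the `@@ -265` hunk) is a silent breaking change: a caller still written as `removeFromWhitelist($ip, $user_id, $currentUser)` keeps running without error, logging the user id as `$removedBy` and the username as `$userId`, because the parameters carry no type declarations. The patch updates the two call sites in app/pages/security.php; any other caller is outside this diff and should be checked. Declaring the types, e.g. `public function removeFromWhitelist(string $ip, string $removedBy = 'system', ?int $userId = null)`, would make a stale call site fail loudly — assuming `$userId` is the integer id that the `$user_id` variable in security.php suggests. The method body continues past the end of the hunk.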
@@ -233,14 +229,9 @@ class RateLimiter {
 $expiryTime = $expiryHours ? date('Y-m-d H:i:s', strtotime("+{$expiryHours} hours")) : null;
- $stmt = $this->db->prepare("INSERT INTO {$this->blacklistTable}
+ $stmt = $this->db->prepare("INSERT OR REPLACE INTO {$this->blacklistTable}
 (ip_address, is_network, reason, expiry_time, created_by)
- VALUES (?, ?, ?, ?, ?)
- ON DUPLICATE KEY UPDATE
- is_network = VALUES(is_network),
- reason = VALUES(reason),
- expiry_time = VALUES(expiry_time),
- created_by = VALUES(created_by)");
+ VALUES (?, ?, ?, ?, ?)");
 $result = $stmt->execute([$ip, $isNetwork, $reason, $expiryTime, $createdBy]);
@@ -265,7 +256,7 @@ class RateLimiter {
 }
 }
- public function removeFromBlacklist($ip, $userId = null, $removedBy = 'system') {
+ public function removeFromBlacklist($ip, $removedBy = 'system', $userId = null) {
 try {
 // Get IP details before removal for logging
 $stmt = $this->db->prepare("SELECT * FROM {$this->blacklistTable} WHERE ip_address = ?");
diff --git a/app/pages/security.php b/app/pages/security.php
index be6a603..c9cf76f 100644
--- a/app/pages/security.php
+++ b/app/pages/security.php
@@ -9,55 +9,97 @@ if (!($userObject->hasRight($user_id, 'superuser') ||
 exit;
 }
-$action = $_GET['action'] ?? 'view';
-$section = $_GET['section'] ?? 'whitelist';
+// Initialize variables for feedback messages
+$error_message = '';
+$success_message = '';
 // Handle form submissions
-if ($_SERVER['REQUEST_METHOD'] === 'POST') {
- switch ($_POST['action']) {
- case 'add_whitelist':
- if ($userObject->hasRight($user_id, 'superuser') || $userObject->hasRight($user_id, 'edit whitelist')) {
- $ip = $_POST['ip_address'];
- $description = $_POST['description'];
+if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['action'])) {
+ $action = $_POST['action'];
+ $section = isset($_POST['section']) ? $_POST['section'] : (isset($_GET['section']) ? $_GET['section'] : 'whitelist');
+
+ try {
+ switch ($action) {
+ case 'add_whitelist':
+ if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit whitelist')) {
+ throw new Exception('You do not have permission to modify the whitelist.');
+ }
+ if (empty($_POST['ip_address'])) {
+ throw new Exception('IP address is required.');
+ }
 $is_network = isset($_POST['is_network']) ? 1 : 0;
- $rateLimiter->addToWhitelist($ip, $is_network, $description, $currentUser);
- }
- break;
+ if (!$rateLimiter->addToWhitelist($_POST['ip_address'], $is_network, $_POST['description'] ?? '', $currentUser, $user_id)) {
+ throw new Exception('Failed to add IP to whitelist. 
Please check the IP format.');
+ }
+ $success_message = 'IP address successfully added to whitelist.';
+ break;
- case 'remove_whitelist':
- if ($userObject->hasRight($user_id, 'superuser') || $userObject->hasRight($user_id, 'edit whitelist')) {
- $ip = $_POST['ip_address'];
- $rateLimiter->removeFromWhitelist($ip, $user_id, $currentUser);
- }
- break;
+ case 'remove_whitelist':
+ if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit whitelist')) {
+ throw new Exception('You do not have permission to modify the whitelist.');
+ }
+ if (empty($_POST['ip_address'])) {
+ throw new Exception('IP address is required.');
+ }
+ if (!$rateLimiter->removeFromWhitelist($_POST['ip_address'], $currentUser, $user_id)) {
+ throw new Exception('Failed to remove IP from whitelist.');
+ }
+ $success_message = 'IP address successfully removed from whitelist.';
+ break;
- case 'add_blacklist':
- if ($userObject->hasRight($user_id, 'superuser') || $userObject->hasRight($user_id, 'edit blacklist')) {
- $ip = $_POST['ip_address'];
- $reason = $_POST['reason'];
+ case 'add_blacklist':
+ if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit blacklist')) {
+ throw new Exception('You do not have permission to modify the blacklist.');
+ }
+ if (empty($_POST['ip_address'])) {
+ throw new Exception('IP address is required.');
+ }
 $is_network = isset($_POST['is_network']) ? 1 : 0;
- $expiry_hours = empty($_POST['expiry_hours']) ? null : intval($_POST['expiry_hours']);
- $rateLimiter->addToBlacklist($ip, $is_network, $reason, $currentUser, null, $expiry_hours);
- }
- break;
+ $expiry_hours = !empty($_POST['expiry_hours']) ? intval($_POST['expiry_hours']) : null;
+ if (!$rateLimiter->addToBlacklist($_POST['ip_address'], $is_network, $_POST['reason'] ?? '', $currentUser, $user_id, $expiry_hours)) {
+ throw new Exception('Failed to add IP to blacklist. 
Please check the IP format.');
+ }
+ $success_message = 'IP address successfully added to blacklist.';
+ break;
- case 'remove_blacklist':
- if ($userObject->hasRight($user_id, 'superuser') || $userObject->hasRight($user_id, 'edit blacklist')) {
- $ip = $_POST['ip_address'];
- $rateLimiter->removeFromBlacklist($ip, $user_id, $currentUser);
- }
- break;
+ case 'remove_blacklist':
+ if (!$userObject->hasRight($user_id, 'superuser') && !$userObject->hasRight($user_id, 'edit blacklist')) {
+ throw new Exception('You do not have permission to modify the blacklist.');
+ }
+ if (empty($_POST['ip_address'])) {
+ throw new Exception('IP address is required.');
+ }
+ if (!$rateLimiter->removeFromBlacklist($_POST['ip_address'], $currentUser, $user_id)) {
+ throw new Exception('Failed to remove IP from blacklist.');
+ }
+ $success_message = 'IP address successfully removed from blacklist.';
+ break;
+ }
+ } catch (Exception $e) {
+ $error_message = $e->getMessage();
+ }
+
+ if (empty($error_message)) {
+ // Only redirect if there was no error
+ header("Location: {$app_root}?page=security§ion={$section}" .
+ ($success_message ? '&success=' . urlencode($success_message) : ''));
+ exit;
 }
-
- // Redirect to prevent form resubmission
- header("Location: {$app_root}?page=security§ion={$section}");
- exit;
 }
-// Get the lists
+// Get success message from URL if redirected after successful action
+if (isset($_GET['success'])) {
+ $success_message = $_GET['success'];
+}
+
+// Get current lists
 $whitelisted = $rateLimiter->getWhitelistedIps();
 $blacklisted = $rateLimiter->getBlacklistedIps();
-// Include the template
+// Get current section
+$section = isset($_GET['section']) ? $_GET['section'] : 'whitelist';
+
+// Include template
 include '../app/templates/security.php';
+
 ?>
diff --git a/app/templates/security.php b/app/templates/security.php
index 631795e..f6e461c 100644
--- a/app/templates/security.php
+++ b/app/templates/security.php
@@ -3,6 +3,18 @@
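Review bot: `$success_message = $_GET['success'];` turns a URL parameter into page content, so any link of the form `?page=security&success=...` shows attacker-chosen text in the success banner, and it becomes reflected XSS if the template (whose markup is stripped in this diff) echoes it without `htmlspecialchars`. Carrying the message through the session instead of the query string removes the URL as a vector; the rewritten lines below assume the page already runs under `session_start()`, which the use of `$user_id` suggests but this hunk does not show. Separately, none of the four state-changing POST branches checks a CSRF token inside this hunk; unless that happens before line 9 of the file, a cross-site form post can add or remove whitelist/blacklist entries with a logged-in superuser's rights. `$section` is also taken from `$_POST`/`$_GET` unvalidated and interpolated into the Location header and the template; restricting it with `in_array($section, ['whitelist', 'blacklist'], true)` before use keeps it to the two values the page knows (the `§ion` in the hunk looks like a rendering of `&section` and is not addressed here).
```php
    if (empty($error_message)) {
        // Flash the outcome through the session so the redirect URL carries no display text
        $_SESSION['security_success'] = $success_message;
        // … unchanged: header("Location: …") redirect without the '&success=' suffix, then exit …
    }
}

// Pull the flash message set before the redirect and clear it so it shows once
$success_message = $_SESSION['security_success'] ?? '';
unset($_SESSION['security_success']);
// … unchanged: getWhitelistedIps()/getBlacklistedIps(), $section, template include …
```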

Security Settings

+ + + + + +
+ +