System: add additional user session checks on root-level actions

GibbonEdu · Feb 22, 2025 · 8f603ab · 8f603ab
1 parent 87b746f
commit 8f603ab
Show file tree

Hide file tree

Showing 9 changed files with 75 additions and 51 deletions.
diff --git a/index_notification_ajax_alarmConfirmProcess.php b/index_notification_ajax_alarmConfirmProcess.php
@@ -30,7 +30,10 @@
 $URL = Url::fromRoute();
 
 //Proceed!
-if (empty($gibbonAlarmID) or empty($gibbonPersonID)) {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonAlarmID) or empty($gibbonPersonID)) {
     header("Location: {$URL}");
 } else {
     //Check alarm

diff --git a/index_notification_ajax_alarmProcess.php b/index_notification_ajax_alarmProcess.php
@@ -29,7 +29,10 @@
 $URL = Url::fromRoute();
 
 //Proceed!
-if (empty($gibbonAlarmID)) {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonAlarmID)) {
     header("Location: {$URL}");
 } else {
     //Check alarm

diff --git a/notificationsActionProcess.php b/notificationsActionProcess.php
@@ -23,12 +23,15 @@
 
 include './gibbon.php';
 
-$URLBack = Url::fromRoute('notifications');
+$URL = Url::fromRoute('notifications');
 $gibbonNotificationID = $_GET['gibbonNotificationID'] ?? '';
 
-if (empty($gibbonNotificationID) || !$session->has('gibbonPersonID')) {
-    header("Location: {$URLBack->withReturn('error1')}");
-    exit();
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonNotificationID) || !$session->has('gibbonPersonID')) {
+    header("Location: {$URL->withReturn('error1')}");
+    exit;
 } else {
     // Check for existence of notification, belonging to this user
     $data = array('gibbonNotificationID' => $gibbonNotificationID, 'gibbonPersonID' => $session->get('gibbonPersonID'));
@@ -37,10 +40,10 @@
     $notification = $pdo->selectOne($sql, $data);
 
     if (empty($notification)) {
-        header("Location: {$URLBack->withReturn('error2')}");
-        exit();
+        header("Location: {$URL->withReturn('error2')}");
+        exit;
     } else {
-        $URL = $session->get('absoluteURL').$notification['actionLink'];
+        $URLSuccess = $session->get('absoluteURL').$notification['actionLink'];
 
         //Archive notification
         $data = array('gibbonNotificationID' => $gibbonNotificationID, 'gibbonPersonID' => $session->get('gibbonPersonID'));
@@ -49,11 +52,11 @@
         $pdo->update($sql, $data);
 
         if (!$pdo->getQuerySuccess()) {
-            header("Location: {$URLBack->withReturn('error2')}");
-            exit();
+            header("Location: {$URL->withReturn('error2')}");
+            exit;
         }
 
         //Success 0
-        header("Location: {$URL}");
+        header("Location: {$URLSuccess}");
     }
 }
diff --git a/notificationsDeleteAllProcess.php b/notificationsDeleteAllProcess.php
@@ -25,6 +25,11 @@
 
 $URL = Url::fromRoute('notifications')->withQueryParam('sidebar', 'false');
 
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+}
+
 try {
     $data = array('gibbonPersonID' => $session->get('gibbonPersonID'));
     $sql = 'DELETE FROM gibbonNotification WHERE gibbonPersonID=:gibbonPersonID';

diff --git a/notificationsDeleteProcess.php b/notificationsDeleteProcess.php
@@ -25,9 +25,12 @@
 
 $URL = Url::fromRoute('notifications')->withQueryParam('sidebar', 'false');
 
-if (!isset($_GET['gibbonNotificationID'])) {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (!isset($_GET['gibbonNotificationID'])) {
     header("Location: {$URL->withReturn('error1')}");
-    exit();
+    exit;
 } else {
     $gibbonNotificationID = $_GET['gibbonNotificationID'] ?? '';
 
@@ -39,12 +42,12 @@
         $result->execute($data);
     } catch (PDOException $e) {
         header("Location: {$URL->withReturn('error2')}");
-        exit();
+        exit;
     }
 
     if ($result->rowCount() != 1) {
         header("Location: {$URL->withReturn('error2')}");
-        exit();
+        exit;
     } else {
         //Delete notification
         try {
@@ -54,11 +57,11 @@
             $result->execute($data);
         } catch (PDOException $e) {
             header("Location: {$URL->withReturn('error2')}");
-            exit();
+            exit;
         }
 
         //Success 0
         header("Location: {$URL->withReturn('success0')}");
-        exit();
+        exit;
     }
 }
diff --git a/preferencesPasswordProcess.php b/preferencesPasswordProcess.php
@@ -35,45 +35,47 @@
 $mfaSecret = $_POST['mfaSecret'] ?? null;
 $mfaCode = $_POST['mfaCode'] ?? null;
 
-if ($forceReset != 'Y') {
-    $forceReset = 'N';
-    $URLSuccess = Url::fromRoute('preferences')->withQueryParam('forceReset', 'N');
-} else {
-    $URLSuccess = Url::fromRoute()->withQueryParam('forceReset', 'Y');
-}
-$URL = Url::fromRoute('preferences')->withQueryParam('forceReset', $forceReset);
+$URL = Url::fromRoute('preferences')->withQueryParam('forceReset', $forceReset == 'Y' ? 'Y' : 'N');
 
 //Check passwords are not blank
-if ($password == '' or $passwordNew == '' or $passwordConfirm == '') {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif ($password == '' or $passwordNew == '' or $passwordConfirm == '') {
     header("Location: {$URL->withReturn('error1')}");
+    exit;
 } else {
     //Check the mfaCode is correct
     if ($mfaEnable == 'Y') {
         $tfa = new RobThree\Auth\TwoFactorAuth('Gibbon'); //TODO: change the name to be based on the actual value of the school's gibbon name or similar...
         if ($tfa->verifyCode($mfaSecret, $mfaCode) !== true){
             header("Location: {$URL->withReturn('error8')}");
-            exit();
+            exit;
         }
     }
     //Check that new password is not same as old password
     if ($password == $passwordNew) {
         header("Location: {$URL->withReturn('error7')}");
+        exit;
     } else {
         /** @var PasswordPolicy */
         $passwordPolicies = $container->get(PasswordPolicy::class);
 
         //Check strength of password
         if (!$passwordPolicies->validate($passwordNew)) {
             header("Location: {$URL->withReturn('error6')}");
+            exit;
         } else {
             //Check new passwords match
             if ($passwordNew != $passwordConfirm) {
                 header("Location: {$URL->withReturn('error4')}");
+                exit;
             } else {
                 $user = $container->get(UserGateway::class)->getByID($session->get('gibbonPersonID'), ['passwordStrong', 'passwordStrongSalt']);
                 //Check current password
                 if (hash('sha256', $user['passwordStrongSalt'].$password) != $user['passwordStrong']) {
                     header("Location: {$URL->withReturn('error3')}");
+                    exit;
                 } else {
                     //If answer insert fails...
                     $salt = getSalt();
@@ -85,7 +87,7 @@
                         $result->execute($data);
                     } catch (PDOException $e) {
                         header("Location: {$URL->withReturn('error2')}");
-                        exit();
+                        exit;
                     }
 
                     //Check for forceReset and take action
@@ -98,14 +100,14 @@
                             $result->execute($data);
                         } catch (PDOException $e) {
                             header("Location: {$URL->withReturn('errora')}");
-                            exit();
+                            exit;
                         }
                         $session->set('passwordForceReset', 'N');
                         $session->set('passwordStrongSalt', $salt);
                         $session->set('passwordStrong', $passwordStrong);
                         $session->set('pageLoads', null);
                         header("Location: {$URL->withReturn('successa')}");
-                        exit() ;
+                        exit;
                     }
 
                     $session->set('passwordStrongSalt', $salt);

diff --git a/preferencesProcess.php b/preferencesProcess.php
@@ -24,6 +24,13 @@
 
 include './gibbon.php';
 
+$URL = Url::fromRoute('preferences');
+
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+}
+
 // Sanitize the whole $_POST array
 $validator = $container->get(Validator::class);
 $_POST = $validator->sanitize($_POST, ['personalBackground' => 'URL']);
@@ -44,8 +51,6 @@
 
 $mfaCode = $_POST['mfaCode'] ?? null;
 
-$URL = Url::fromRoute('preferences');
-
 $validated = true;
 
 // Validate the personal background URL

diff --git a/roleSwitcherProcess.php b/roleSwitcherProcess.php
@@ -29,20 +29,22 @@
 $gibbonRoleID = str_pad(intval($gibbonRoleID), 3, '0', STR_PAD_LEFT);
 
 $session->set('pageLoads', null);
+$URL = Url::fromRoute();
 
 //Check for parameter
-if (empty(intval($gibbonRoleID))) {
-    $URL = Url::fromRoute()->withReturn('error0');
-    header("Location: {$URL}");
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty(intval($gibbonRoleID))) {
+    header("Location: {$URL->withReturn('error0')}");
     exit;
 } else {
     // Check for access to role
     $roleGateway = $container->get(RoleGateway::class);
     $role = $roleGateway->getAvailableUserRoleByID($session->get('gibbonPersonID'), $gibbonRoleID);
 
     if (empty($role) || empty($role['category'])) {
-        $URL = Url::fromRoute()->withReturn('error0');
-        header("Location: {$URL}");
+        header("Location: {$URL->withReturn('error0')}");
         exit;
     }
 

diff --git a/yearSwitcherProcess.php b/yearSwitcherProcess.php
@@ -27,11 +27,14 @@
 $gibbonSchoolYearID = $_POST['gibbonSchoolYearID'] ?? null;
 
 $session->set('pageLoads', null);
+$URL = Url::fromRoute();
 
-//Check for parameter
-if (empty($gibbonSchoolYearID)) {
-    $URL = Url::fromRoute()->withReturn('error0');
-    header("Location: {$URL}");
+// Check for access
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonSchoolYearID)) {
+    header("Location: {$URL->withReturn('error0')}");
     exit;
 } else {
 
@@ -45,8 +48,7 @@
         $row = $result->fetch();
 
         if ($row['futureYearsLogin'] != 'Y' and $row['pastYearsLogin'] != 'Y') { //NOT ALLOWED DUE TO CONTROLS ON ROLE, KICK OUT!
-            $URL = Url::fromRoute()->withReturn('error0');
-            header("Location: {$URL}");
+            header("Location: {$URL->withReturn('error0')}");
             exit();
         } else {
             //Get details on requested school year
@@ -66,21 +68,18 @@
             //Check number of rows returned.
             //If it is not 1, show error
             if (!($resultYear->rowCount() == 1) && !($resultYearCurrent->rowCount() == 1)) {
-                $URL = Url::fromRoute()->withReturn('error0');
-                header("Location: {$URL}");
+                header("Location: {$URL->withReturn('error0')}");
                 exit;
             }
             //Else get year details
             else {
                 $rowYear = $resultYear->fetch();
                 $rowYearCurrent = $resultYearCurrent->fetch();
                 if ($row['futureYearsLogin'] != 'Y' and $rowYearCurrent['sequenceNumber'] < $rowYear['sequenceNumber']) { //POSSIBLY NOT ALLOWED DUE TO CONTROLS ON ROLE, CHECK YEAR
-                    $URL = Url::fromRoute()->withReturn('error0');
-                    header("Location: {$URL}");
+                    header("Location: {$URL->withReturn('error0')}");
                     exit();
                 } elseif ($row['pastYearsLogin'] != 'Y' and $rowYearCurrent['sequenceNumber'] > $rowYear['sequenceNumber']) { //POSSIBLY NOT ALLOWED DUE TO CONTROLS ON ROLE, CHECK YEAR
-                    $URL = Url::fromRoute()->withReturn('error0');
-                    header("Location: {$URL}");
+                    header("Location: {$URL->withReturn('error0')}");
                     exit();
                 } else { //ALLOWED
                     $session->set('gibbonSchoolYearID', $rowYear['gibbonSchoolYearID']);
@@ -95,8 +94,7 @@
                     // Clear the main menu from session cache
                     $session->forget('menuMainItems');
 
-                    $URL = Url::fromRoute()->withReturn('success0');
-                    header("Location: {$URL}");
+                    header("Location: {$URL->withReturn('success0')}");
                 }
             }
         }