diff --git a/index_notification_ajax_alarmConfirmProcess.php b/index_notification_ajax_alarmConfirmProcess.php
index cf7ab96db1..dcb4fee4ae 100644
--- a/index_notification_ajax_alarmConfirmProcess.php
+++ b/index_notification_ajax_alarmConfirmProcess.php
@@ -30,7 +30,10 @@
 $URL = Url::fromRoute();
 
 //Proceed!
-if (empty($gibbonAlarmID) or empty($gibbonPersonID)) {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonAlarmID) or empty($gibbonPersonID)) {
     header("Location: {$URL}");
 } else {
     //Check alarm
diff --git a/index_notification_ajax_alarmProcess.php b/index_notification_ajax_alarmProcess.php
index bc1b37d11e..8261cca156 100644
--- a/index_notification_ajax_alarmProcess.php
+++ b/index_notification_ajax_alarmProcess.php
@@ -29,7 +29,10 @@
 $URL = Url::fromRoute();
 
 //Proceed!
-if (empty($gibbonAlarmID)) {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonAlarmID)) {
     header("Location: {$URL}");
 } else {
     //Check alarm
diff --git a/notificationsActionProcess.php b/notificationsActionProcess.php
index 38dbe5451a..17454410b1 100644
--- a/notificationsActionProcess.php
+++ b/notificationsActionProcess.php
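Review bot: The `elseif (empty($gibbonAlarmID) or empty($gibbonPersonID))` branch still issues its redirect without `exit;`, while the new `error0` branch directly above it and every equivalent branch this commit touches in the other files terminate the script; add `exit;` after `header("Location: {$URL}");` here and in the matching branch of index_notification_ajax_alarmProcess.php. The hunk ends inside the `else`, so whether anything executes after the if/elseif/else block is not visible here, which is exactly why the explicit terminator is the safer form. The same two-line session guard is now pasted verbatim into nine entry points (both alarm scripts, notificationsActionProcess.php, notificationsDeleteAllProcess.php, notificationsDeleteProcess.php, preferencesPasswordProcess.php, preferencesProcess.php, roleSwitcherProcess.php, yearSwitcherProcess.php); a single shared helper that performs the check and the `error0` redirect would keep the required session keys from drifting between files.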
@@ -23,12 +23,15 @@
 
 include './gibbon.php';
 
-$URLBack = Url::fromRoute('notifications');
+$URL = Url::fromRoute('notifications');
 $gibbonNotificationID = $_GET['gibbonNotificationID'] ?? '';
 
-if (empty($gibbonNotificationID) || !$session->has('gibbonPersonID')) {
-    header("Location: {$URLBack->withReturn('error1')}");
-    exit();
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonNotificationID) || !$session->has('gibbonPersonID')) {
+    header("Location: {$URL->withReturn('error1')}");
+    exit;
 } else {
     // Check for existence of notification, belonging to this user
     $data = array('gibbonNotificationID' => $gibbonNotificationID, 'gibbonPersonID' => $session->get('gibbonPersonID'));
@@ -37,10 +40,10 @@
     $notification = $pdo->selectOne($sql, $data);
 
     if (empty($notification)) {
-        header("Location: {$URLBack->withReturn('error2')}");
-        exit();
+        header("Location: {$URL->withReturn('error2')}");
+        exit;
     } else {
-        $URL = $session->get('absoluteURL').$notification['actionLink'];
+        $URLSuccess = $session->get('absoluteURL').$notification['actionLink'];
 
         //Archive notification
         $data = array('gibbonNotificationID' => $gibbonNotificationID, 'gibbonPersonID' => $session->get('gibbonPersonID'));
@@ -49,11 +52,11 @@
         $pdo->update($sql, $data);
 
         if (!$pdo->getQuerySuccess()) {
-            header("Location: {$URLBack->withReturn('error2')}");
-            exit();
+            header("Location: {$URL->withReturn('error2')}");
+            exit;
         }
 
         //Success 0
-        header("Location: {$URL}");
+        header("Location: {$URLSuccess}");
     }
 }
diff --git a/notificationsDeleteAllProcess.php b/notificationsDeleteAllProcess.php
index 2bbbfa96e6..419622bdc8 100644
--- a/notificationsDeleteAllProcess.php
+++ b/notificationsDeleteAllProcess.php
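Review bot: The new `elseif (empty($gibbonNotificationID) || !$session->has('gibbonPersonID'))` repeats a condition the branch above it has already decided, because `!$session->has('gibbonPersonID')` is caught by the `error0` guard first; reduce it to `} elseif (empty($gibbonNotificationID)) {` so the `error1` branch reads as the missing-parameter case it now is. The `$URLBack`→`$URL` and `$URL`→`$URLSuccess` renames in the second and third hunks are consistent with that; nothing further to raise there.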
@@ -25,6 +25,11 @@
 
 $URL = Url::fromRoute('notifications')->withQueryParam('sidebar', 'false');
 
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+}
+
 try {
     $data = array('gibbonPersonID' => $session->get('gibbonPersonID'));
     $sql = 'DELETE FROM gibbonNotification WHERE gibbonPersonID=:gibbonPersonID';
diff --git a/notificationsDeleteProcess.php b/notificationsDeleteProcess.php
index f752a8c167..d5503158a6 100644
--- a/notificationsDeleteProcess.php
+++ b/notificationsDeleteProcess.php
@@ -25,9 +25,12 @@
 
 $URL = Url::fromRoute('notifications')->withQueryParam('sidebar', 'false');
 
-if (!isset($_GET['gibbonNotificationID'])) {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (!isset($_GET['gibbonNotificationID'])) {
     header("Location: {$URL->withReturn('error1')}");
-    exit();
+    exit;
 } else {
     $gibbonNotificationID = $_GET['gibbonNotificationID'] ?? '';
 
@@ -39,12 +42,12 @@
         $result->execute($data);
     } catch (PDOException $e) {
         header("Location: {$URL->withReturn('error2')}");
-        exit();
+        exit;
     }
 
     if ($result->rowCount() != 1) {
         header("Location: {$URL->withReturn('error2')}");
-        exit();
+        exit;
     } else {
         //Delete notification
         try {
@@ -54,11 +57,11 @@
             $result->execute($data);
         } catch (PDOException $e) {
             header("Location: {$URL->withReturn('error2')}");
-            exit();
+            exit;
         }
 
         //Success 0
         header("Location: {$URL->withReturn('success0')}");
-        exit();
+        exit;
     }
 }
diff --git a/preferencesPasswordProcess.php b/preferencesPasswordProcess.php
index 5e8bac5f4d..d019ccb165 100644
--- a/preferencesPasswordProcess.php
+++ b/preferencesPasswordProcess.php
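Review bot: The new session guard only establishes that someone is logged in, yet it is the sole check before `DELETE FROM gibbonNotification WHERE gibbonPersonID=:gibbonPersonID` runs, and the sibling notificationsDeleteProcess.php reads its target from `$_GET['gibbonNotificationID']`, which suggests both scripts are state-changing handlers reachable by a plain GET with no origin or token check. If that is the case, a logged-in user who follows a crafted link would have notifications deleted without intending to; consider accepting these requests only via POST with the application's form token, or document in a comment why session presence alone is considered sufficient for notification deletion. The guard itself matches the pattern used across the commit and is placed correctly ahead of the query.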
@@ -35,29 +35,28 @@
 $mfaSecret = $_POST['mfaSecret'] ?? null;
 $mfaCode = $_POST['mfaCode'] ?? null;
 
-if ($forceReset != 'Y') {
-    $forceReset = 'N';
-    $URLSuccess = Url::fromRoute('preferences')->withQueryParam('forceReset', 'N');
-} else {
-    $URLSuccess = Url::fromRoute()->withQueryParam('forceReset', 'Y');
-}
-$URL = Url::fromRoute('preferences')->withQueryParam('forceReset', $forceReset);
+$URL = Url::fromRoute('preferences')->withQueryParam('forceReset', $forceReset == 'Y' ? 'Y' : 'N');
 
 //Check passwords are not blank
-if ($password == '' or $passwordNew == '' or $passwordConfirm == '') {
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif ($password == '' or $passwordNew == '' or $passwordConfirm == '') {
     header("Location: {$URL->withReturn('error1')}");
+    exit;
 } else {
     //Check the mfaCode is correct
     if ($mfaEnable == 'Y') {
         $tfa = new RobThree\Auth\TwoFactorAuth('Gibbon'); //TODO: change the name to be based on the actual value of the school's gibbon name or similar...
         if ($tfa->verifyCode($mfaSecret, $mfaCode) !== true){
             header("Location: {$URL->withReturn('error8')}");
-            exit();
+            exit;
         }
     }
     //Check that new password is not same as old password
     if ($password == $passwordNew) {
         header("Location: {$URL->withReturn('error7')}");
+        exit;
     } else {
         /** @var PasswordPolicy */
         $passwordPolicies = $container->get(PasswordPolicy::class);
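Review bot: This hunk deletes both definitions of `$URLSuccess` (the `forceReset`-dependent success route) but no later hunk in this file touches a use of it; if the success redirect after the password update still reads `$URLSuccess`, that line now dereferences an undefined variable, so the remainder of preferencesPasswordProcess.php beyond line 111 (outside this diff) needs checking, or the success redirect needs to be moved onto `$URL`. The replacement `$forceReset == 'Y' ? 'Y' : 'N'` compares a request value loosely; `$forceReset === 'Y' ? 'Y' : 'N'` is the strict form. In the context lines, `$tfa->verifyCode($mfaSecret, $mfaCode)` verifies against a `$mfaSecret` taken from `$_POST`; if this script is meant to confirm an already-enrolled factor rather than complete enrolment, the secret should come from the stored user record rather than the request, which is worth confirming while this block is being edited. The enclosing `else` continues past the end of the hunk.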
@@ -65,15 +64,18 @@
         //Check strength of password
         if (!$passwordPolicies->validate($passwordNew)) {
             header("Location: {$URL->withReturn('error6')}");
+            exit;
         } else {
             //Check new passwords match
             if ($passwordNew != $passwordConfirm) {
                 header("Location: {$URL->withReturn('error4')}");
+                exit;
             } else {
                 $user = $container->get(UserGateway::class)->getByID($session->get('gibbonPersonID'), ['passwordStrong', 'passwordStrongSalt']);
                 //Check current password
                 if (hash('sha256', $user['passwordStrongSalt'].$password) != $user['passwordStrong']) {
                     header("Location: {$URL->withReturn('error3')}");
+                    exit;
                 } else {
                     //If answer insert fails...
                     $salt = getSalt();
@@ -85,7 +87,7 @@
                         $result->execute($data);
                     } catch (PDOException $e) {
                         header("Location: {$URL->withReturn('error2')}");
-                        exit();
+                        exit;
                     }
 
                     //Check for forceReset and take action
@@ -98,14 +100,14 @@
                             $result->execute($data);
                         } catch (PDOException $e) {
                             header("Location: {$URL->withReturn('errora')}");
-                            exit();
+                            exit;
                         }
                         $session->set('passwordForceReset', 'N');
                         $session->set('passwordStrongSalt', $salt);
                         $session->set('passwordStrong', $passwordStrong);
                         $session->set('pageLoads', null);
                         header("Location: {$URL->withReturn('successa')}");
-                        exit() ;
+                        exit;
                     }
 
                     $session->set('passwordStrongSalt', $salt);
diff --git a/preferencesProcess.php b/preferencesProcess.php
index 5c33ae293b..f28a1bf016 100644
--- a/preferencesProcess.php
+++ b/preferencesProcess.php
@@ -24,6 +24,13 @@
 
 include './gibbon.php';
 
+$URL = Url::fromRoute('preferences');
+
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+}
+
 // Sanitize the whole $_POST array
 $validator = $container->get(Validator::class);
 $_POST = $validator->sanitize($_POST, ['personalBackground' => 'URL']);
@@ -44,8 +51,6 @@
 
 $mfaCode = $_POST['mfaCode'] ?? null;
 
-$URL = Url::fromRoute('preferences');
-
 $validated = true;
 
 // Validate the personal background URL
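Review bot: The `exit;` added after the `error3` redirect sits on a current-password check that compares the SHA-256 digest with a loose `!=`; since this block is being touched, the comparison should be `if (!hash_equals($user['passwordStrong'], hash('sha256', $user['passwordStrongSalt'].$password))) {` so the check is both strict and constant-time. The added terminators after `error6`, `error4` and `error3` are the right fix and close a gap the old if/else nesting relied on. The enclosing `else` chain starts before and ends after this hunk, so the three-`exit;` change cannot be confirmed complete from the hunk alone.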
diff --git a/roleSwitcherProcess.php b/roleSwitcherProcess.php
index 30dfb6a4a7..f5f21838fd 100644
--- a/roleSwitcherProcess.php
+++ b/roleSwitcherProcess.php
@@ -29,11 +29,14 @@
 
 $gibbonRoleID = str_pad(intval($gibbonRoleID), 3, '0', STR_PAD_LEFT);
 $session->set('pageLoads', null);
+$URL = Url::fromRoute();
 
 //Check for parameter
-if (empty(intval($gibbonRoleID))) {
-    $URL = Url::fromRoute()->withReturn('error0');
-    header("Location: {$URL}");
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty(intval($gibbonRoleID))) {
+    header("Location: {$URL->withReturn('error0')}");
     exit;
 } else {
     // Check for access to role
@@ -41,8 +44,7 @@
     $role = $roleGateway->getAvailableUserRoleByID($session->get('gibbonPersonID'), $gibbonRoleID);
 
     if (empty($role) || empty($role['category'])) {
-        $URL = Url::fromRoute()->withReturn('error0');
-        header("Location: {$URL}");
+        header("Location: {$URL->withReturn('error0')}");
         exit;
     }
 
diff --git a/yearSwitcherProcess.php b/yearSwitcherProcess.php
index c985d64e60..cfa764f19e 100644
--- a/yearSwitcherProcess.php
+++ b/yearSwitcherProcess.php
@@ -27,11 +27,14 @@
 
 $gibbonSchoolYearID = $_POST['gibbonSchoolYearID'] ?? null;
 $session->set('pageLoads', null);
+$URL = Url::fromRoute();
 
-//Check for parameter
-if (empty($gibbonSchoolYearID)) {
-    $URL = Url::fromRoute()->withReturn('error0');
-    header("Location: {$URL}");
+// Check for access
+if (!$session->has('gibbonPersonID') || !$session->has('gibbonRoleIDCurrent')) {
+    header("Location: {$URL->withReturn('error0')}");
+    exit;
+} elseif (empty($gibbonSchoolYearID)) {
+    header("Location: {$URL->withReturn('error0')}");
     exit;
 } else {
 
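Review bot: In both roleSwitcherProcess.php and yearSwitcherProcess.php the new session guard runs after `$session->set('pageLoads', null);`, so a request that fails the guard has already reset that session value before being redirected; move the guard above the `$session->set` line (or the set below the guard) so no session state is written until the check passes. What `pageLoads` controls is not visible here, but writing session state on a request that is about to be rejected as unauthenticated is the wrong order regardless. In roleSwitcherProcess.php the new `elseif` branch reuses the guard's `error0` code for a missing parameter, so the two failures are indistinguishable in the UI; the other files in this commit use `error1` for the missing-parameter case.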
@@ -45,8 +48,7 @@
     $row = $result->fetch();
 
     if ($row['futureYearsLogin'] != 'Y' and $row['pastYearsLogin'] != 'Y') { //NOT ALLOWED DUE TO CONTROLS ON ROLE, KICK OUT!
-        $URL = Url::fromRoute()->withReturn('error0');
-        header("Location: {$URL}");
+        header("Location: {$URL->withReturn('error0')}");
         exit();
     } else {
         //Get details on requested school year
@@ -66,8 +68,7 @@
         //Check number of rows returned.
         //If it is not 1, show error
         if (!($resultYear->rowCount() == 1) && !($resultYearCurrent->rowCount() == 1)) {
-            $URL = Url::fromRoute()->withReturn('error0');
-            header("Location: {$URL}");
+            header("Location: {$URL->withReturn('error0')}");
             exit;
         }
         //Else get year details
@@ -75,12 +76,10 @@
         $rowYear = $resultYear->fetch();
         $rowYearCurrent = $resultYearCurrent->fetch();
         if ($row['futureYearsLogin'] != 'Y' and $rowYearCurrent['sequenceNumber'] < $rowYear['sequenceNumber']) { //POSSIBLY NOT ALLOWED DUE TO CONTROLS ON ROLE, CHECK YEAR
-            $URL = Url::fromRoute()->withReturn('error0');
-            header("Location: {$URL}");
+            header("Location: {$URL->withReturn('error0')}");
             exit();
         } elseif ($row['pastYearsLogin'] != 'Y' and $rowYearCurrent['sequenceNumber'] > $rowYear['sequenceNumber']) { //POSSIBLY NOT ALLOWED DUE TO CONTROLS ON ROLE, CHECK YEAR
-            $URL = Url::fromRoute()->withReturn('error0');
-            header("Location: {$URL}");
+            header("Location: {$URL->withReturn('error0')}");
             exit();
         } else { //ALLOWED
             $session->set('gibbonSchoolYearID', $rowYear['gibbonSchoolYearID']);
@@ -95,8 +94,7 @@
 
             // Clear the main menu from session cache
             $session->forget('menuMainItems');
-            $URL = Url::fromRoute()->withReturn('success0');
-            header("Location: {$URL}");
+            header("Location: {$URL->withReturn('success0')}");
         }
     }
 }
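Review bot: The rewritten redirect in this hunk and both redirects in the `@@ -75,12` hunk keep `exit();` while the rest of the commit normalises to `exit;` (including the `@@ -66,8` hunk of this same file); since these lines are being rewritten anyway, change the three to `exit;` for consistency. The final hunk's `header("Location: {$URL->withReturn('success0')}");` has no terminator after it, which is only safe if the three closing braces are the end of the file; that cannot be confirmed from the hunk, so an explicit `exit;` there would remove the doubt.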