Replace all authentication code with a function that does the auth for us

Makes things a little tidier and easier to change in the future, a custom message can be passed to authenticateUser() and this is output if the authentication fails.

Added protection around Include and Exclude species pages as these still accessible & data can still be written to include and exclude species.txt even with a password.
This commit is contained in:
jaredb7
2023-05-13 01:07:19 +10:00
parent 66863f2e6b
commit a80d39d7b6
7 changed files with 66 additions and 202 deletions
+21 -67
View File
@@ -6,86 +6,40 @@ if(file_exists('./scripts/common.php')){
}
if(isset($_GET['deletefile'])) {
if(isset($_SERVER['PHP_AUTH_USER'])) {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd == $config['CADDY_PWD'] && $submitteduser == 'birdnet'){
$filename_to_delete = $_GET['deletefile'];
$message = deleteDetection($filename_to_delete)['message'];
echo $message;
die();
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
$user_is_authenticated = authenticateUser('You must be authenticated to change the protection of files.');
if ($user_is_authenticated) {
$filename_to_delete = $_GET['deletefile'];
$message = deleteDetection($filename_to_delete)['message'];
echo $message;
die();
}
}
if(isset($_GET['excludefile'])) {
if(isset($_SERVER['PHP_AUTH_USER'])) {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd == $config['CADDY_PWD'] && $submitteduser == 'birdnet'){
$user_is_authenticated = authenticateUser('You must be authenticated to change the protection of files.');
if ($user_is_authenticated) {
if(isset($_GET['exclude_add'])) {
$response_data = protectDetectionFromDeletion('protect', $_GET['excludefile']);
echo $response_data['message'];
die();
} else {
$response_data = protectDetectionFromDeletion('unprotect', $_GET['excludefile']);
echo $response_data['message'];
die();
}
if (isset($_GET['exclude_add'])) {
$response_data = protectDetectionFromDeletion('protect', $_GET['excludefile']);
echo $response_data['message'];
die();
} else {
$response_data = protectDetectionFromDeletion('unprotect', $_GET['excludefile']);
echo $response_data['message'];
die();
}
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
} else {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo 'You must be authenticated to change the protection of files.';
exit;
}
}
}
$shifted_path = getDirectory('shifted_dir');
if(isset($_GET['shiftfile'])) {
//Parse the ini files
parseConfig();
//Authenticate before going any further
$caddypwd = $config['CADDY_PWD'];
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot shift files for this installation</td></tr></table>';
exit;
} else {
$submittedpwd = $_SERVER['PHP_AUTH_PW'];
$submitteduser = $_SERVER['PHP_AUTH_USER'];
if($submittedpwd !== $caddypwd || $submitteduser !== 'birdnet'){
header('WWW-Authenticate: Basic realm="My Realm"');
header('HTTP/1.0 401 Unauthorized');
echo '<table><tr><td>You cannot shift files for this installation<</td></tr></table>';
exit;
}
}
authenticateUser('You cannot shift files for this installation');
//Authenticated
//Authenticated if we get this far
$filename = $_GET['shiftfile'];
$doShift = null;
if (isset($_GET['doshift'])) {