ACL Login add page information and lookup

Add the full page information and a new file name to cuid lookup to the acl array. Add a new method to check if a page name is in the list of pages that can be accessed by the user.
Edit user settings class remove password as mandatory
2025-04-15 18:38:14 +09:00 · 2025-04-15 17:51:32 +09:00 · 2025-04-15 17:46:41 +09:00 · 2025-04-15 17:40:54 +09:00 · 2025-04-14 09:19:58 +09:00
7 changed files with 74 additions and 8 deletions
--- a/4dev/tests/ACL/CoreLibsACLLoginTest.php
+++ b/4dev/tests/ACL/CoreLibsACLLoginTest.php
@@ -12,6 +12,8 @@ Not yet covered tests:
 - loginGetLocale
 - loginGetHeaderColor
 - loginGetPages
+- loginGetPageLookupList
+- loginPageAccessAllowed
 - loginGetEuid
 */

--- a/www/admin/class_test.db.encryption.php
+++ b/www/admin/class_test.db.encryption.php
@@ -15,6 +15,8 @@ ob_start();
 define('USE_DATABASE', true);
 // sample config
 require 'config.php';
+// for testing encryption compare
+use OpenPGP\OpenPGP;
 // define log file id
 $LOG_FILE_ID = 'classTest-db-query-encryption';
 ob_end_flush();
@@ -50,6 +52,7 @@ print "Secret Key: " . $key . "<br>";

 // test text
 $text_string = "I a some deep secret";
+$text_string = "I a some deep secret ABC";
 //
 $crypt = new SymmetricEncryption($key);
 $encrypted = $crypt->encrypt($text_string);
@@ -133,11 +136,31 @@ if ($res === false) {
 	if (hash_equals($string_hmac, $res['pg_hmac_text'])) {
 		print "libsodium and pgcrypto hash hmac match<br>";
 	}
+	// do compare for PHP and pgcrypto settings
+	$encryptedMessage_template = <<<TEXT
+	-----BEGIN PGP MESSAGE-----
+
+	{BASE64}
+	-----END PGP MESSAGE-----
+	TEXT;
+	$base64_string = base64_encode(hex2bin($res['pg_crypt_text']) ?: '');
+	$encryptedMessage = str_replace(
+		'{BASE64}',
+		$base64_string,
+		$encryptedMessage_template
+	);
+	try {
+		$literalMessage = OpenPGP::decryptMessage($encryptedMessage, passwords: [$key]);
+		$decrypted = $literalMessage->getLiteralData()->getData();
+		print "Pg decrypted PHP: " . $decrypted . "<br>";
+		if ($decrypted == $text_string) {
+			print "Decryption worked<br>";
+		}
+	} catch (\Exception $e) {
+		print "Error decrypting message: " . $e->getMessage() . "<br>";
+	}
 }

-
-// do compare for PHP and pgcrypto settings
-
 print "</body></html>";

 // __END__
--- a/www/admin/class_test.login.php
+++ b/www/admin/class_test.login.php
@@ -127,6 +127,12 @@ if (isset($login->loginGetAcl()['unit'])) {
 // IP check: 'REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR', 'CLIENT_IP' in _SERVER
 // Agent check: 'HTTP_USER_AGENT'

+print "<hr>";
+print "PAGE lookup:<br>";
+$file_name = 'test_edit_base.php';
+print "Access to '$file_name': " . $log->prAr($login->loginPageAccessAllowed($file_name)) . "<br>";
+$file_name = 'i_do_not_exists.php';
+print "Access to '$file_name': " . $log->prAr($login->loginPageAccessAllowed($file_name)) . "<br>";

 echo "<hr>";
 print "SESSION: " . Support::printAr($_SESSION) . "<br>";
--- a/www/composer.json
+++ b/www/composer.json
@@ -24,6 +24,7 @@
        "egrajp/smarty-extended": "^5.4",
        "php": ">=8.1",
        "gullevek/dotenv": "^2.0",
-        "psr/log": "^2.0 || ^3.0"
+        "psr/log": "^2.0 || ^3.0",
+        "php-privacy/openpgp": "^2.1"
    }
 }
--- a/www/lib/CoreLibs/ACL/Login.php
+++ b/www/lib/CoreLibs/ACL/Login.php
@@ -924,7 +924,9 @@ class Login
 		$mandatory_session_vars = [
 			'LOGIN_USER_NAME', 'LOGIN_GROUP_NAME', 'LOGIN_EUCUID', 'LOGIN_EUCUUID',
 			'LOGIN_USER_ADDITIONAL_ACL', 'LOGIN_GROUP_ADDITIONAL_ACL',
-			'LOGIN_ADMIN', 'LOGIN_GROUP_ACL_LEVEL', 'LOGIN_PAGES_ACL_LEVEL', 'LOGIN_USER_ACL_LEVEL',
+			'LOGIN_ADMIN', 'LOGIN_GROUP_ACL_LEVEL',
+			'LOGIN_PAGES', 'LOGIN_PAGES_LOOKUP', 'LOGIN_PAGES_ACL_LEVEL',
+			'LOGIN_USER_ACL_LEVEL',
 			'LOGIN_UNIT', 'LOGIN_UNIT_DEFAULT_EACUID'
 		];
 		$force_reauth = false;
@@ -1264,6 +1266,7 @@ class Login
 		}
 		$edit_page_ids = [];
 		$pages = [];
+		$pages_lookup = [];
 		$pages_acl = [];
 		// set pages access
 		$q = <<<SQL
@@ -1307,6 +1310,7 @@ class Login
 				'query' => [],
 				'visible' => []
 			];
+			$pages_lookup[$res['filename']] = $res['cuid'];
 			// make reference filename -> level
 			$pages_acl[$res['filename']] = $res['level'];
 		} // for each page
@@ -1367,6 +1371,7 @@ class Login
 		// write back the pages data to the output array
 		$this->session->setMany([
 			'LOGIN_PAGES' => $pages,
+			'LOGIN_PAGES_LOOKUP' => $pages_lookup,
 			'LOGIN_PAGES_ACL_LEVEL' => $pages_acl,
 		]);
 		// load the edit_access user rights
@@ -1526,6 +1531,8 @@ class Login
 		) {
 			$this->acl['page'] = $_SESSION['LOGIN_PAGES_ACL_LEVEL'][$this->page_name];
 		}
+		$this->acl['pages_detail'] = $_SESSION['LOGIN_PAGES'];
+		$this->acl['pages_lookup_cuid'] = $_SESSION['LOGIN_PAGES_LOOKUP'];

 		$this->acl['unit_cuid'] = null;
 		$this->acl['unit_name'] = null;
@@ -2728,6 +2735,31 @@ HTML;
 		return $this->session->get('LOGIN_PAGES');
 	}

+	/**
+	 * Return the current loaded list of pages the user can access
+	 *
+	 * @return array<mixed>
+	 */
+	public function loginGetPageLookupList(): array
+	{
+		return $this->session->get('LOGIN_PAGES_LOOKUP');
+	}
+
+	/**
+	 * Check access to a file in the pages list
+	 *
+	 * @param  string $filename File name to check
+	 * @return bool             True if page in list and anything other than None access, False if failed
+	 */
+	public function loginPageAccessAllowed(string $filename): bool
+	{
+		return (
+			$this->session->get('LOGIN_PAGES')[
+				$this->session->get('LOGIN_PAGES_LOOKUP')[$filename] ?? ''
+			] ?? 0
+		) != 0 ? true : false;
+	}
+
 	// MARK: logged in uid(pk)/eucuid/eucuuid

 	/**
--- a/www/lib/CoreLibs/Output/Form/Generate.php
+++ b/www/lib/CoreLibs/Output/Form/Generate.php
@@ -1371,7 +1371,7 @@ class Generate
 							) {
 								$this->msg .= sprintf(
 									$this->l->__('Please enter a valid (%s) input for the <b>%s</b> Field!<br>'),
-									$this->dba->getTableArray()[$key]['error_example'],
+									$this->dba->getTableArray()[$key]['error_example'] ?? '[MISSING]',
 									$this->dba->getTableArray()[$key]['output_name']
 								);
 							}
@@ -2602,7 +2602,7 @@ class Generate
 			}
 		}
 		// add lost error ones
-		$this->log->error('P: ' . $data['prefix'] . ', '
+		$this->log->error('Prefix: ' . $data['prefix'] . ', '
 			. Support::prAr($_POST['ERROR'][$data['prefix']] ?? []));
 		if ($this->error && !empty($_POST['ERROR'][$data['prefix']])) {
 			$prfx = $data['prefix']; // short
--- a/www/lib/CoreLibs/Output/Form/TableArrays/EditUsers.php
+++ b/www/lib/CoreLibs/Output/Form/TableArrays/EditUsers.php
@@ -50,7 +50,8 @@ class EditUsers implements Interface\TableArraysInterface
 					'HIDDEN_value' => $_POST['HIDDEN_password'] ?? '',
 					'CONFIRM_value' => $_POST['CONFIRM_password'] ?? '',
 					'output_name' => 'Password',
-					'mandatory' => 1,
+					// make it not mandatory to create dummy accounts that can only login via login url id
+					'mandatory' => 0,
 					'type' => 'password', // later has to be password for encryption in database
 					'update' => [ // connected field updates, and update data
 						'password_change_date' => [ // db row to update
@@ -182,6 +183,7 @@ class EditUsers implements Interface\TableArraysInterface
 					'type' => 'text',
 					'error_check' => 'unique|custom',
 					'error_regex' => "/^[A-Za-z0-9]+$/",
+					'error_example' => "ABCdef123",
 					'emptynull' => 1,'min_edit_acl' => '100',
 					'min_show_acl' => '100',
 				],
Author	SHA1	Message	Date
Clemens Schwaighofer	8396f7856b	ACL Login add page information and lookup Add the full page information and a new file name to cuid lookup to the acl array. Add a new method to check if a page name is in the list of pages that can be accessed by the user.	2025-04-15 18:38:14 +09:00
Clemens Schwaighofer	b18866077e	Edit user settings class remove password as mandatory	2025-04-15 17:51:32 +09:00
Clemens Schwaighofer	a66cc09095	Fix phpstan problems in test db encryption file	2025-04-15 17:46:41 +09:00
Clemens Schwaighofer	1cfdc45107	Fix edit user missing error example for login user id field	2025-04-15 17:40:54 +09:00
Clemens Schwaighofer	07e46c91ab	Add test decryption for pg crypto columns	2025-04-14 09:19:58 +09:00