mirror of https://github.com/itflow-org/itflow
78 lines
2.5 KiB
PHP
78 lines
2.5 KiB
PHP
<?php
|
|
// Headers to allow extensions access (CORS)
|
|
$chrome_id = "to-be-confirmed";
|
|
$firefox_id = "to-be-confirmed";
|
|
$http_origin = $_SERVER['HTTP_ORIGIN'];
|
|
if ($http_origin == "$chrome_id" || $http_origin == "$firefox_id")
|
|
{
|
|
header("Access-Control-Allow-Origin: $http_origin");
|
|
header("Access-Control-Allow-Credentials: true");
|
|
}
|
|
|
|
include("config.php");
|
|
include("functions.php");
|
|
|
|
session_start();
|
|
|
|
// Check user is logged in
|
|
// We do this manually, using check_login will break CORS due to the redirect.
|
|
if(!(isset($_SESSION['logged']))){
|
|
$data['found'] = "FALSE";
|
|
$data['message'] = "ITFlow - You are not logged into ITFlow.";
|
|
echo(json_encode($data));
|
|
exit();
|
|
}
|
|
|
|
// User is logged in!
|
|
|
|
// Get user info:
|
|
$session_user_id = $_SESSION['user_id'];
|
|
|
|
$sql = mysqli_query($mysqli,"SELECT * FROM users, user_settings WHERE users.user_id = user_settings.user_id AND users.user_id = $session_user_id");
|
|
$row = mysqli_fetch_array($sql);
|
|
$session_name = $row['user_name'];
|
|
$session_email = $row['user_email'];
|
|
$session_avatar = $row['user_avatar'];
|
|
$session_token = $row['user_token'];
|
|
$session_company_id = $row['user_default_company'];
|
|
$session_user_role = $row['user_role'];
|
|
if($session_user_role == 6){
|
|
$session_user_role_display = "Global Administrator";
|
|
}elseif($session_user_role == 5){
|
|
$session_user_role_display = "Administrator";
|
|
}elseif($session_user_role == 4){
|
|
$session_user_role_display = "Technician";
|
|
}elseif($session_user_role == 3){
|
|
$session_user_role_display = "IT Contractor";
|
|
}elseif($session_user_role == 2){
|
|
$session_user_role_display = "Client";
|
|
}else{
|
|
$session_user_role_display = "Accountant";
|
|
}
|
|
|
|
// Check user access level
|
|
if($session_user_role < 4){
|
|
$data['found'] = "FALSE";
|
|
$data['message'] = "ITFlow - You are not authorised to use this application.";
|
|
echo(json_encode($data));
|
|
exit();
|
|
}
|
|
|
|
if(isset($_GET['host'])){
|
|
|
|
$url = trim(strip_tags(mysqli_real_escape_string($mysqli,$_GET['host'])));
|
|
|
|
$sql_logins = mysqli_query($mysqli, "SELECT * FROM logins WHERE (login_uri = '$url' AND company_id = '$session_company_id') LIMIT 1");
|
|
|
|
if(mysqli_num_rows($sql_logins) > 0){
|
|
$row = mysqli_fetch_array($sql_logins);
|
|
$data['found'] = "TRUE";
|
|
$data['username'] = htmlentities($row['login_username']);
|
|
$data['password'] = decryptLoginEntry($row['login_password']);
|
|
echo json_encode($data);
|
|
}
|
|
}
|
|
|
|
//TODO: Future work:-
|
|
// - Check user has permission to this client
|
|
// - Showing multiple logins for a single URL
|