From 5919c771e9cf3c3edfc62dfb1ac6bddf1cfc9732 Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Fri, 21 Feb 2014 23:24:01 +0100
Subject: Implement multiple access levels for api keys

This allows to use an api key to write a completly standalone client.

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 application/config/migration.php                   |  2 +-
 application/controllers/file.php                   |  4 ++--
 application/controllers/user.php                   | 17 ++++++++++----
 .../migrations/011_apikeys_add_access_level.php    | 19 ++++++++++++++++
 application/models/muser.php                       | 19 ++++++++++------
 application/views/user/apikeys.php                 | 26 ++++++++++++++++++++--
 6 files changed, 71 insertions(+), 16 deletions(-)
 create mode 100644 application/migrations/011_apikeys_add_access_level.php

diff --git a/application/config/migration.php b/application/config/migration.php
index 6cfd09a30..391b6c7c7 100644
--- a/application/config/migration.php
+++ b/application/config/migration.php
@@ -21,7 +21,7 @@ $config['migration_enabled'] = true;
 | be upgraded / downgraded to.
 |
 */
-$config['migration_version'] = 10;
+$config['migration_version'] = 11;
 
 
 /*
diff --git a/application/controllers/file.php b/application/controllers/file.php
index cb925f461..bb06e17d4 100644
--- a/application/controllers/file.php
+++ b/application/controllers/file.php
@@ -264,7 +264,7 @@ class File extends MY_Controller {
 				"lexer" => $lexer
 			));
 			$this->session->set_flashdata("uri", "file/claim_id");
-			$this->muser->require_access("apikey");
+			$this->muser->require_access("basic");
 		}
 
 		foreach ($ids as $id) {
@@ -630,7 +630,7 @@ class File extends MY_Controller {
 		// stateful clients get a cookie to claim the ID later
 		// don't force them to log in just yet
 		if (!stateful_client()) {
-			$this->muser->require_access("apikey");
+			$this->muser->require_access("basic");
 		}
 
 		$ids = array();
diff --git a/application/controllers/user.php b/application/controllers/user.php
index bf6c44a86..f11baba74 100644
--- a/application/controllers/user.php
+++ b/application/controllers/user.php
@@ -79,7 +79,16 @@ class User extends MY_Controller {
 
 		$userid = $this->muser->get_userid();
 		$comment = $this->input->post("comment");
+		$access_level = $this->input->post("access_level");
 
+		if ($access_level === false) {
+			$access_level = "apikey";
+		}
+
+		$valid_levels = $this->muser->get_access_levels();
+		if (array_search($access_level, $valid_levels) === false) {
+			show_error("Invalid access levels requested.");
+		}
 
 		if (strlen($comment) > 255) {
 			show_error("Comment may only be 255 chars long.");
@@ -89,9 +98,9 @@ class User extends MY_Controller {
 
 		$this->db->query("
 			INSERT INTO `apikeys`
-			(`key`, `user`, `comment`)
-			VALUES (?, ?, ?)
-		", array($key, $userid, $comment));
+			(`key`, `user`, `comment`, `access_level`)
+			VALUES (?, ?, ?, ?)
+		", array($key, $userid, $comment, $access_level));
 
 		if (static_storage("response_type") == "json") {
 			return send_json_reply(array("new_key" => $key));
@@ -127,7 +136,7 @@ class User extends MY_Controller {
 		$userid = $this->muser->get_userid();
 
 		$query = $this->db->query("
-			SELECT `key`, UNIX_TIMESTAMP(`created`) `created`, `comment`
+			SELECT `key`, UNIX_TIMESTAMP(`created`) `created`, `comment`, `access_level`
 			FROM `apikeys`
 			WHERE `user` = ? order by created desc
 			", array($userid))->result_array();
diff --git a/application/migrations/011_apikeys_add_access_level.php b/application/migrations/011_apikeys_add_access_level.php
new file mode 100644
index 000000000..e0f39317b
--- /dev/null
+++ b/application/migrations/011_apikeys_add_access_level.php
@@ -0,0 +1,19 @@
+<?php
+defined('BASEPATH') OR exit('No direct script access allowed');
+
+class Migration_apikeys_add_access_level extends CI_Migration {
+
+	public function up()
+	{
+		$this->db->query("
+			alter table `apikeys` add `access_level` varchar(255) default 'apikey';
+		");
+	}
+
+	public function down()
+	{
+		$this->db->query("
+			alter table `apikeys` drop `access_level`;
+		");
+	}
+}
diff --git a/application/models/muser.php b/application/models/muser.php
index 7a3627b18..a1d8f18e5 100644
--- a/application/models/muser.php
+++ b/application/models/muser.php
@@ -11,6 +11,9 @@ class Muser extends CI_Model {
 
 	private $default_upload_id_limits = "3-6";
 
+	// last level has the most access
+	private $access_levels = array("basic", "apikey", "full");
+
 	function __construct()
 	{
 		parent::__construct();
@@ -95,7 +98,7 @@ class Muser extends CI_Model {
 		$apikey = trim($apikey);
 
 		$query = $this->db->query("
-			SELECT a.user userid
+			SELECT a.user userid, a.access_level
 			FROM apikeys a
 			WHERE a.key = ?
 			", array($apikey))->row_array();
@@ -105,7 +108,7 @@ class Muser extends CI_Model {
 				'logged_in' => true,
 				'username' => '',
 				'userid' => $query["userid"],
-				'access_level' => 'apikey',
+				'access_level' => $query["access_level"],
 			));
 			return true;
 		}
@@ -145,15 +148,17 @@ class Muser extends CI_Model {
 		return $this->duser->get_email($userid);
 	}
 
+	public function get_access_levels()
+	{
+		return $this->access_levels;
+	}
+
 	private function check_access_level($wanted_level)
 	{
 		$session_level = $this->session->userdata("access_level");
 
-		// last level has the most access
-		$levels = array("apikey", "full");
-
-		$wanted = array_search($wanted_level, $levels);
-		$have = array_search($session_level, $levels);
+		$wanted = array_search($wanted_level, $this->access_levels);
+		$have = array_search($session_level, $this->access_levels);
 
 		if ($wanted === false || $have === false) {
 			show_error("Failed to determine access level");
diff --git a/application/views/user/apikeys.php b/application/views/user/apikeys.php
index 872eb9ef0..2b6934c6d 100644
--- a/application/views/user/apikeys.php
+++ b/application/views/user/apikeys.php
@@ -7,6 +7,7 @@
 				<th>Key</th>
 				<th style="width: 30%;">Comment</th>
 				<th>Created on</th>
+				<th>Access</th>
 				<th></th>
 			</tr>
 		</thead>
@@ -18,10 +19,16 @@
 					<td><?php echo $item["key"]; ?></td>
 					<td><?php echo htmlentities($item["comment"]); ?></td>
 					<td><?php echo date("Y/m/d H:i", $item["created"]); ?></td>
+					<td>
+						<?php if ($item["access_level"] == "full"): ?>
+							<span class="glyphicon glyphicon-warning-sign"></span>
+						<?php endif; ?>
+						<?php echo $item["access_level"]; ?>
+					</td>
 					<td>
 						<?php echo form_open("user/delete_apikey", array("style" => "margin-bottom: 0")); ?>
-						<?php echo form_hidden("key", $item["key"]); ?>
-						<button class="btn btn-danger btn-xs" type="submit">Delete</input>
+							<?php echo form_hidden("key", $item["key"]); ?>
+							<button class="btn btn-danger btn-xs" type="submit">Delete</input>
 						</form>
 					</td>
 				</tr>
@@ -30,9 +37,24 @@
 	</table>
 </div>
 
+<h3>Access levels:</h3>
+
+<dl class="dl-horizontal">
+	<dt>basic</dt>
+	<dd>Allows uploading files.</dd>
+	<dt>apikey</dt>
+	<dd>Allows removing existing files and viewing the history. Includes <code>basic</code>.</dd>
+	<dt>full</dt>
+	<dd>Allows everything, including, but not limited to, creating and removing api keys, changing profile settings and creating invitation keys. Includes <code>apikey</code>.</dd>
+
 <p>
 	<?php echo form_open('user/create_apikey', array("class" => "form-inline")); ?>
 	<input type="text" name="comment" placeholder="Comment" class="form-control" style="width: 200px;"/>
+	<select name="access_level" class="form-control" style="width: 100px;">
+		<option>basic</option>
+		<option selected="selected">apikey</option>
+		<option>full</option>
+	</select>
 	<input class="btn btn-primary" type="submit" value="Create a new key" name="process" />
 </form>
 </p>
-- 
cgit v1.2.3-24-g4f1b