Merge pull request wavelog#2680 from int2001/api_fence

int2001 · web-flow · commit cfbd67a94c90 · 2025-12-14T18:12:49.000+01:00
Check Club-Keys more carefully on API
diff --git a/application/controllers/Api.php b/application/controllers/Api.php
@@ -119,10 +119,23 @@ function auth($key = '') {
 
 	function create_station($key = '') {
 		$this->load->model('api_model');
+
 		if ($this->api_model->access($key) == "No Key Found" || $this->api_model->access($key) == "Key Disabled") {
 			$this->output->set_status_header(401)->set_content_type('application/json')->set_output(json_encode(['status' => 'error', 'message' => 'Auth Error, invalid key']));
 			return;
 		}
+
+		$this->load->model('club_model');
+		$userid = $this->api_model->key_userid($key);
+		$created_by = $this->api_model->key_created_by($key);
+		$club_perm = $this->club_model->get_permission_noui($userid,$created_by);
+		if ($userid != $created_by) { // We're dealing with a Club Member/Member ADIF or Clubofficer
+			if ((($club_perm ?? 0) == 3) || (($club_perm ?? 0) == 6)) { // Member or ADIF-Member? DENY
+				$this->output->set_status_header(401)->set_content_type('application/json')->set_output(json_encode(['status' => 'error', 'message' => 'Auth Error, not enough grants for this operation']));
+				return;
+			}
+		}
+
 		try {
 			$raw = file_get_contents("php://input");
 			if ($raw === false) {
@@ -149,8 +162,7 @@ function create_station($key = '') {
 			$this->output->set_status_header(500)->set_content_type('application/json')->set_output(json_encode(['status' => 'error', 'message' => 'Processing error: ' . $e->getMessage()]));
 		}
 		$this->load->model('stationsetup_model');
-		$user_id = $this->api_model->key_userid($key);
-		$imported = $this->stationsetup_model->import_locations_parse($locations,$user_id);
+		$imported = $this->stationsetup_model->import_locations_parse($locations,$userid);
 		if (($imported[0] ?? '0') == 'limit') {
 			$this->output->set_status_header(201)->set_content_type('application/json')->set_output(json_encode(['status' => 'success', 'message' => ($imported[1] ?? '0')." locations imported. Maximum limit of 1000 locations reached."]));
 		} else {
@@ -224,6 +236,7 @@ function qso($dryrun = false) {
 		$this->load->model('api_model');
 
 		$this->load->model('stations');
+		$this->load->model('club_model');
 
 		if (!$this->load->is_loaded('Qra')) {
 			$this->load->library('Qra');
@@ -252,6 +265,7 @@ function qso($dryrun = false) {
 
 		$userid = $this->api_model->key_userid($obj['key']);
 		$created_by = $this->api_model->key_created_by($obj['key']);
+		$club_perm = $this->club_model->get_permission_noui($userid,$created_by);
 
 		/**
 		 * As the API key user could use it also for clubstations we need to do an additional check here. Only if clubstations are enabled
@@ -260,12 +274,11 @@ function qso($dryrun = false) {
 		 * If the user is not the creator of the API key, it's likely a clubstation. In this case the callsign of the clubstation
 		 * can not be the same as the callsign of the user (operator call provided by the user). If this is the case, we need to use the callsign of the creator of the API key
 		 */
-		$real_operator = null;
+		$real_operator = null;	// real_operator is only filled if its a clubstation and the used key is created by an OP. otherwise its null
 		if ($this->config->item('special_callsign')) {
 			if ($userid != $created_by) {
 				$this->load->model('user_model');
 				$real_operator = $this->user_model->get_by_id($created_by)->row()->user_callsign;
-				// TODO: It would be possible to check here if operator is allowed to use the clubstation, but this can be added later if needed
 			} else {
 				$real_operator = null;
 			}
@@ -327,6 +340,11 @@ function qso($dryrun = false) {
 						$record['operator'] = $real_operator;
 					}
 
+					// in case the caller is an OP for a clubstation (real_operator is filled - see above) and the OP only has level 3 or 6 - take the OP from real_operator!
+					if ($real_operator != null && ((($club_perm ?? 0) == 3) || (($club_perm ?? 0) == 6))) {
+						$record['operator'] = $real_operator;
+					}
+
 					if ((key_exists('gridsquare',$record)) && (($mygrid ?? '') != '') && (($record['gridsquare'] ?? '') != '') && (!(key_exists('distance',$record)))) {
 						$record['distance'] = $this->qra->distance($mygrid, $record['gridsquare'], 'K');
 					}
diff --git a/application/models/Club_model.php b/application/models/Club_model.php
@@ -56,6 +56,38 @@ function club_authorize($level, $club_id, $user_id = NULL) {
         return false;
     }
 
+    /**
+     * Get Permissionlevel for User in Club in a real model-way without UI
+     * 
+     * @param int $club_id
+     * @param int $user_id
+     * 
+     * @return int
+     */
+    function get_permission_noui($club_id, $user_id) {
+
+        if ($club_id == 0 || !is_numeric($club_id)) {
+		return 0;
+        }
+
+        if ($user_id == 0 || !is_numeric($user_id)) {
+		return 0;
+        }
+
+        $binding = [];
+        $sql = 'SELECT p_level FROM `club_permissions` WHERE user_id = ? AND club_id = ?';
+        $binding[] = $user_id;
+        $binding[] = $club_id;
+
+        $query = $this->db->query($sql, $binding);
+
+        if ($query->num_rows() > 0) {
+            return $query->row()->p_level;
+        } else {
+            return 0;
+        }
+    }
+
     /**
      * Get Permissionlevel for User in Club
      * 
