mirror/zoneminder
1
0
Fork 0
mirror of https://github.com/ZoneMinder/zoneminder.git synced 2026-03-25 17:22:22 -04:00
Code Issues Packages Projects Releases Wiki Activity
27,125 Commits 80 Branches 104 Tags
ca22ae37375113fc3a20907ba09fe3cc64bdae4e
Commit Graph

116 Commits

Author SHA1 Message Date
Isaac Connor
60fbea3880 fix: security and code quality improvements in auth.php 
- Fix SQL injection vulnerability in migrateHash() by using prepared statements
- Add null/empty check in password_type() to prevent array access error
- Remove dead code branch in generateAuthHash() (unreachable $_SESSION check)
- Fix PHP version in error message (5.3 -> 5.5 for password_hash)
- Prevent username enumeration by using consistent error messages
- Fix spacing inconsistency in substr() call
- Add TODO comment about MD5 hash weakness

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-05 15:10:55 -05:00
Isaac Connor
4e60cb96a7 feat: add User Roles feature for reusable permission templates 
Add a User Roles system where roles define reusable permission templates.
When a user has a role assigned, the role provides fallback permissions
(user's direct permissions take precedence; role is used when user has 'None').

Database changes:
- Add User_Roles table with same permission fields as Users
- Add Role_Groups_Permissions table for per-role group overrides
- Add Role_Monitors_Permissions table for per-role monitor overrides
- Add RoleId foreign key to Users table

Permission resolution order:
1. User's direct Monitor/Group permissions (if not 'Inherit')
2. Role's Monitor/Group permissions (if user has role)
3. Role's base permission (if user's is 'None')
4. User's base permission (fallback)

Includes:
- PHP models: User_Role, Role_Group_Permission, Role_Monitor_Permission
- Role management UI in Options > Roles tab
- Role selector in user edit form
- REST API endpoints for roles CRUD
- Translation strings for en_gb

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-29 13:34:27 -05:00
Isaac Connor
50fbbb0154 When logging in by auth hash, clear old auth in session. 2026-01-04 18:27:14 -05:00
Isaac Connor
3957a212f8 Dont error when using auth_relay=none and there is no username in session 2025-11-10 13:47:50 -05:00
Isaac Connor
b1e7266319 Turn off debug 2025-09-06 11:38:50 -04:00
Isaac Connor
ca8a3048ed Turn off debug 2025-09-06 11:38:40 -04:00
Isaac Connor
b5e1d5e611 Fix invalid canEditMonitor call, simplify login in canView and canEdit to prefer per-monitor permissions 2024-03-05 14:02:01 -05:00
Isaac Connor
31af9d905c Still generate an auth if no password present. 2024-02-08 13:31:21 -05:00
Isaac Connor
0d6e7bc082 Add debugging to editableMonitor and handle when permission is set to Create. 2024-01-21 11:28:34 -05:00
Isaac Connor
31036ae9dd Users with Create permission should be able to view console 2024-01-03 16:41:56 -05:00
Isaac Connor
2d49e93405 Introduce a Create permission for Monitors, so that a given user may Edit existing monitors, but not create new ones. 2024-01-02 12:18:09 -05:00
Isaac Connor
9f04d90a27 When ZM_AUTH_HASH_IPS is off, don't use remote ip in storing auth hash in session. If ips are constantly changing it breaks. 2023-11-13 11:31:45 -05:00
Isaac Connor
c6a7fe949a Use different syntax for property access 2023-09-13 13:10:01 -04:00
Isaac Connor
8748d6a1cc Handle unset _SESSION['remoteAddr'] 2023-08-16 15:23:34 -04:00
Isaac Connor
91b4e299b9 Demote failed login to Warn instead of Error 2023-08-16 10:37:06 -04:00
Isaac Connor
8f9a4dc825 Use User object to get Monitor_Permission and Group_Permissions hoping it will be cached there. 2023-08-02 18:07:35 -04:00
Isaac Connor
81b9ac5efd Ignore inherit on monitor permission. We were returning true instead 2023-06-07 16:00:27 -04:00
Isaac Connor
00113208bf fix typo 2023-04-28 08:44:47 -04:00
Isaac Connor
c87316d3a1 Handle not being logged in 2023-04-24 10:13:45 -04:00
Isaac Connor
969baa3891 Convert user from an array to a User object 2023-04-23 12:57:29 -04:00
Isaac Connor
d5baadca84 Comment out debug 2023-04-02 16:10:24 -04:00
Isaac Connor
6c8a2ad05a add support for shortened user= pass= which is used in auth_relay=PLAIN 2023-03-22 08:06:02 -04:00
Isaac Connor
97879eab49 Fix missing s causing problems when Group permission set to None 2023-03-08 10:59:33 -05:00
Isaac Connor
2e58ea1a42 return false if not logged in in canView. defaultUser is global, need to tell it so. 2023-02-27 17:01:58 -05:00
Isaac Connor
9ceb22db8f Fix auth for monitor_permissions... 2023-02-25 16:00:34 -05:00
Isaac Connor
bf810ec8c4 test for existence of username in session to prevent error outputs 2023-02-20 10:20:59 -05:00
Isaac Connor
1a8a84da96 Remove debug when relay not hashed 2023-02-15 15:02:22 -05:00
Isaac Connor
40e7f8a517 Handle SESSION[password] not being set which happens when you switch AUTH_RELAY to plain. 2023-02-14 17:10:58 -05:00
Isaac Connor
97e464b342 Comment out debugging 2022-11-15 14:17:30 -05:00
Isaac Connor
3c36233dd8 Put in all the new logic for visibleMonitor and editableMonitor referencing Monitor_Permissions and Group_Permissions 2022-11-02 13:25:53 -04:00
Isaac Connor
2ee142813e start to rough in an editable monitor function 2022-11-02 12:37:47 -04:00
Isaac Connor
5734e38f52 Add group permission checking to visibleMonitor 2022-11-02 12:36:42 -04:00
Isaac Connor
d00536915e Move getting time into the scope where it is used 2022-11-02 10:07:01 -04:00
Isaac Connor
5c8343f737 remoteAddr is set when session is opened. So no need to do it in auth. session_clear closes the session so no need to close it first 2022-10-17 17:23:45 -04:00
Isaac Connor
2329dda323 Merge pull request #3609 from connortechnology/fix_non_post_auth 
Move relevant code out of includes/actions/auth.php into includs/auth…
 2022-10-14 14:09:09 -04:00
Isaac Connor
9fc0d26d32 If we don't have session, we can still generate an auth hash. We kinda need this for zmu calls from API 2022-09-28 18:35:59 -04:00
megasaturnv
8fb6477820 Case insensitive login - Fix spacing ZoneMinder/zoneminder#3516 2022-09-21 16:47:16 +01:00
Isaac Connor
b4fc5abe95 Failure to auth by hash is common, the end result is a redirect to login page. Change the log level to INF 2022-09-13 17:59:53 -04:00
megasaturnv
6c4fb3e2cd Moved case-insensitive username checks to SQL 2022-09-05 15:43:53 +01:00
megasaturnv
d80026cab1 Fix typo 2022-09-05 15:29:23 +01:00
megasaturnv
6c0f40f570 Renamed ZM_AUTH_CASE_INSENSITIVE_USERNAMES to ZM_CASE_INSENSITIVE_USERNAMES as name was too long ZoneMinder/zoneminder#3516 2022-09-02 12:03:47 +01:00
megasaturnv
63e5b63eec Added option ZM_AUTH_CASE_INSENSITIVE_USERNAMES to match mixed case usernames to lower case usernames in database ZoneMinder/zoneminder#3516 2022-09-02 11:58:02 +01:00
Isaac Connor
0b4c35c58e Merge pull request #3241 from connortechnology/fix_3239 
Fix 3239
 2021-05-19 20:39:42 -04:00
Isaac Connor
7901950c48 spacing 2021-04-26 09:40:08 -04:00
Isaac Connor
37e0f010e3 Require session to be instantiated 2021-04-23 09:08:48 -04:00
Isaac Connor
6c4e423a8b Spacing 2021-03-30 18:20:31 -04:00
Isaac Connor
5482d3b3d5 Quiet error when calling logout when already logged out 2020-12-09 17:56:27 -05:00
Isaac Connor
63e36340c6 Remove extra } 2020-12-08 11:26:52 -05:00
Isaac Connor
bfe5bb0249 Include code to handle when we are already logged in but trying to auth with a mismatched auth_hash 2020-12-08 11:19:22 -05:00
Isaac Connor
b4aacde5bf Remove debug. Auth is pretty solid these days 2020-11-10 13:15:46 -05:00