diff --git a/src/FederationServer/Methods/Operators/DeleteOperator.php b/src/FederationServer/Methods/Operators/DeleteOperator.php index 6b8b895..38ce63e 100644 --- a/src/FederationServer/Methods/Operators/DeleteOperator.php +++ b/src/FederationServer/Methods/Operators/DeleteOperator.php @@ -26,20 +26,26 @@ throw new RequestException('Unauthorized: Insufficient permissions to delete operators', 403); } - if(!FederationServer::getParameter('uuid')) + if(!preg_match('#^/operators/([a-fA-F0-9\-]{36,})/delete$#', FederationServer::getPath(), $matches)) { - throw new RequestException('Bad Request: Operator UUID is required', 400); + throw new RequestException('Operator UUID required', 400); + } + + $operatorUuid = $matches[1]; + if(!$operatorUuid) + { + throw new RequestException('Operator UUID required', 400); } try { - $existingOperator = OperatorManager::getOperator(FederationServer::getParameter('uuid')); + $existingOperator = OperatorManager::getOperator($operatorUuid); if($existingOperator === null) { throw new RequestException('Operator Not Found', 404); } - OperatorManager::deleteOperator(FederationServer::getParameter('uuid')); + OperatorManager::deleteOperator($operatorUuid); AuditLogManager::createEntry(AuditLogType::OPERATOR_DELETED, sprintf('Operator %s (%s) deleted by %s (%s)', $existingOperator->getName(), $existingOperator->getUuid(), diff --git a/src/FederationServer/Methods/Operators/EnableOperator.php b/src/FederationServer/Methods/Operators/EnableOperator.php index f2d51f7..d58f0d5 100644 --- a/src/FederationServer/Methods/Operators/EnableOperator.php +++ b/src/FederationServer/Methods/Operators/EnableOperator.php @@ -26,7 +26,13 @@ throw new RequestException('Unauthorized: Insufficient permissions to enable/disable operators', 403); } - if(!FederationServer::getParameter('uuid')) + if(!preg_match('#^/operators/([a-fA-F0-9\-]{36,})/enable$#', FederationServer::getPath(), $matches)) + { + throw new RequestException('Bad Request: Operator UUID is required', 400); + } + + $operatorUuid = $matches[1]; + if(!$operatorUuid) { throw new RequestException('Bad Request: Operator UUID is required', 400); } @@ -44,7 +50,7 @@ try { - $existingOperator = OperatorManager::getOperator(FederationServer::getParameter('uuid')); + $existingOperator = OperatorManager::getOperator($operatorUuid); if($existingOperator === null) { throw new RequestException('Operator Not Found', 404); @@ -52,7 +58,7 @@ if($enabled) { - OperatorManager::enableOperator(FederationServer::getParameter('uuid')); + OperatorManager::enableOperator($operatorUuid); AuditLogManager::createEntry(AuditLogType::OPERATOR_ENABLED, sprintf('Operator %s (%s) enabled by %s (%s)', $existingOperator->getName(), $existingOperator->getUuid(), @@ -62,7 +68,7 @@ } else { - OperatorManager::disableOperator(FederationServer::getParameter('uuid')); + OperatorManager::disableOperator($operatorUuid); AuditLogManager::createEntry(AuditLogType::OPERATOR_DISABLED, sprintf('Operator %s (%s) disabled by %s (%s)', $existingOperator->getName(), $existingOperator->getUuid(), diff --git a/src/FederationServer/Methods/Operators/ManageBlacklistPermission.php b/src/FederationServer/Methods/Operators/ManageBlacklistPermission.php index 7b0689c..959ad63 100644 --- a/src/FederationServer/Methods/Operators/ManageBlacklistPermission.php +++ b/src/FederationServer/Methods/Operators/ManageBlacklistPermission.php @@ -23,13 +23,14 @@ throw new RequestException('Unauthorized: Insufficient permissions manage permissions', 403); } - $operatorUuid = FederationServer::getParameter('uuid'); - $enabled = (bool)filter_var(FederationServer::getParameter('enabled'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); - if($operatorUuid === null) + if(!preg_match('#^/operators/([a-fA-F0-9\-]{36,})/manage_blacklist$#', FederationServer::getPath(), $matches)) { throw new RequestException('Bad Request: Missing required parameters', 400); } + $operatorUuid = $matches[1]; + $enabled = (bool)filter_var(FederationServer::getParameter('enabled'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); + if(!Validate::uuid($operatorUuid)) { throw new RequestException('Bad Request: Invalid operator UUID', 400); diff --git a/src/FederationServer/Methods/Operators/ManageClientPermission.php b/src/FederationServer/Methods/Operators/ManageClientPermission.php index 979de48..0353dcd 100644 --- a/src/FederationServer/Methods/Operators/ManageClientPermission.php +++ b/src/FederationServer/Methods/Operators/ManageClientPermission.php @@ -23,13 +23,13 @@ throw new RequestException('Unauthorized: Insufficient permissions manage permissions', 403); } - $operatorUuid = FederationServer::getParameter('uuid'); - $enabled = (bool)filter_var(FederationServer::getParameter('enabled'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); - if($operatorUuid === null) + if(!preg_match('#^/operators/([a-fA-F0-9\-]{36,})/manage_client$#', FederationServer::getPath(), $matches)) { throw new RequestException('Bad Request: Missing required parameters', 400); } + $operatorUuid = $matches[1]; + $enabled = (bool)filter_var(FederationServer::getParameter('enabled'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); if(!Validate::uuid($operatorUuid)) { throw new RequestException('Bad Request: Invalid operator UUID', 400); diff --git a/src/FederationServer/Methods/Operators/ManageOperatorsPermission.php b/src/FederationServer/Methods/Operators/ManageOperatorsPermission.php index ba4f2e7..9ce5cca 100644 --- a/src/FederationServer/Methods/Operators/ManageOperatorsPermission.php +++ b/src/FederationServer/Methods/Operators/ManageOperatorsPermission.php @@ -23,13 +23,14 @@ throw new RequestException('Unauthorized: Insufficient permissions manage permissions', 403); } - $operatorUuid = FederationServer::getParameter('uuid'); - $enabled = (bool)filter_var(FederationServer::getParameter('enabled'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); - if($operatorUuid === null) + if(!preg_match('#^/operators/([a-fA-F0-9\-]{36,})/manage_operators$#', FederationServer::getPath(), $matches)) { throw new RequestException('Bad Request: Missing required parameters', 400); } + $operatorUuid = $matches[1]; + $enabled = (bool)filter_var(FederationServer::getParameter('enabled'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); + if(!Validate::uuid($operatorUuid)) { throw new RequestException('Bad Request: Invalid operator UUID', 400); diff --git a/src/FederationServer/Methods/Operators/RefreshOperatorApiKey.php b/src/FederationServer/Methods/Operators/RefreshOperatorApiKey.php index 7196f4a..869af0d 100644 --- a/src/FederationServer/Methods/Operators/RefreshOperatorApiKey.php +++ b/src/FederationServer/Methods/Operators/RefreshOperatorApiKey.php @@ -18,11 +18,12 @@ { $authenticatedOperator = FederationServer::getAuthenticatedOperator(); - $operatorUuid = FederationServer::getParameter('uuid'); - if($operatorUuid !== null) + $operatorUuid = null; + if(preg_match('#^/operators/([a-fA-F0-9\-]{36,})/refresh$#', FederationServer::getPath(), $matches)) { - // Ensure the authenticated operator has permission to delete operators. - if(!$authenticatedOperator->canManageOperators()) + $operatorUuid = $matches[1]; + // Ensure the authenticated operator has permission to refresh other operators' API keys. + if($operatorUuid !== $authenticatedOperator->getUuid() && !$authenticatedOperator->canManageOperators()) { throw new RequestException('Unauthorized: Insufficient permissions to refresh other operators API keys', 403); }