Controller: Add access check to Dispatcher

This commit adds a top level Controller to provide ability to check if
the caller has access.

Author: protich

bootstrap.php

@@ -204,6 +204,7 @@ static function connect() {
     static function loadCode() {
         #include required files
         require_once INCLUDE_DIR.'class.util.php';
+        include_once INCLUDE_DIR.'class.controller.php';
         require_once INCLUDE_DIR.'class.translation.php';
         require_once(INCLUDE_DIR.'class.signal.php');
         require(INCLUDE_DIR.'class.model.php');

include/class.ajax.php

@@ -24,7 +24,8 @@ class.ajax.php
  * call controller should inherit from this class in order to maintain
  * consistency.
  */
-class AjaxController extends ApiController {
+class AjaxController extends Controller {
+
     function staffOnly() {
         global $thisstaff;
         if(!$thisstaff || !$thisstaff->isValid()) {

include/class.api.php

@@ -165,7 +165,7 @@ static function save($id, $vars, &$errors) {
  * API request.
  */
 
-class ApiController {
+class ApiController extends Controller {
 
     var $apikey;
 

include/class.controller.php

@@ -0,0 +1,55 @@
+<?php
+/*********************************************************************
+    class.controller.php
+
+    Peter Rotich
+    Copyright (c)  osTicket
+    http://www.osticket.com
+
+    Released under the GNU General Public License WITHOUT ANY WARRANTY.
+    See LICENSE.TXT for details.
+
+    vim: expandtab sw=4 ts=4 sts=4:
+**********************************************************************/
+abstract class Controller {
+    /*
+     * access
+     *
+     * This routine can be defined downstream to check if user has
+     * permission to call routines in the controller.
+     *
+     */
+    function access() {
+        return true;
+    }
+
+    /**
+     *  error & logging and response!
+     *
+     */
+    function exerr($code, $error='') {
+        global $ost;
+
+        if ($error && is_array($error))
+            $error = Format::array_implode(": ", "\n", $error);
+
+        //Log the error as a warning - include api key if available.
+        $msg = $error;
+        if ($_SERVER['HTTP_X_API_KEY'])
+            $msg.="\n*[".$_SERVER['HTTP_X_API_KEY']."]*\n";
+        $ost->logWarning(__('Error')." ($code)", $msg, false);
+
+        if (PHP_SAPI == 'cli') {
+            fwrite(STDERR, "({$code}) $error\n");
+        } else {
+            $this->response($code, $error); //Responder should exit...
+        }
+        return false;
+    }
+
+    //Default response method - can be overwritten in subclasses.
+    function response($code, $resp) {
+        Http::response($code, $resp);
+        exit();
+    }
+}

include/class.dispatcher.php

@@ -136,7 +136,13 @@ function dispatch($url, $prev_args=null) {
         if ($class) {
             # Create instance of the class, which is the first item,
             # then call the method which is the second item
-            $func = array(new $class, $func);
+            $class = new $class;
+            # Check access at the controller level
+            if (!$class->access())
+                 Http::response(403,  __('Access Denied!!!'));
+            # Create callable function, class is the first item,
+            # then call the method is the second item
+            $func = array($class, $func);
         }
 
         if (!is_callable($func))