From cc0da3590f0c47ef05de28cddc6cfd02a2bfbb64 Mon Sep 17 00:00:00 2001
From: keplyx
Date: Thu, 13 Jun 2019 13:50:17 +0200
Subject: [PATCH] Added password protection to ajax requests and admin site
---
 .idea/jsLibraryMappings.xml | 2 +-
 .idea/site-accueil-insa.iml | 2 +
 admin/.htaccess | 6 ++-
 ajax/read/index.php | 51 +++++++++++++++++++++
 ajax/write/.htaccess | 5 ++
 admin/ajax_load.php => ajax/write/index.php | 38 +--------------
 assets/js/map.js | 2 +-
 assets/js/mapManager.js | 5 +-
 assets/js/planning.js | 2 +-
 assets/js/planningManager.js | 5 +-
 assets/js/statsDisplay.js | 2 +-
 assets/js/statsManager.js | 5 +-
 includes/.htpassajax | 2 +
 includes/.htpassurss | 1 -
 includes/.htpassusa | 1 -
 15 files changed, 76 insertions(+), 53 deletions(-)
 mode change 100755 => 100644 admin/.htaccess
 create mode 100644 ajax/read/index.php
 create mode 100644 ajax/write/.htaccess
 rename admin/ajax_load.php => ajax/write/index.php (51%)
 mode change 100755 => 100644
 create mode 100755 includes/.htpassajax
 delete mode 100755 includes/.htpassurss
 delete mode 100755 includes/.htpassusa
diff --git a/.idea/jsLibraryMappings.xml b/.idea/jsLibraryMappings.xml
index c2ce77e..66d6584 100644
--- a/.idea/jsLibraryMappings.xml
+++ b/.idea/jsLibraryMappings.xml
@@ -1,7 +1,7 @@
-
+
\ No newline at end of file
diff --git a/.idea/site-accueil-insa.iml b/.idea/site-accueil-insa.iml
index e17b7e6..9eb8c48 100644
--- a/.idea/site-accueil-insa.iml
+++ b/.idea/site-accueil-insa.iml
@@ -6,5 +6,7 @@
+
+
\ No newline at end of file
diff --git a/admin/.htaccess b/admin/.htaccess
old mode 100755
new mode 100644
index 5a928f6..e56c2b8
--- a/admin/.htaccess
+++ b/admin/.htaccess
@@ -1 +1,5 @@
-Options -Indexes
+AuthName "MDP ?"
+AuthType Basic
+#AuthUserFile /home/keplyx/Web/site-accueil-insa/includes/.htpassajax
+AuthUserFile /home_clubs/accueil_insa/public_html/includes/.htpassajax #production only
+require valid-user
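Review bot: The trailing `#production only` on the added `AuthUserFile` line is most likely a parse error rather than a comment: Apache only recognises `#` at the start of a line, so `AuthUserFile` would receive extra arguments and every request under admin/ would fail with a 500; put `#production only` on its own line above `AuthUserFile /home_clubs/accueil_insa/public_html/includes/.htpassajax`. The identical five lines are added to ajax/write/.htaccess further down and need the same fix. The rewrite also drops `Options -Indexes`, so once a user has authenticated, directory listings are no longer disabled in admin/; keep that line alongside the auth directives. The password file lives under public_html/, which only stays unreachable because Apache's default `<FilesMatch "^\.ht">` rule denies names beginning with `.ht` — confirm that rule is active on this host or move the file outside the document root. Basic auth transmits the credentials in a reversible encoding on every request, so admin/ and ajax/write/ should only be served over HTTPS.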
diff --git a/ajax/read/index.php b/ajax/read/index.php new file mode 100644 index 0000000..b28ee04 --- /dev/null +++ b/ajax/read/index.php @@ -0,0 +1,51 @@ +get_score_team($_GET['team'])); + } else { + show_error(); + } +} + +function get_map_info() { + if (isset($_GET['selector'])) { + header('Content-Type: application/json'); + $dao = new Dao('../'); + echo json_encode($dao->get_map_info($_GET['selector'])); + } else { + show_error(); + } +} + + +function get_activities_of_day() { + if (isset($_GET['day'])) { + header('Content-Type: application/json'); + $dao = new Dao('../'); + echo json_encode($dao->get_activities_of_day($_GET['day'])); + } else { + show_error(); + } +} + + + +function show_error() { + echo "Échec : "; + var_dump($_GET); +} \ No newline at end of file diff --git a/ajax/write/.htaccess b/ajax/write/.htaccess new file mode 100644 index 0000000..e56c2b8 --- /dev/null +++ b/ajax/write/.htaccess @@ -0,0 +1,5 @@ +AuthName "MDP ?" +AuthType Basic +#AuthUserFile /home/keplyx/Web/site-accueil-insa/includes/.htpassajax +AuthUserFile /home_clubs/accueil_insa/public_html/includes/.htpassajax #production only +require valid-user diff --git a/admin/ajax_load.php b/ajax/write/index.php old mode 100755 new mode 100644 similarity index 51% rename from admin/ajax_load.php rename to ajax/write/index.php index fad5cdb..c24ad52 --- a/admin/ajax_load.php +++ b/ajax/write/index.php @@ -1,18 +1,12 @@ get_score_team($_GET['team'])); - } else { - show_error(); - } -} - -function get_map_info() { - if (isset($_GET['selector'])) { - header('Content-Type: application/json'); - $dao = new Dao('../'); - echo json_encode($dao->get_map_info($_GET['selector'])); - } else { - show_error(); - } -} - function save_map_info() { if (isset($_GET['selector']) && isset($_GET['info'])) { $dao = new Dao('../'); 
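Review bot: `show_error()` at the end of the new file reflects the whole request back with `var_dump($_GET)` and sends no `Content-Type` header, so any request parameter is echoed into a response the browser renders as HTML — a reflected cross-site-scripting sink reachable from every missing-parameter branch in this file. Replace the body with a fixed message, e.g. `http_response_code(400); header('Content-Type: application/json'); echo json_encode(['error' => 'missing parameter']);`, and log the offending request server-side if the detail is needed. The `team`, `selector` and `day` values are passed straight into the `Dao` methods; whether those use prepared statements is not visible here, so validate them at this layer (for instance `ctype_digit($_GET['day'])` if days are numeric) before calling into the DAO. The opening of the file, presumably where `Dao` is loaded and the request is dispatched to these functions, was lost in extraction and could not be reviewed.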
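Review bot: The write handlers kept in this file, `save_map_info()` in the context lines here and `save_day_activities()` in the next hunk, still read their input from `$_GET`, while the new ajax/write/.htaccess makes the browser attach the Basic-auth credentials automatically to every request under that path; a state-changing GET that relies on ambient credentials is a cross-site request forgery exposure, because it can be triggered from any other site the authenticated admin visits. Switch these handlers to POST (`$_POST` on the server, `$.post` in the callers) and reject other methods with `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }`; a per-session CSRF token is the usual complement, though that is a larger change than this commit. The hunk's first lines, including the `<?php` opening and whatever follows it, were lost in extraction and are not reviewed here.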
@@ -58,16 +32,6 @@ function save_map_info() {
 }
 }
-function get_activities_of_day() {
- if (isset($_GET['day'])) {
- header('Content-Type: application/json');
- $dao = new Dao('../');
- echo json_encode($dao->get_activities_of_day($_GET['day']));
- } else {
- show_error();
- }
-}
-
 function save_day_activities() {
 if (isset($_GET['day']) && isset($_GET['entries'])) {
 $dao = new Dao('../');
diff --git a/assets/js/map.js b/assets/js/map.js
index e125d24..78ae610 100755
--- a/assets/js/map.js
+++ b/assets/js/map.js
@@ -17,7 +17,7 @@ function clicked(elem){
 'selector': get_name(elem.id),
 };
 return $.ajax({
- url: 'admin/ajax_load.php',
+ url: 'ajax/read',
 data: object,
 method: 'get'
 }).done(function (data) {
diff --git a/assets/js/mapManager.js b/assets/js/mapManager.js
index 454ae8b..1573fcd 100644
--- a/assets/js/mapManager.js
+++ b/assets/js/mapManager.js
@@ -1,4 +1,3 @@
-let ajaxurl = 'ajax_load.php';
 $(document).ready(function () {
 getMapInfo(getSelectedMap());
@@ -12,7 +11,7 @@ $(document).ready(function () {
 'info': info,
 };
 $.get(
- ajaxurl,
+ "../ajax/write",
 object,
 function (data) {
 alert(data);
@@ -34,7 +33,7 @@ function getMapInfo(selector) {
 'selector': selector,
 };
 $.get(
- ajaxurl,
+ "../ajax/read",
 object,
 function (data) {
 console.log(data);
diff --git a/assets/js/planning.js b/assets/js/planning.js
index 200a7ae..f6f4fa1 100755
--- a/assets/js/planning.js
+++ b/assets/js/planning.js
@@ -1,4 +1,4 @@
-let ajaxurl = 'admin/ajax_load.php';
+let ajaxurl = 'ajax/read';
 let tableWrapper = $('#tablePlanning');
diff --git a/assets/js/planningManager.js b/assets/js/planningManager.js
index 68a312b..1d74369 100644
--- a/assets/js/planningManager.js
+++ b/assets/js/planningManager.js
@@ -1,4 +1,3 @@
-let ajaxurl = 'ajax_load.php';
 let uniqueID = 0;
 let currentActivities = [];
@@ -143,7 +142,7 @@ function saveDayActivities() {
 "entries": currentActivities,
 };
 $.get(
- ajaxurl,
+ "../ajax/write",
 object,
 function (data) {
 alert(data);
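Review bot: `$.get("../ajax/write", ...)` in the `$(document).ready` hunk of mapManager.js sends a state-changing save as a GET; together with the Basic-auth protection the commit adds on ajax/write/, the browser attaches the admin's cached credentials to that request automatically, so it should be a POST — change the call to `$.post("../ajax/write", object, function (data) {` and have the server read `$_POST`. The same applies to the `saveDayActivities` hunk in planningManager.js and to the first `$.get` hunk in statsManager.js. The new URL is also relative to the page's location (`../ajax/write` only resolves from a page one level below the site root) and is written with double quotes where the rest of this file uses single quotes; a single shared constant, as planning.js still keeps in `ajaxurl`, would avoid both the repetition and the quote mismatch.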
@@ -157,7 +156,7 @@ function getDayActivities(day) {
 'day': day,
 };
 $.get(
- ajaxurl,
+ "../ajax/read",
 object,
 function (data) {
 currentActivities = data;
diff --git a/assets/js/statsDisplay.js b/assets/js/statsDisplay.js
index dc9afe2..bba8c3a 100644
--- a/assets/js/statsDisplay.js
+++ b/assets/js/statsDisplay.js
@@ -28,7 +28,7 @@ function showScores(team) {
 'team': team,
 };
 return $.ajax({
- url: 'admin/ajax_load.php',
+ url: "ajax/read",
 data: object,
 method: 'get'
 }).done(function (data) {
diff --git a/assets/js/statsManager.js b/assets/js/statsManager.js
index 7d29209..39b52cd 100755
--- a/assets/js/statsManager.js
+++ b/assets/js/statsManager.js
@@ -1,5 +1,4 @@
 let uniqueID = 0;
-let ajaxurl = 'ajax_load.php';
 let entryTemplate = '' +
@@ -24,7 +23,7 @@ $(document).ready(function () {
 "lines": lines,
 };
 $.get(
- ajaxurl,
+ "../ajax/write",
 object,
 function (data) {
 alert(data);
@@ -85,7 +84,7 @@ function getScores(team) {
 'team': team,
 };
 $.get(
- ajaxurl,
+ "../ajax/read",
 object,
 function (data) {
 for (let i = 0; i < data.length; i++) {
diff --git a/includes/.htpassajax b/includes/.htpassajax
new file mode 100755
index 0000000..c69aab6
--- /dev/null
+++ b/includes/.htpassajax
@@ -0,0 +1,2 @@
+admin:$apr1$kQeLzJ44$jOg93m9Vbz6FRkj.ViuIf.
+
diff --git a/includes/.htpassurss b/includes/.htpassurss
deleted file mode 100755
index 60433d8..0000000
--- a/includes/.htpassurss
+++ /dev/null
@@ -1 +0,0 @@
-urss:$apr1$be3lzprv$6ML9yz0HALe/oI9DRKEaw0
\ No newline at end of file
diff --git a/includes/.htpassusa b/includes/.htpassusa
deleted file mode 100755
index d245213..0000000
--- a/includes/.htpassusa
+++ /dev/null
@@ -1 +0,0 @@
-usa:$apr1$53morzy0$GxlXNPAdPtiin1/7/xQo4/
\ No newline at end of file
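Review bot: includes/.htpassajax commits a live credential hash to the repository, and the deleted .htpassurss and .htpassusa hashes remain recoverable from history, so all three passwords should be treated as exposed and rotated; keep the htpasswd file out of version control (add `includes/.htpass*` to .gitignore and create it on the server) rather than shipping it with the code. The hash uses the `$apr1$` scheme, an iterated-MD5 construction that is weak against offline guessing; regenerate it with `htpasswd -B` so Apache stores a bcrypt hash instead. The file is also added with mode 100755 although it is plain data; 0644 or tighter is enough for the web server to read it.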