From c8183fbbbf757033ef14eb6c7b27129b5bf9b1a2 Mon Sep 17 00:00:00 2001
From: Michael Kaufmann
Date: Thu, 30 Jun 2022 14:53:58 +0200
Subject: [PATCH] avoid accessing api_keys page if not allowed for loggedin user

Signed-off-by: Michael Kaufmann
---
 api_keys.php | 10 ++++++++++
 templates/Froxlor/userarea.html.twig | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/api_keys.php b/api_keys.php
index fe9ed76e..023f5ee2 100644
--- a/api_keys.php
+++ b/api_keys.php
@@ -34,6 +34,16 @@ use Froxlor\UI\HTML;
 use Froxlor\UI\Listing;
 use Froxlor\UI\Panel\UI;
 use Froxlor\UI\Request;
+use Froxlor\UI\Response;
+
+// redirect if this customer has no permission for API usage
+if ($userinfo['adminsession'] == 0 && $userinfo['api_allowed'] == 0) {
+	Response::redirectTo('customer_index.php');
+}
+// redirect if this admin has no permission for API usage
+if ($userinfo['adminsession'] == 1 && $userinfo['api_allowed'] == 0) {
+	Response::redirectTo('admin_index.php');
+}
 
 // This file is being included in admin_index and customer_index
 // and therefore does not need to require lib/init.php
diff --git a/templates/Froxlor/userarea.html.twig b/templates/Froxlor/userarea.html.twig
index 8edcc03c..1b7de701 100644
--- a/templates/Froxlor/userarea.html.twig
+++ b/templates/Froxlor/userarea.html.twig
@@ -79,7 +79,7 @@
 {{ lng('panel.theme') }}
 {% endif %}
-{% if get_setting('api.enabled') == 1 %}
+{% if get_setting('api.enabled') == 1 and userinfo.api_allowed == 1 %}
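Review bot: The access gate in the two added `if` blocks in api_keys.php is only effective if `Response::redirectTo()` never returns; if it merely sends a `Location` header, the remainder of api_keys.php still executes for a user without API permission and the redirect is cosmetic, so confirm that it terminates the request or add an explicit `exit;` after each call. Both branches test the same `$userinfo['api_allowed'] == 0` and differ only in the target, so a single condition with `Response::redirectTo($userinfo['adminsession'] == 1 ? 'admin_index.php' : 'customer_index.php');` removes the duplication. The loose `== 0` also matches a missing or null `api_allowed` entry, which is fail-closed here but worth stating in the comment, e.g. `// a missing/null api_allowed is treated as "not allowed"`. The userarea.html.twig change only hides the menu entry; this server-side check is the control that actually restricts access, so it should not depend on the template being in sync.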
  • {{ lng('menue.main.apikeys') }}