avoid accessing api_keys page if not allowed for loggedin user

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

api_keys.php

@@ -34,6 +34,16 @@ use Froxlor\UI\HTML;
 use Froxlor\UI\Listing;
 use Froxlor\UI\Panel\UI;
 use Froxlor\UI\Request;
+use Froxlor\UI\Response;
+
+// redirect if this customer has no permission for API usage
+if ($userinfo['adminsession'] == 0 && $userinfo['api_allowed'] == 0) {
+	Response::redirectTo('customer_index.php');
+}
+// redirect if this admin has no permission for API usage
+if ($userinfo['adminsession'] == 1 && $userinfo['api_allowed'] == 0) {
+	Response::redirectTo('admin_index.php');
+}
 
 // This file is being included in admin_index and customer_index
 // and therefore does not need to require lib/init.php

templates/Froxlor/userarea.html.twig

@@ -79,7 +79,7 @@
 									<a class="dropdown-item" href="{{ linker({'section': 'index', 'page': 'change_theme'}) }}"><i class="fa-solid fa-image"></i> {{ lng('panel.theme') }}</a>
 								</li>
 							{% endif %}
-							{% if get_setting('api.enabled') == 1 %}
+							{% if get_setting('api.enabled') == 1 and userinfo.api_allowed == 1 %}
 								<li><hr class="dropdown-divider"></li>
 								<li>
 									<a class="dropdown-item" href="{{ linker({'section': 'index', 'page': 'apikeys'}) }}"><i class="fa-solid fa-key"></i> {{ lng('menue.main.apikeys') }}</a>