
Unauthenticated users can read debug area info (#1086)
Added a check that only allows local calls unless an API key is supplied

causefx 7 years ago
parent
commit
c75a71ed91
2 changed files with 21 additions and 0 deletions
  1. 16 0
      api/functions/organizr-functions.php
  2. 5 0
      api/index.php

+ 16 - 0
api/functions/organizr-functions.php

@@ -370,6 +370,22 @@ function qualifyRequest($accessLevelNeeded)
 	}
 }
 
+function isApprovedRequest()
+{
+	$requesterToken = isset(getallheaders()['Token']) ? getallheaders()['Token'] : (isset($_GET['apikey']) ? $_GET['apikey'] : false);
+	// Check token or API key
+	// If API key, return 0 for admin
+	if (strlen($requesterToken) == 20 && $requesterToken == $GLOBALS['organizrAPI']) {
+		//DO API CHECK
+		return true;
+	} elseif (isset($_SERVER['HTTP_REFERER'])) {
+		if ($_SERVER['HTTP_REFERER'] == getServerPath(false)) {
+			return true;
+		}
+	}
+	return false;
+}
+
 function getUserLevel()
 {
 	// Grab token
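Review bot: The `elseif` branch of isApprovedRequest() trusts `$_SERVER['HTTP_REFERER']`, a header the client sets freely, so any unauthenticated caller can pass this gate by sending `Referer: <value of getServerPath(false)>`; it does not enforce "local call only" and leaves the debug path from #1086 reachable. That branch should be replaced by a real session/token authorisation check — presumably the one getUserLevel() (whose body is outside this hunk) already performs on the `Token` header — or at minimum be documented as a same-origin hint rather than an auth control. The API-key branch compares secrets with loose `==`, which is subject to PHP string-to-number juggling and is not timing-safe; use `if (is_string($requesterToken) && hash_equals((string)$GLOBALS['organizrAPI'], $requesterToken)) {` instead of the `strlen() == 20 && ==` test. The comment `// If API key, return 0 for admin` does not match the function, which returns `true`; change it to `// A valid API key approves the request outright`.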

+ 5 - 0
api/index.php

@@ -15,6 +15,11 @@ if ($function === false) {
 	$result['statusText'] = "No API Path Supplied";
 	exit(json_encode($result));
 }
+if (isApprovedRequest() === false) {
+	$result['status'] = "error";
+	$result['statusText'] = "Not Authorized";
+	exit(json_encode($result));
+}
 $result['request'] = key($_GET);
 $result['params'] = $_POST;
 switch ($function) {
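Review bot: The "Not Authorized" reply is sent with the default 200 status because `exit(json_encode($result))` never sets one, so HTTP clients and monitoring cannot distinguish a rejected call from a successful one; add `http_response_code(401);` immediately before the `exit`. Because isApprovedRequest() accepts a client-supplied Referer as proof of a local call, this gate alone does not stop an unauthenticated caller from reaching any `$function` handled by the switch below; the real protection has to come from the per-function access-level checks (qualifyRequest() is visible in the other file). Note also that the gate now applies to every API path, and the exact-match Referer comparison may reject legitimate browser calls whose Referer carries a page path or query string — worth confirming against the front end. The `switch ($function)` body continues outside the hunk.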