
Add authentication to ajax.php

Cerothen 9 ani în urmă
părinte
comite
c9f57f45df
3 a modificat fișierele cu 19 adăugiri și 5 ștergeri
  1. 1 0
      .gitignore
  2. 2 5
      ajax.php
  3. 16 0
      functions.php

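--- a/.gitignore
+++ b/.gitignore
@@ -57,6 +57,7 @@ _config.yml
 test.php
 users.db
 config/config.php
+config/config.bak.php
 config/users/
 config/users
 config/users.db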

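--- a/ajax.php
+++ b/ajax.php
@@ -8,11 +8,6 @@ upgradeCheck();
 // Lazyload settings
 $databaseConfig = configLazy('config/config.php');
 
-// Authorization
-	# Check if user is currently active and allowed to access resource
-	//require_once("user.php");
-	# ^^ I think adding this does that?
-	
 // Get Action
 if (isset($_POST['submit'])) { $action = $_POST['submit']; }
 if (isset($_POST['action'])) { $action = $_POST['action']; }
@@ -52,6 +47,8 @@ switch ($_SERVER['REQUEST_METHOD']) {
 		}
 		break;
 	case 'POST':
+		// Check if the user is an admin and is allowed to commit values
+		qualifyUser('admin', true);
 		switch ($action) {
 			case 'upload-images':
 				uploadFiles('images/', array('jpg', 'png', 'svg', 'jpeg', 'bmp'));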
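Review bot: The result of `qualifyUser('admin', true)` on the new line in the POST branch is discarded, so whether an unauthorized request is stopped depends entirely on `debug_out('Not Authorized', 1)` in functions.php ending the request; if it only prints, `qualifyUser` falls off the end returning null and the inner `switch ($action)` still runs the upload and other handlers. Guard on the return value so the check fails closed regardless of what `debug_out` does: `if (qualifyUser('admin', true) !== true) { exit; }`. The same concern applies to the new `qualifyUser` body in the functions.php section. The GET case ending just above the insertion point gets no check in this commit; whether it serves anything sensitive is outside the hunk. The enclosing `switch ($_SERVER['REQUEST_METHOD'])` begins and ends outside the hunk.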

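--- a/functions.php
+++ b/functions.php
@@ -1012,6 +1012,22 @@ function resolveSelectOptions($array, $selected = '') {
 	return implode('',$output);
 }
 
+// Check if user is allowed to continue
+function qualifyUser($type, $errOnFail = false) {
+	if (!isset($GLOBALS['USER'])) {
+		require_once("user.php");
+		$GLOBALS['USER'] = new User('registration_callback');
+	}
+	
+	$authorized = ($GLOBALS['USER']->authenticated && $GLOBALS['USER']->role == $type);
+	
+	if (!$authorized && $errOnFail) {
+		debug_out('Not Authorized' ,1);
+	} else {
+		return $authorized;
+	}
+}
+
 // ==============
 
 function clean($strin) {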
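Review bot: The role test in `$authorized` uses loose `==` for `$GLOBALS['USER']->role == $type`, and `authenticated` is only truthiness-checked, so a role or flag that is not a plain string (for example a boolean `true`, which compares equal to any non-empty string under `==`) can satisfy an unintended `$type`; use strict comparison: `$authorized = ($GLOBALS['USER']->authenticated === true && $GLOBALS['USER']->role === $type);`. The failure branch also has no return, so if `debug_out('Not Authorized' ,1)` does not terminate the script the function yields null and a caller that ignores the result keeps going; put `return $authorized;` after the `if` and drop the `else` so every path returns a bool. Whether `debug_out` with its second argument exits is not visible on this page. A short docblock above the function stating that `$errOnFail` reports the failure through `debug_out` and that callers must still act on the boolean result would make the contract explicit.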
+
 // ==============
 
 function clean($strin) {