Check operator more carefully on API

2026-03-22 02:14:13 +00:00 · 2025-12-13 07:27:04 +00:00
parent d12d991aa2
commit d22238ba74
2 changed files with 40 additions and 2 deletions
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -224,6 +224,7 @@ class API extends CI_Controller {
 		$this->load->model('api_model');

 		$this->load->model('stations');
+		$this->load->model('club_model');

 		if (!$this->load->is_loaded('Qra')) {
 			$this->load->library('Qra');
@@ -252,6 +253,7 @@ class API extends CI_Controller {

 		$userid = $this->api_model->key_userid($obj['key']);
 		$created_by = $this->api_model->key_created_by($obj['key']);
+		$club_perm = $this->club_model->get_permission_noui($userid,$created_by);

 		/**
 		 * As the API key user could use it also for clubstations we need to do an additional check here. Only if clubstations are enabled
@@ -260,12 +262,11 @@ class API extends CI_Controller {
 		 * If the user is not the creator of the API key, it's likely a clubstation. In this case the callsign of the clubstation
 		 * can not be the same as the callsign of the user (operator call provided by the user). If this is the case, we need to use the callsign of the creator of the API key
 		 */
-		$real_operator = null;
+		$real_operator = null;	// real_operator is only filled if its a clubstation and the used key is created by an OP. otherwise its null
 		if ($this->config->item('special_callsign')) {
 			if ($userid != $created_by) {
 				$this->load->model('user_model');
 				$real_operator = $this->user_model->get_by_id($created_by)->row()->user_callsign;
-				// TODO: It would be possible to check here if operator is allowed to use the clubstation, but this can be added later if needed
 			} else {
 				$real_operator = null;
 			}
@@ -327,6 +328,11 @@ class API extends CI_Controller {
 						$record['operator'] = $real_operator;
 					}

+					// in case the caller is an OP for a clubstation (real_operator is filled - see above) and the OP only has level 3 or 6 - take the OP from real_operator!
+					if ($real_operator != null && ((($club_perm ?? 0) == 3) || (($club_perm ?? 0) == 6))) {
+						$record['operator'] = $real_operator;
+					}
+
 					if ((key_exists('gridsquare',$record)) && (($mygrid ?? '') != '') && (($record['gridsquare'] ?? '') != '') && (!(key_exists('distance',$record)))) {
 						$record['distance'] = $this->qra->distance($mygrid, $record['gridsquare'], 'K');
 					}
--- a/application/models/Club_model.php
+++ b/application/models/Club_model.php
@@ -56,6 +56,38 @@ class Club_model extends CI_Model {
        return false;
    }

+    /**
+     * Get Permissionlevel for User in Club in a real model-way without UI
+     * 
+     * @param int $club_id
+     * @param int $user_id
+     * 
+     * @return int
+     */
+    function get_permission_noui($club_id, $user_id) {
+
+        if ($club_id == 0 || !is_numeric($club_id)) {
+		return 0;
+        }
+
+        if ($user_id == 0 || !is_numeric($user_id)) {
+		return 0;
+        }
+
+        $binding = [];
+        $sql = 'SELECT p_level FROM `club_permissions` WHERE user_id = ? AND club_id = ?';
+        $binding[] = $user_id;
+        $binding[] = $club_id;
+
+        $query = $this->db->query($sql, $binding);
+
+        if ($query->num_rows() > 0) {
+            return $query->row()->p_level;
+        } else {
+            return 0;
+        }
+    }
+
    /**
     * Get Permissionlevel for User in Club
     *