From 563554dae52c72a95ea504fa3323dbf41e1d5300 Mon Sep 17 00:00:00 2001
From: Andreas <6977712+AndreasK79@users.noreply.github.com>
Date: Thu, 15 Jun 2023 08:12:57 +0200
Subject: [PATCH 1/2] [API] Added extra check for station_id

---
 application/controllers/Api.php | 10 ++++++++++
 application/models/Stations.php | 11 +++++++++++
 2 files changed, 21 insertions(+)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index a31d3a5c..df547f97 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -423,6 +423,8 @@ class API extends CI_Controller {
 $this->load->model('api_model');
+ $this->load->model('stations');
+
 // Decode JSON and store
 $obj = json_decode(file_get_contents("php://input"), true);
 if ($obj === NULL) {
@@ -436,6 +438,14 @@ class API extends CI_Controller {
 die();
 }
+ $userid = $this->api_model->key_userid($obj['key']);
+
+ if(!isset($obj['station_profile_id']) || $this->stations->check_station_against_user($obj['station_profile_id'], $userid) == 0) {
+ http_response_code(401);
+ echo json_encode(['status' => 'failed', 'reason' => "station id does not belong to the API key owner."]);
+ die();
+ }
+
 $this->api_model->update_last_used($obj['key']);
 if($obj['type'] == "adif" && $obj['string'] != "") {
diff --git a/application/models/Stations.php b/application/models/Stations.php
index 364a6419..0d82b44d 100644
--- a/application/models/Stations.php
+++ b/application/models/Stations.php
@@ -423,6 +423,17 @@ class Stations extends CI_Model {
 return null;
 }
 }
+
+ public function check_station_against_user($stationid, $userid) {
+ $this->db->select('station_id');
+ $this->db->where('user_id', $userid);
+ $this->db->where('station_id', $id);
+ $query = $this->db->get('station_profile');
+ if ($query->num_rows() == 1) {
+ return true;
+ }
+ return false;
+ }
 }
 ?>

From 33a81154b63b0f56d74e6e0ef55131ce355ed535 Mon Sep 17 00:00:00 2001
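Review bot: The 401 branch in the second Api.php hunk returns the reason "station id does not belong to the API key owner." for two different failures, a request with no `station_profile_id` at all and one naming a station the key owner does not own, so a client that simply forgot the field gets a misleading message. Splitting the `!isset` case into its own check with its own reason keeps the fail-closed behaviour while making the response actionable. The id is also forwarded to the model as whatever JSON type the caller sent; normalising it at this boundary with `filter_var(..., FILTER_VALIDATE_INT)` and rejecting `false` keeps arrays and non-numeric strings out of the query builder. The enclosing controller method starts and ends outside the hunk, so I cannot see whether `$obj['key']` has already been validated before `key_userid()` is called on it.
```php
// … unchanged: key_userid lookup …
$station_profile_id = isset($obj['station_profile_id']) ? filter_var($obj['station_profile_id'], FILTER_VALIDATE_INT) : false;

if ($station_profile_id === false) {
    http_response_code(400);
    echo json_encode(['status' => 'failed', 'reason' => "missing or invalid station_profile_id"]);
    die();
}

if (!$this->stations->check_station_against_user($station_profile_id, $userid)) {
    http_response_code(401);
    echo json_encode(['status' => 'failed', 'reason' => "station id does not belong to the API key owner."]);
    die();
}
// … unchanged: update_last_used and import handling …
```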
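Review bot: `check_station_against_user` in the Stations.php hunk has no docblock, so its contract (which table is consulted and what the return means) has to be read out of the query; a header such as `/** @return bool true when the station_profile row $stationid has user_id $userid */` would let the controller call site be read without opening the model. The undefined `$id` on the `where('station_id', …)` line is corrected in PATCH 2/2 of this series, so I am not raising it here. Since the method is the ownership gate for API imports, a one-line comment stating that it must stay fail-closed (no row, or more than one, means not owned) would help a future maintainer who is tempted to relax the `== 1`.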
From: Andreas <6977712+AndreasK79@users.noreply.github.com>
Date: Thu, 15 Jun 2023 09:26:17 +0200
Subject: [PATCH 2/2] [API] Corrected variable name and check

---
 application/controllers/Api.php | 2 +-
 application/models/Stations.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/application/controllers/Api.php b/application/controllers/Api.php
index df547f97..2eaf99a7 100644
--- a/application/controllers/Api.php
+++ b/application/controllers/Api.php
@@ -440,7 +440,7 @@ class API extends CI_Controller {
 $userid = $this->api_model->key_userid($obj['key']);
- if(!isset($obj['station_profile_id']) || $this->stations->check_station_against_user($obj['station_profile_id'], $userid) == 0) {
+ if(!isset($obj['station_profile_id']) || $this->stations->check_station_against_user($obj['station_profile_id'], $userid) == false) {
 http_response_code(401);
 echo json_encode(['status' => 'failed', 'reason' => "station id does not belong to the API key owner."]);
 die();
diff --git a/application/models/Stations.php b/application/models/Stations.php
index 0d82b44d..0639c743 100644
--- a/application/models/Stations.php
+++ b/application/models/Stations.php
@@ -427,7 +427,7 @@ class Stations extends CI_Model {
 public function check_station_against_user($stationid, $userid) {
 $this->db->select('station_id');
 $this->db->where('user_id', $userid);
- $this->db->where('station_id', $id);
+ $this->db->where('station_id', $stationid);
 $query = $this->db->get('station_profile');
 if ($query->num_rows() == 1) {
 return true;
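Review bot: `== false` on the changed Api.php line is a loose comparison that reads as an afterthought; since the model returns a bool the idiomatic form is the negation, `if (!isset($obj['station_profile_id']) || !$this->stations->check_station_against_user($obj['station_profile_id'], $userid)) {`, which evaluates identically but states the ownership test directly. The response code is also worth a second look: on this path the key has already resolved to a user, so the failure is an authorisation (ownership) problem rather than a missing credential, and 403 would describe it more precisely than 401, provided the rest of the API makes that distinction. The enclosing controller method starts and ends outside the hunk.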
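Review bot: With `$stationid` now wired into the `where()` in the Stations.php hunk, the `if ($query->num_rows() == 1) { return true; } return false;` tail can collapse to a single strict expression, `return $query->num_rows() === 1;`, which has the same truth table with less surface for a later edit to diverge. The two parameters still arrive untyped; if the project targets PHP 7 or later, `int $stationid, int $userid` with a `: bool` return would guarantee the query builder receives integers, but a non-numeric value would then surface as an uncaught TypeError (a 500) unless the controller validates first, so pair it with validation at the boundary. The method's closing lines are outside the hunk.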